Our center of research has been hacked. Probably first our FTP server, and from it all the others running computers.
We have one master datalogger (a CR3000), and 9 slave dataloggers (7 CR1000s and 2 CR3000s). The master datalogger retrieves the datas from the slave dataloggers every 15 min by ethernet (each slave datalogger has a NL115 module). All the dataloggers are on the same local network (192.168.1.x)
We have one "Acquisition" computer with LoggerNet permanantly running to retrieve the datas from the master datalogger every 15 minutes. Then our ftp server retrieves the data files from the acquisition computer every hour.
Both the ftp server and the "Acquisition" computer have been hacked.
The question is, is there a risk that the dataloggers have also been hacked? More specifically, is there a risk that a virus (active or dormant) has been uploaded in one or several of the dataloggers?
There shouldn't be an issue unless the "hacker" ran LoggerNet and upload the virus files directly to the dataloggers. You should be able to check the file system of the dataloggers by looking in File Manager in LoggerNet. Any files that are not CRBasic programs. data files, or the .csipasswd should be removed from the logger if they appear.
If you want to be really sure you can download all the data from the loggers and then (re)install the firmware to get a clean sheet (needs direct access to the logger, RS232/USB only afaik). See this part of the DeviceConfigUtility for the SendOS tab of a Logger:
This page is used to download an operating system to the CR1000X using the datalogger's boot code. As a result of this process, the datalogger will reset all of its memory including programs, data, and settings. ..
I doubt CR loggers are such a good target that there are 'boot-sector/loader' viruses/scripts for their MCU/CPUs so just reinstalling the firmware (while you're at it, upgrade to the latest for the model) will be more than enough.
Then put on the program (after cheking it), reinstate the settings for networks/passwords/etc. and you're good to go.
This post is under review.