Ehmmm, what is this I see on my console after the update?

I saw that I had an update today, but by mistake I clicked no on the restart, so I manually restarted the update and rebooted the Pi.
Now that I logged in to the console and did a history, I saw this:

  426  if type "killall" > /dev/null 2>&1; then if [ $USER == "root" ]; then killall -9 xbmc.bin;  else sudo killall -9 xbmc.bin; fi; elif type "service" > /dev/null 2>&1; then if [ $USER == "root" ]; then service xbmc stop; service xbmc start; else sudo service xbmc stop; sudo service xbmc start; fi; else if [ $USER == "root" ]; then initctl stop xbmc; sleep 5; initctl start xbmc; else sudo initctl stop xbmc; sleep 5; sudo initctl start xbmc; fi; fi; echo 'CMD_FINISH_A26CBBE9-FE3E-4D8E-ADED-95610A58722E';
  427  if [ $USER == "root" ];then reboot; else sudo reboot; fi; echo 'CMD_FINISH_5F0E8773-DC86-4D83-9E0F-B6F7217AF5D7';

Is this from the update, or should I start freaking out that someone has hacked my LAN and accessed my Pi?

Whatever that is, it does not come from any of our OSMC updates, and it looks highly suspect and bizarre.

Also very old, because Kodi has been kodi.bin, not xbmc.bin, since Gotham. (E.g. more than a year ago.)

You think an addon could do that? This was in the root history btw… not the user history.

initctl start xbmc looks like old Raspbmc commands.

Did you restore a Raspbmc backup?

Sam

Nope, nothing. I installed Transmission about 2 weeks ago. Last week I added an external HD, and since then nothing else… besides an htop about 4 days ago to see how the CPU was doing.
After that, the above post happened. I got a message for the update and did it manually, then I saw that VNC didn't start, so I went into the console to do history and check how I started it last time, and saw this:

  423  htop
  424  exit
  425  rpm -qa | grep -i trans
  426  if type "killall" > /dev/null 2>&1; then if [ $USER == "root" ]; then killall -9 xbmc.bin;  else sudo killall -9 xbmc.bin; fi; elif type "service" > /dev/null 2>&1; then if [ $USER == "root" ]; then service xbmc stop; service xbmc start; else sudo service xbmc stop; sudo service xbmc start; fi; else if [ $USER == "root" ]; then initctl stop xbmc; sleep 5; initctl start xbmc; else sudo initctl stop xbmc; sleep 5; sudo initctl start xbmc; fi; fi; echo 'CMD_FINISH_A26CBBE9-FE3E-4D8E-ADED-95610A58722E';
  427  if [ $USER == "root" ];then reboot; else sudo reboot; fi; echo 'CMD_FINISH_5F0E8773-DC86-4D83-9E0F-B6F7217AF5D7';
  428  history

I am not even sure I did the 425 line.

Edit: I had even added a user/pass in Transmission when I installed it, so it couldn't be that.

I’ve changed all my passwords since I saw this to something more difficult to ‘crack’… hopefully it was a one-time thing.

If you did not type those commands, your device has been compromised.

Try last -9 to see logins and see if you spot something unusual. I suspect, however, the person may have cleared some of the logs.

Format immediately and check other devices on the network.

They are all mine… some from the iPhone, some from my PC…
Damn it.
Will do a format.
Thanks guys.

Be careful with port forwarding.

Sam

Yeah, I know… freaking hackers… won't leave me alone… mehhhh. Even if they do get access again to the LAN, my PC can block them out… I did detect some ‘sniffing’ on my NTFS shares once (from outside to my PC), probably came through the Pi 2, but my firewalls got them.
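
Added example, not part of the thread or of OSMC: a POSIX shell filter that flags history entries shaped like entries 426 and 427 quoted above, that is, one-liners that branch on `$USER` to decide whether to prefix `sudo` and that end by echoing a `CMD_FINISH_<UUID>` marker. Treating those two traits as a sign of scripted rather than hand-typed commands is an assumption; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Flag shell-history entries that look tool-generated rather than typed.
# Both heuristics are assumptions drawn from the shape of the quoted entries.

# 1. Echoed completion marker: CMD_FINISH_<UUID>
SENTINEL_RE='CMD_FINISH_[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
# 2. One-liner that tests $USER against root to choose between cmd and sudo cmd
BRANCH_RE='\[ +"?\$USER"? +==? +"?root"? +\]'

# scan_history: reads history lines on stdin and prints
# "<line no><TAB><reasons><TAB><first 60 chars>" for each flagged entry.
scan_history() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        reasons=""
        if printf '%s\n' "$line" | grep -Eq "$SENTINEL_RE"; then
            reasons="sentinel"
        fi
        if printf '%s\n' "$line" | grep -Eq "$BRANCH_RE"; then
            reasons="${reasons:+$reasons,}root-branch"
        fi
        if [ -n "$reasons" ]; then
            printf '%s\t%s\t%.60s\n' "$n" "$reasons" "$line"
        fi
    done
    return 0
}

# Constructed sample: entries shaped like those in the thread (shortened),
# plus two controls: a hand-written root test and a marker without a UUID.
sample_history() {
    cat <<'EOF'
htop
exit
if [ $USER == "root" ]; then killall -9 xbmc.bin; else sudo killall -9 xbmc.bin; fi; echo 'CMD_FINISH_A26CBBE9-FE3E-4D8E-ADED-95610A58722E';
if [ $USER == "root" ];then reboot; else sudo reboot; fi; echo 'CMD_FINISH_5F0E8773-DC86-4D83-9E0F-B6F7217AF5D7';
if [ "$USER" = root ]; then echo hi; fi
echo CMD_FINISH_not-a-uuid
EOF
}

# Demo on the constructed sample; on a real system feed it a history file,
# e.g. scan_history < /root/.bash_history
sample_history | scan_history
```

A hit only narrows down which entries to compare against login records such as the `last` output mentioned above; it does not by itself say who or what ran the command.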