OSMC on Pi3 accesses strange websites according to router

I currently have OSMC installed on a Raspberry Pi3. According to my router (ASUS RT-N16 running AdvancedTomato CFW), the IP associated with the OSMC machine accesses strange websites and makes random searches every couple of minutes (image of the log).

Not sure if relevant, but I also have Sonarr installed on the Pi. Nothing else has been installed as far as I know. Just wondering if this is expected behavior, and if not, what I can do to prevent it?

No – it’s not expected behaviour, but it’s unclear how you’ve customised your system, or if you’ve port forwarded anything.

OSMC will only access Debian APT repos and OSMC.tv domains by default.

I assume the IP is static and there is no chance of any other device claiming it?

Correct, it is static. I have forwarded ports 20-22 to access FTP and port 8989 to access Sonarr. Is there a log I can upload that would give you more info about my system customization?

Standard OSMC log may give some clues, yes.

But I would suggest a fresh installation if you think your system is compromised.

It just means you either turned on SSH and left the default username and password and became part of a Russian botnet, or they are just using your Raspberry Pi for crypto mining.

Disable SSH password once you format your SD card and use SSH keys only unless you know what you’re doing.

And install ufw. I also noticed some weird stuff in my log files one time, but since I installed this firewall and set it up, everything was fine. Here are some links on how to do it:

Which command do I run to check if my OSMC is accessing websites like the pic on your post?

Thanks

I don’t know that, probably depends on your router capabilities, but I regularly check my visibility at GRC | Gibson Research Corporation Home Page using shields-up.

It’ll be on the router firmware.

As the others wrote, you would normally do it on the router (especially as, on the device itself, even the monitoring application might be infected).
But generally you can use tcpdump to watch all traffic. Basically you could monitor the DNS requests from the Pi as a starting point.
Or you can use iptraf.
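
As an added example (not part of any post in this thread), the DNS-monitoring idea above can be turned into a filter over tcpdump output that reports only lookups outside what OSMC is said to contact by default. The Pi address, the interface name and the allowlist suffixes are assumptions, and the sample capture is constructed.

```shell
#!/bin/sh
# Added example. Assumed values, not from the thread: the Pi address and the
# allowlist suffixes standing in for "Debian APT repos and OSMC.tv domains".
PI_IP="192.168.1.50"
ALLOW="osmc.tv debian.org"

# Reads `tcpdump -n` text on stdin and prints "TYPE name" for each DNS
# question sent by $PI_IP whose name is not under an allowed suffix.
unexpected_dns() {
  awk -v pi="$PI_IP" -v allow="$ALLOW" '
    BEGIN { n = split(allow, sfx, " ") }
    index($3, pi ".") == 1 {               # $3 is "src-ip.src-port"
      for (i = 4; i < NF; i++) {
        if ($i ~ /^[A-Z0-9]+[?]$/) {       # query type, e.g. "A?" or "AAAA?"
          name = tolower($(i + 1)); sub(/[.]$/, "", name)
          ok = 0
          for (j = 1; j <= n; j++) {
            s = sfx[j]; cut = length(name) - length(s)
            # exact match or a real subdomain; "evil-osmc.tv" must not pass
            if (name == s || (cut > 0 && substr(name, cut) == ("." s))) ok = 1
          }
          if (!ok) print substr($i, 1, length($i) - 1), name
          break
        }
      }
    }'
}

# Constructed sample capture (not real traffic) in tcpdump -n output format.
sample_capture() {
  cat <<'EOF'
18:55:26.100001 IP 192.168.1.50.41234 > 192.168.1.1.53: 4660+ A? deb.debian.org. (32)
18:55:27.200002 IP 192.168.1.50.41235 > 192.168.1.1.53: 4661+ A? download.osmc.tv. (34)
18:55:28.300003 IP 192.168.1.50.41236 > 192.168.1.1.53: 4662+ A? unexpected.example. (36)
18:55:29.400004 IP 192.168.1.50.41237 > 192.168.1.1.53: 4663+ AAAA? evil-osmc.tv. (30)
18:55:30.500005 IP 192.168.1.77.50000 > 192.168.1.1.53: 4664+ A? other-device.example. (38)
EOF
}

# Live use, on a host that sees the Pi traffic (interface name assumed):
#   tcpdump -l -n -i eth0 "src host $PI_IP and udp dst port 53" | unexpected_dns
sample_capture | unexpected_dns
```

Only plain DNS over UDP port 53 is visible this way, and lookups from other devices are ignored by the source-address check.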

Thank you, this is most likely the case, since I don’t know a lot about setups, etc and just followed a guide. I will re-install and give the ideas in this thread a try.

Could this be a case of a compromised / unreliable add-on acting up?

In OP’s case, probably not. In general though, sure, it’s possible.