RPi 1 PRIVNUT1 process

Hello guys! I have an RPi 1 with 512 mb RAM. I am using OSMC for some time and recently it start to be bottleneck by some processes called PRIVNUT1. I reinstall OSMC with latest version but the same problem. If i restart the RPi its fine for a few hours. Maximum are around 8. Does anyone knows whats the source of problem? I dont have any addons except transmission. http://imgur.com/a/bhUkJ

Secure your network. privnut is actual malware running on your system.
Something is putting it in there.

You have a link? Oddest thing to me is that Google returns zero information on this.

That is the problem. But on all my PI’s I don’t have that process running (4 of them) and I am a security fanatic at home (Network is segmented, secured etc.).
Also your screenshot shows these to use up 24%CPU and there is a “transparent” process name (1 line on top of the 2 privnut1 processes).
Taken into account that it was reinstalled - this screams to me: Malware… and usually I am guessing right.

If I could get a copy of that file (privnut), I coult check it a little more in detail.
it could also be that an Add On was installed, and this one is doing something after that time.
But - a find / -name "privnut*" on my devices returned nothing.

Hmmmm… Quite odd…

So I would be interested if OP is port forwarding ssh22 from the outside?

I have reinstalled but after a few days its start to do the same. I searched on google and i saw that give no results. Maybe dont want to find an answer :slight_smile:… I have an WD hdd conected to rpi. I will take it out and scan it on windows computer.

I’m not sure how that’s gonna find Linux malware…

I think it would be interesting to figure out which of the packages you installed brought in that file.
Start by running which privnut1 and post the output. If that doesn’t find the file run find / -name "privnut*" and post the output.

@ActionA, yes i have a port forwarding in router.
@fzinken, i run the commands:
First one:
> osmc@osmc:~$ which privnut1


and second :
> osmc@osmc:~$ sudo find / -name “privnut*”
> /tmp/privnut1

In tmp folder i found one file with very long name and no extension (the one with name “1” because i had to rename it so cand copy it), 2 .sh files and another one which seems to be a trojan horse for linux.


I will try to archive 2 times the files.

You should never port forward 22! Either change to a non standard port or use port translation on your router to forward a non standard port from the outside to port 22 inside your lan. This is probably a good indication that you didn’t change the password either?

These are only the very minimum of many steps that should be taken before exposing a pi running any OS to the internet.

No,until now i didnt change the root pasword. I changed now the outside port from 22 to 30 and also the root password. Tomorrow i will install from scratch and i let it clean, without any addons added by me for tests. As i said, only thing installed by me was transmission from “my osmc” so its installed from trusted location.

You must also change the password of the osmc user!

“Osmc” user its not the same with “root” user? i changed for “osmc” user because i thinking was the only superuser. I didn`t know that there is also the user “root”.

There is, but not enabled by default. Ability to log in as root user must explicitly be enabled.

root doesn’t have a password assigned to it so even though it exists as a user account you can’t log on as root until you set a password for it. You shouldn’t actually need to do this though, i’ve used OSMC and Raspbmc before it and have never needed to directly log in as root.

As already said, if you expose your Pi to the outside world (Even if on an obscure port) then change the default ‘osmc’ password (I do this even though i don’t expose my systems to the outside world).

Can you send me the file so I can take a look at it?

How do you want to send you the file? I have all 4 files double archived. Totally ~55kb size.

Can you PM me a Dropbox link?

Could I get a copy too?
Eventually you could look under / if there is a .bash_history, and add that one too.
If not, add the .bash_history files of /root/.bash_history and /home/osmc/.bash_history users

That could hold the evidence on what the hacker who installed the rootkot/trojan did.

I will give you also the link. I change the sd card from rpi but i dind`t format it yet.