Filing this is an extreme long shot, but I’m stumped.
Running OSMC June 2020 2020.06-1 on a Vero4K, this is the current version of the openssh-server package:
$ apt-cache show openssh-server | head -n3
Package: openssh-server
Source: openssh
Version: 1:7.4p1-10+deb9u7
Something on the system, about every 30 minutes, is suddenly changing the sshd binary to OpenSSH_8.2p2 p1.
I’m hoping someone can help identify what is doing this.
I have a script that continually monitors the OpenSSH version, as well as changes in the system process tree:
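#!/bin/bash
# Poll the sshd version string and diff the process tree between polls.
LAST_PROCESS_TREE=""
while true
do
    # The first line of sshd's debug output carries its version banner.
    VERSION=$(/usr/sbin/sshd -d 2>&1 | head -n1)
    # Snapshot the process tree, leaving out ps itself and this script.
    PROCESS_TREE=$(ps axjf | grep -v "ps axjf" | grep -v "$0")
    echo "$(date) : $VERSION"
    if [[ -n "$LAST_PROCESS_TREE" ]]
    then
        # Print only what changed since the previous snapshot.
        diff -up <(echo -e "$LAST_PROCESS_TREE") <(echo -e "$PROCESS_TREE")
    else
        echo -e "$PROCESS_TREE"
    fi
    LAST_PROCESS_TREE=$PROCESS_TREE
    # Stop as soon as the replaced binary shows up.
    if [[ "$VERSION" =~ 'OpenSSH_8.2' ]]
    then
        exit 0
    fi
    sleep .01s
done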
I have tried to eliminate all processes in userspace that I think might be doing this, including:
- Completely disabling my Internet connection.
- Stopping mediacenter.service
- Stopping docker.service
- Stopping cron.service
But it’s still happening.
Here’s the relevant part of the script’s output from my latest run:
Sun Aug 30 18:34:33 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
--- /dev/fd/63 2020-08-30 18:34:34.166660023 -0400
+++ /dev/fd/62 2020-08-30 18:34:34.166660023 -0400
@@ -192,3 +192,7 @@
12331 12332 12332 12332 pts/1 12453 Ss 1000 0:00 \_ -bash
12332 12453 12453 12332 pts/1 12453 S+ 1000 0:00 \_ tmux -2 attach-session
1 29580 29580 29580 ? -1 Ss 0 0:00 /usr/sbin/sshd -D
+ 1 5098 468 468 ? -1 S 0 0:00 /bin/bash /usr/sbin/ptty
+ 5098 5105 468 468 ? -1 S 0 0:00 \_ /bin/bash /usr/sbin/ptty
+ 5105 5106 468 468 ? -1 R 0 0:00 \_ w
+ 5105 5107 468 468 ? -1 S 0 0:00 \_ tail -n+1
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
--- /dev/fd/63 2020-08-30 18:34:34.256661703 -0400
+++ /dev/fd/62 2020-08-30 18:34:34.256661703 -0400
@@ -192,7 +192,4 @@
12331 12332 12332 12332 pts/1 12453 Ss 1000 0:00 \_ -bash
12332 12453 12453 12332 pts/1 12453 S+ 1000 0:00 \_ tmux -2 attach-session
1 29580 29580 29580 ? -1 Ss 0 0:00 /usr/sbin/sshd -D
- 1 5098 468 468 ? -1 S 0 0:00 /bin/bash /usr/sbin/ptty
- 5098 5105 468 468 ? -1 S 0 0:00 \_ /bin/bash /usr/sbin/ptty
- 5105 5106 468 468 ? -1 R 0 0:00 \_ w
- 5105 5107 468 468 ? -1 S 0 0:00 \_ tail -n+1
+ 1 5128 468 468 ? -1 S 0 0:00 /bin/bash //tmp/.kworker
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
--- /dev/fd/63 2020-08-30 18:34:34.336663195 -0400
+++ /dev/fd/62 2020-08-30 18:34:34.336663195 -0400
@@ -193,3 +193,5 @@
12332 12453 12453 12332 pts/1 12453 S+ 1000 0:00 \_ tmux -2 attach-session
1 29580 29580 29580 ? -1 Ss 0 0:00 /usr/sbin/sshd -D
1 5128 468 468 ? -1 S 0 0:00 /bin/bash //tmp/.kworker
+ 5128 5139 468 468 ? -1 S 0 0:00 \_ /bin/bash //tmp/.kworker
+ 5139 5140 468 468 ? -1 R 0 0:00 \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
--- /dev/fd/63 2020-08-30 18:34:34.596668046 -0400
+++ /dev/fd/62 2020-08-30 18:34:34.596668046 -0400
@@ -193,5 +193,4 @@
12332 12453 12453 12332 pts/1 12453 S+ 1000 0:00 \_ tmux -2 attach-session
1 29580 29580 29580 ? -1 Ss 0 0:00 /usr/sbin/sshd -D
1 5128 468 468 ? -1 S 0 0:00 /bin/bash //tmp/.kworker
- 5128 5139 468 468 ? -1 S 0 0:00 \_ /bin/bash //tmp/.kworker
- 5139 5140 468 468 ? -1 R 0 0:00 \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+ 5128 5177 468 468 ? -1 R 0 0:00 \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u 20 Dec 2019
--- /dev/fd/63 2020-08-30 18:34:34.866673084 -0400
+++ /dev/fd/62 2020-08-30 18:34:34.866673084 -0400
@@ -193,4 +193,3 @@
12332 12453 12453 12332 pts/1 12453 S+ 1000 0:00 \_ tmux -2 attach-session
1 29580 29580 29580 ? -1 Ss 0 0:00 /usr/sbin/sshd -D
1 5128 468 468 ? -1 S 0 0:00 /bin/bash //tmp/.kworker
- 5128 5177 468 468 ? -1 R 0 0:00 \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_8.2p2 p1
--- /dev/fd/63 2020-08-30 18:34:35.006675696 -0400
+++ /dev/fd/62 2020-08-30 18:34:35.016675882 -0400
@@ -193,3 +193,4 @@
12332 12453 12453 12332 pts/1 12453 S+ 1000 0:00 \_ tmux -2 attach-session
1 29580 29580 29580 ? -1 Ss 0 0:00 /usr/sbin/sshd -D
1 5128 468 468 ? -1 S 0 0:00 /bin/bash //tmp/.kworker
+ 5128 5256 468 468 ? -1 R 0 0:00 \_ mount -o remount,rw /
You can see at the end the OpenSSH version suddenly changes from “7.4” to “8.2p2 p1”.
In every test, at the moment of the OpenSSH version change, I see at the same time in the process log that systemd itself (pid 1) appears to create the /bin/bash //tmp/.kworker process, which spawns the child processes mount -o remount,rw and /usr/bin/python3 -Es /usr/bin/lsb_release -s -d.
Somehow, whatever this is, it’s replacing the /usr/sbin/sshd binary. And I’m trying to get it to stop.
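Added example, not part of the original post: the mismatch described above (the package database reports 7.4p1 while the binary on disk reports 8.2) can be confirmed independently of version strings by hashing installed files against a dpkg-style md5sums manifest. The function name `check_manifest`, the demo and its file contents are constructed for illustration; the manifest format assumed is the `<md5>  <path relative to />` layout dpkg uses.

```bash
#!/bin/bash
# Added example: compare files on disk with a dpkg-style md5sums manifest.
# Each manifest line is "<md5>  usr/sbin/sshd" (path relative to the root).

# check_manifest ROOT MANIFEST
# Prints one line per file that is missing or whose hash differs.
# Returns 0 when every listed file matches, 1 otherwise.
check_manifest() {
    local root="$1" manifest="$2" want path actual rc=0
    while read -r want path; do
        [ -n "$path" ] || continue            # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  /$path"
            rc=1
            continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$want" ]; then
            echo "MODIFIED /$path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Demo on constructed data: a fake root with one "packaged" file that is
# then overwritten, standing in for the replaced sshd binary.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/sbin"
    printf 'packaged sshd 7.4\n' > "$tmp/root/usr/sbin/sshd"
    (cd "$tmp/root" && md5sum usr/sbin/sshd) > "$tmp/manifest"
    check_manifest "$tmp/root" "$tmp/manifest" && echo "clean: all files match"
    printf 'replaced sshd 8.2\n' > "$tmp/root/usr/sbin/sshd"
    check_manifest "$tmp/root" "$tmp/manifest" || echo "mismatch: file differs from manifest"
    rm -rf "$tmp"
}

demo
```

On a Debian-based system the manifest for this package is /var/lib/dpkg/info/openssh-server.md5sums with / as the root. That manifest sits on the same disk as the binary, so a checksum taken from a freshly downloaded copy of the package is the stronger reference.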