I am wondering if the version of Kodi from the Packman repository for openSUSE is infected with a virus/malware.
http://packman.links2linux.org/package/kodi/797262
This is a well-respected and recommended repository for Linux binaries on openSUSE. It would be impractical to run any openSUSE machine without this repository.
Or worse, the Kodi Git source code itself has been compromised.
I noticed yesterday after a system update that devices on my network were having trouble with network connectivity. I have a 30 Mbps downstream and 6 Mbps upstream connection.
The speed tests from those devices were showing full download bandwidth but interrupted upstream bandwidth.
I isolated it to the machine running Kodi in my network.
Running iftop on that machine showed connections out to all kinds of internet hosts. Stopping Kodi stopped these connections and the bandwidth came back to the other machines.
I thought perhaps there was a rogue add-on or a runaway script. I removed all add-ons from the home directory .kodi/add-ons and the problem persisted.
So I deleted the entire Kodi installation and the .kodi directory, and re-installed Kodi.
Starting Kodi came up with the default UI and built-in default screen, etc., but the outgoing connections and bandwidth saturation happened again right at the first run!
The log of this fresh first start is at
https://pastebin.com/DKeWdqhr
I have not enabled debug because I didn’t have any settings to change with a fresh run and did not want to keep running it with this suspicious behavior to change this setting from the UI.
Shutting down Kodi stops these connections to various IP addresses and some generic cloud hosting machines on the Internet.
Any ideas on what might be going on here? Can anyone with a fresh install see if such connections happen to them with any Kodi install?
Running ClamAV and Sophos anti-virus on the Kodi binary did not show any known infection in the binary.
PS: I also did a complete scan of that machine with both ClamAV and Sophos anti-virus. No infections were found on the machine. I also did a rootkit check to ensure no rootkit infections existed.
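To tie connections like the ones iftop showed to the process that owns them, here is an added example (not part of the original post) that parses `ss -Htunp` output and separates each process's LAN peers from its internet peers. The sample lines, the process name `kodi.bin`, the PIDs and all addresses are constructed for illustration.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample of `ss -Htunp` output (not from the post); the process
# name kodi.bin, the PIDs and all addresses are assumptions for illustration.
SAMPLE = """\
tcp ESTAB 0 0 192.168.1.20:51514 203.0.113.45:443 users:(("kodi.bin",pid=4321,fd=42))
tcp ESTAB 0 0 192.168.1.20:51520 198.51.100.7:50000 users:(("kodi.bin",pid=4321,fd=43))
udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:* users:(("kodi.bin",pid=4321,fd=30))
tcp ESTAB 0 0 192.168.1.20:40022 192.168.1.1:445 users:(("kodi.bin",pid=4321,fd=44))
tcp ESTAB 0 0 192.168.1.20:22 192.168.1.5:50111 users:(("sshd",pid=900,fd=4))
tcp ESTAB 0 0 [2001:db8::20]:51600 [2001:db8:ffff::9]:443 users:(("kodi.bin",pid=4321,fd=45))
"""

# Ranges treated as "local": RFC 1918, loopback, link-local, IPv6 ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def is_local(addr):
    return addr.is_multicast or any(addr in net for net in LOCAL_NETS)

def remote_peers(ss_output):
    """Map (process, pid) -> {"lan": set, "internet": set} of (address, port)."""
    result = defaultdict(lambda: {"lan": set(), "internet": set()})
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        host, _, port = fields[5].rpartition(":")
        if not port.isdigit():
            continue  # peer "*": listening or unconnected socket
        try:
            addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        except ValueError:
            continue
        m = PROC_RE.search(" ".join(fields[6:]))
        owner = (m.group(1), int(m.group(2))) if m else ("unknown", 0)
        scope = "lan" if is_local(addr) else "internet"
        result[owner][scope].add((str(addr), int(port)))
    return dict(result)

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (name, pid), peers in remote_peers(text).items():
        print(name, pid, "internet:", sorted(peers["internet"]), "lan:", sorted(peers["lan"]))
```

Pipe live `ss -Htunp` output into the script as root so the process column is populated for every socket; run without piped input, it falls back to the constructed sample.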