Re: Am I paranoid?
Hi.
On Mon, 24 Feb 2014 16:24:19 +0100
ha <hiei.arhiva@gmail.com> wrote:
> Hi!
>
> > Try to find that file. ( run something like "find / -name vmtoolsd" )
> >
>
> I did. It only shows that the files are there:
> /etc/pam.d/vmtoolsd
> /usr/bin/vmtoolsd
<…>
> echo $PATH
> does not show my home directory
>
> I did not install anything from source.
To answer your question - yes, you're right to be paranoid.
In Debian, software doesn't install by itself; installing
software requires human intervention. You didn't do it = someone else
did it.
Whether virtualization can be used to gain a backdoor is irrelevant
here; what's relevant is that someone has root privileges on your
host already.
Now, whether these privileges were carelessly used to install vmtoolsd
Slackware-style (i.e. not using apt or deb), or these privileges were
used to do something more (say, replacing sshd with its keylogged
version) - that's really interesting.
I suggest that you:
1) Reboot the system using a known-good LiveCD. That's really
important as you cannot trust the integrity of the OS on this host.
2) Mount the host's / filesystem and /var filesystem somewhere ('/mnt' will
do).
3) Run
debsums -ac -r /mnt
4) If, and only if, debsums doesn't report anything unusual - purge
vmtoolsd, clean up anything in /usr/local, change the root password,
remove any ssh public keys from /root/.ssh/authorized_keys, reboot to
normal.
5) If debsums shows any file replacements
(especially /usr/sbin/sshd, /bin/bash, etc.) - reinstall the OS from
scratch.
Reco
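As an added example (not part of Reco's reply or of the thread), the following POSIX shell script automates the offline check described in steps 3 and 4: it runs the same debsums invocation against a suspect root mounted at /mnt, sorts the changed files it reports into "reinstall" versus "review", lists what is lying around in /usr/local, counts the keys in root's authorized_keys, and asks the mounted dpkg database whether vmtoolsd belongs to a package at all. The MNT variable, the critical-binary list beyond sshd and bash, the dpkg-query lookup and the verdict names are this example's own assumptions.

```shell
#!/bin/sh
# Offline triage of a suspect Debian install, run from a known-good live system.
# Added example, not from the thread. Assumes the suspect root filesystem
# (including /var) is mounted under $MNT and is only read, never written.

MNT="${MNT:-/mnt}"

# Files whose replacement means "reinstall from scratch". sshd and bash are
# the ones named in the reply; the others are this example's additions.
CRITICAL="/usr/sbin/sshd /bin/bash /bin/login /bin/su /usr/bin/sudo /usr/bin/passwd /usr/bin/ssh"

# Step 3, the debsums run from the reply: -a includes conffiles, -c prints only
# changed files, --root (same as -r) checks the mounted tree, not the live one.
run_debsums() {
    debsums -ac --root "$MNT" 2>/dev/null
}

# Read debsums output (one changed path per line) and decide: REINSTALL if a
# critical binary changed, REVIEW if anything else did, CLEAN if nothing did.
classify_changes() {
    verdict=CLEAN
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        this=REVIEW
        for c in $CRITICAL; do
            if [ "$path" = "$c" ]; then this=REINSTALL; fi
        done
        if [ "$this" = REINSTALL ]; then
            verdict=REINSTALL
        elif [ "$verdict" = CLEAN ]; then
            verdict=REVIEW
        fi
    done
    echo "$verdict"
}

# Step 4: Debian packages may only create empty directories under /usr/local,
# so any regular file there was put in by hand (or by whoever has root).
list_local_files() {
    find "$1/usr/local" -type f 2>/dev/null | sort
}

# Count lines in root's authorized_keys that start with a key type (0 if the
# file is absent); every one of them deserves a look before rebooting normally.
count_root_keys() {
    f="$1/root/.ssh/authorized_keys"
    if [ -f "$f" ]; then
        grep -c -E '^(ssh-|ecdsa-|sk-)' "$f" || true
    else
        echo 0
    fi
}

# Which package, if any, owns a path on the suspect system? Queries the dpkg
# database on the mounted tree (assumed at $MNT/var/lib/dpkg), not the live one.
package_owning() {
    dpkg-query --admindir="$MNT/var/lib/dpkg" -S "$1" 2>/dev/null \
        || echo "$1 is not owned by any package"
}

main() {
    command -v debsums >/dev/null || { echo "debsums is not installed on the live system" >&2; exit 2; }
    [ -d "$MNT/var/lib/dpkg" ] || { echo "$MNT does not look like a mounted Debian root" >&2; exit 2; }
    changed=$(run_debsums)
    echo "verdict: $(printf '%s\n' "$changed" | classify_changes)"
    if [ -n "$changed" ]; then printf 'changed files:\n%s\n' "$changed"; fi
    echo "files under /usr/local:"; list_local_files "$MNT"
    echo "keys in /root/.ssh/authorized_keys: $(count_root_keys "$MNT")"
    echo "owner of /usr/bin/vmtoolsd: $(package_owning /usr/bin/vmtoolsd)"
}

# Only run the full triage when asked, e.g.: MNT=/mnt sh triage.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

A REVIEW verdict is not an all-clear: debsums only knows about files that came from packages, so a replaced binary in /usr/local or a new cron job would never show up in its output, which is why the /usr/local listing and the key count are printed alongside it.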