
Re: Am I paranoid?



On 25/02/14 16:16, Reco wrote:
>  Hi.
> 
> On Tue, 25 Feb 2014 11:07:23 +1100
> Scott Ferguson <scott.ferguson.debian.user@gmail.com> wrote:
> 
>> Am I missing part of the thread?
> 
> Probably no, as you've replied in it:
> 
> https://lists.debian.org/debian-user/2014/02/msg01346.html
> 
> 
>>  Where did the OP check to see if
>> open-vm-tools and open-vm-toolbox *were* installed. I see where to OP
>> tried looking for a filename using a command that expects a package name...
> 
> This:
> 
>> dpkg --search /usr/bin/vmtoolsd
>> dpkg-query: no path found matching pattern /usr/bin/vmtoolsd
> 
> is equivalent to 'no package owns /usr/bin/vmtoolsd'.
> 'open-vm-tools' package owns /usr/bin/vmtoolsd file.
> 
> If open-vm-tools is installed - 'dpkg -S' would find it.
> 
> 
> Reco
> 
> 


Please note the difference between *are/is* installed, and *were* installed.

I would expect dpkg -S to fail if those packages had been wrongly
removed (corrupting dpkg database) but the pam and man files are
extremely unlikely to be the result of malware. The OP never responded
to my query about the other files that would have been installed - or
checked the installation history with dpkg --get-selections (it won't
show if purge was run, but then, those files would likely not be left).

It is possible[*1] vmtoolsd is a trojan - though that scenario means the
rest of its expected files would likely be there (and dpkg -S would
find it) - an md5sum is a simple way to check.
Simply re-installing a system because someone "suspects" a security
breach - with zero evidence to support the suspicion - is not a good
idea. By all means re-install from a known clean source - but first check
to see if the installation was legitimate (check package selection
status), check "suspect" file/s. Otherwise it confirms nothing and does
even less to help detect and defend against real malware.

Always test when security is in doubt - but it's probably not a good
idea to rule out user error.

[*1] the first reported case.

Kind regards
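The checks discussed above (does any package own the file, what is the package's install status, does the file still match the md5sum dpkg recorded), as an added example that is not part of this thread or of the open-vm-tools package. The Debian-specific queries are shown as comments; verify_md5sums() below only needs md5sum, so it runs anywhere against the constructed sample tree. The manpage and tools.conf paths in the sample are invented for the example, and /usr/bin/vmtoolsd and open-vm-tools are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from open-vm-tools.
#
# On a Debian system the questions raised in the thread map to:
#   dpkg -S /usr/bin/vmtoolsd                       # which package owns the file, if any
#   dpkg-query -W -f='${Status}\n' open-vm-tools    # install / deinstall / purge status
#   dpkg --get-selections | grep open-vm            # selection state (empty after purge)
#   grep open-vm-tools /var/log/dpkg.log*           # install/remove history, if logs were kept
#   cd / && md5sum -c /var/lib/dpkg/info/open-vm-tools.md5sums   # compare files to recorded sums

# verify_md5sums ROOT MANIFEST
#   MANIFEST uses the /var/lib/dpkg/info/<pkg>.md5sums layout:
#   "<md5hex>  <path relative to ROOT>" with no leading slash.
#   Prints "OK <path>", "MODIFIED <path>" or "MISSING <path>" per entry
#   and returns 1 if any file is not OK, 0 otherwise.
verify_md5sums() {
    root=$1
    manifest=$2
    rc=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue
        f="$root/$relpath"
        if [ ! -f "$f" ]; then
            echo "MISSING $relpath"
            rc=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK $relpath"
        else
            echo "MODIFIED $relpath"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# make_sample: constructed sample data (not a real package). Builds a fake
# root with one intact file, one file tampered with after the manifest was
# recorded, and one manifest entry whose file is absent. Prints the temp dir.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/bin" "$d/root/usr/share/man/man8"
    printf 'original vmtoolsd\n' > "$d/root/usr/bin/vmtoolsd"
    printf 'manpage\n' > "$d/root/usr/share/man/man8/vmtoolsd.8.gz"
    {
        printf '%s  usr/bin/vmtoolsd\n' \
            "$(md5sum "$d/root/usr/bin/vmtoolsd" | cut -d' ' -f1)"
        printf '%s  usr/share/man/man8/vmtoolsd.8.gz\n' \
            "$(md5sum "$d/root/usr/share/man/man8/vmtoolsd.8.gz" | cut -d' ' -f1)"
        # hypothetical config file listed in the manifest but never on disk
        printf 'd41d8cd98f00b204e9800998ecf8427e  etc/vmware-tools/tools.conf\n'
    } > "$d/open-vm-tools.md5sums"
    # simulate a binary replaced after installation
    printf 'replaced vmtoolsd\n' > "$d/root/usr/bin/vmtoolsd"
    echo "$d"
}

# Stand-alone run against the constructed sample:
#   d=$(make_sample); verify_md5sums "$d/root" "$d/open-vm-tools.md5sums"; rm -rf "$d"
```

A MODIFIED result only tells you the file differs from what dpkg recorded; a locally rebuilt or hand-patched binary produces the same result, so it is evidence to follow up, not proof of compromise. Conversely, a file that no package owns and that does not appear in any .md5sums manifest cannot be checked this way at all, which is exactly the situation dpkg -S reporting "no path found" describes.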

