Re: Am I paranoid?
Hi.
On Tue, 25 Feb 2014 16:48:37 +1100
Scott Ferguson <scott.ferguson.debian.user@gmail.com> wrote:
> Please note the difference between *are/is* installed, and *were* installed.
There's a difference, indeed.
> I would expect dpkg -S to fail if those packages had been wrongly
> removed (corrupting dpkg database) but the pam and man files are
> extremely unlikely to be the result of malware. The OP never responded
> to my query about the other files that would have been installed - or
> checked the installation history with dpkg --get-selections (it won't
> show if purge was run, but then, those files would likely not be left).
My guess is that this situation is the result of invoking:
dpkg -X *deb /
or, simply unpacking a tarball into /.
But your guess is as good as mine.
What I cannot understand is how exactly removing a package would fix
this issue if both apt and dpkg claim that the package is not installed.
> It is possible[*1] vmtoolsd is a trojan - though that scenario means the
> rest of its expected files would likely be there (and dpkg -S would
> find it) - an md5sum is a simple way to check.
If you browse this part of the thread up, you'll see that the OP did check
the root filesystem with debsums, and debsums hasn't found anything.
Therefore I agree that it's unlikely that vmtoolsd is malware.
> Simply re-installing a system because someone "suspects" a security
> breach - with zero evidence to support the suspicion, is not a good
> idea.
Agreed. That's why I wrote earlier that no reinstall is necessary.
> By all means re-install from a known clean source - but first check
> to see if the installation was legitimate (check package selections
> status), check "suspect" file/s. Otherwise it confirms nothing and does
> even less to help detect and defend against real malware.
>
> Always test when security is in doubt - but it's probably not a good
> idea to rule out user error.
Yet, there is another thing - OP claims that he didn't install anything
like this.
Reco
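
Added example, not part of the original message: a Python sketch of the two checks discussed above, reading dpkg's per-package `<pkg>.list` and `<pkg>.md5sums` files to tell a file no package owns (the `dpkg -S` failure case, e.g. after `dpkg -X`) from an owned file whose content no longer matches its recorded md5. The package name `examplepkg`, the file names and the `demo()` tree are constructed for illustration.

```python
import hashlib, os, tempfile

def load_db(info_dir="/var/lib/dpkg/info"):
    """Map absolute path -> [package, md5-or-None] from <pkg>.list / <pkg>.md5sums."""
    db = {}
    for name in sorted(os.listdir(info_dir)):
        if name.endswith(".list"):          # one absolute path per line
            with open(os.path.join(info_dir, name)) as fh:
                for path in fh.read().splitlines():
                    db.setdefault(path, [name[:-5], None])
    for name in sorted(os.listdir(info_dir)):
        if name.endswith(".md5sums"):       # "<md5hex>  <path without leading />"
            with open(os.path.join(info_dir, name)) as fh:
                for line in fh.read().splitlines():
                    digest, _, rel = line.partition("  ")
                    if "/" + rel in db:
                        db["/" + rel][1] = digest
    return db

def classify(path, db, root="/"):
    """Return 'unowned', 'no-checksum', 'missing', 'ok' or 'modified'."""
    if path not in db:
        return "unowned"                    # the case where dpkg -S finds nothing
    recorded = db[path][1]
    if recorded is None:
        return "no-checksum"                # e.g. directories, conffiles
    try:
        with open(os.path.join(root, path.lstrip("/")), "rb") as fh:
            actual = hashlib.md5(fh.read()).hexdigest()
    except FileNotFoundError:
        return "missing"
    return "ok" if actual == recorded else "modified"

def demo():  # constructed tree: one intact, one altered, one stray file
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        good = hashlib.md5(b"original\n").hexdigest()
        put("var/lib/dpkg/info/examplepkg.list", "/usr/bin/intact\n/usr/bin/altered\n")
        put("var/lib/dpkg/info/examplepkg.md5sums",
            "%s  usr/bin/intact\n%s  usr/bin/altered\n" % (good, good))
        put("usr/bin/intact", "original\n")
        put("usr/bin/altered", "original\ntampered\n")   # differs from recorded hash
        put("usr/bin/stray", "unpacked by hand\n")       # listed in no .list file
        db = load_db(os.path.join(root, "var/lib/dpkg/info"))
        return {p: classify(p, db, root) for p in
                ("/usr/bin/intact", "/usr/bin/altered", "/usr/bin/stray")}
```

The recorded checksums live on the same filesystem as the files they describe, so an "ok" result only shows agreement with the local dpkg database.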