
Re: Am I paranoid?



Thanks for replying

On 25/02/14 17:10, Reco wrote:
>  Hi.
> 
> On Tue, 25 Feb 2014 16:48:37 +1100
> Scott Ferguson <scott.ferguson.debian.user@gmail.com> wrote:
> 
>> Please note the difference between *are/is* installed, and *were* installed.
> 
> There's a difference, indeed.
> 
> 
>> I would expect dpkg -S to fail if those packages had been wrongly
>> removed (corrupting dpkg database) but the pam and man files are
>> extremely unlikely to be the result of malware. The OP never responded
>> to my query about the other files that would have been installed - or
>> checked the installation history with dpkg --get-selections (it won't
>> show if purge was run, but then, those files would likely not be left).
> 
> My guess is that this situation is the result of invoking:
> dpkg -X *deb /
> 
> or, simply unpacking a tarball into /.
> But your guess is as good as mine.

Maybe; certainly my guesses as to the cause are similar... the tarball'd
be tricky (debsums).

> 
> What I cannot understand is how exactly removing a package would fix
> this issue if both apt and dpkg claim that the package is not installed.

*If* the package was legitimately installed - then its removal would
ease Ha's concern. Though without understanding how it happened, it's no
less likely to happen again.

I haven't seen the result of checking the selections with dpkg. There
are a couple of scenarios where the user/operator can damage the dpkg
database - I'm not familiar with all of them.


> 
> 
>> It is possible[*1] vmtoolsd is a trojan - though that scenario means the
>> rest of its expected files would likely be there (and dpkg -S would
>> find it) - an md5sum is a simple way to check.
> 
> If you browse this part of the thread up, you'll see that the OP did check
> the root filesystem with debsums, and debsums hasn't found anything.
> Therefore I agree that it's unlikely that vmtoolsd is malware.
> 
> 
>> Simply re-installing a system because someone "suspects" a security
>> breach - with zero evidence to support the suspicion - is not a good
>> idea.
> 
> Agreed. That's why I wrote earlier that no reinstall is necessary.

Unfortunately the OP's editing combined with my free time limitations
mean I'm not sure who said what - so that comment wasn't aimed at any
particular participant in the thread. It's a convoluted thread and at
present there are still three recent posts I haven't read.

> 
> 
>> By all means re-install from a known clean source - but first check
>> to see if the installation was legitimate (check package selection
>> status), check "suspect" file/s. Otherwise it confirms nothing and does
>> even less to help detect and defend against real malware.
>>
>> Always test when security is in doubt - but it's probably not a good
>> idea to rule out user error.
> 
> Yet, there is another thing - OP claims that he didn't install anything
> like this.

I'd hate to hold anyone responsible for their memory - AFAIK no one can
remember what they don't remember (this is why we take notes and run
script) - I can only assume their memory is complete. In other areas a
guess/"instinct" may be good enough - with security I prefer proof.
Even if they didn't specifically install open-vm-tools, it could well
have been a dependency.

> 
> Reco
> 
> 
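
The debsums-style check discussed above (recomputing each file's md5sum and comparing it with the list dpkg recorded at install time, /var/lib/dpkg/info/<pkg>.md5sums), as an added example that is not part of this thread. The fixture directory, file contents and paths are constructed for the demo, and vmtoolsd is used only as a stand-in name; on a real system you would point verify_md5sums at the package's md5sums file and at root /.

```shell
#!/bin/sh
# verify_md5sums <md5sums-file> <root-dir>
# Reads lines in dpkg's md5sums format ("<md5>  <path relative to root>"),
# recomputes the md5 of each file under <root-dir> and prints one of
#   OK <path> / FAILED <path> (content differs) / MISSING <path>
# per entry. Returns 0 only if every file is present and unchanged.
verify_md5sums() {
    list="$1"; base="${2:-/}"
    status=0
    while read -r expected rel; do
        [ -n "$expected" ] || continue            # skip blank lines
        f="$base/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"; status=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK $rel"
        else
            echo "FAILED $rel"; status=1
        fi
    done < "$list"
    return $status
}

# build_fixture: constructed sample "installed package" in a temp dir.
# It records checksums the way dpkg does at install time, then simulates
# drift: one file edited afterwards, one removed. Prints the temp dir.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/usr/bin" "$fx/etc" "$fx/usr/lib/sample"
    printf 'pretend binary\n' > "$fx/usr/bin/vmtoolsd"      # stand-in name
    printf 'setting=1\n'      > "$fx/etc/sample.conf"
    printf 'plugin\n'         > "$fx/usr/lib/sample/plugin.so"
    # md5sum's "<hash>  <path>" output is the same layout dpkg stores
    ( cd "$fx" && md5sum usr/bin/vmtoolsd etc/sample.conf \
                         usr/lib/sample/plugin.so ) > "$fx/pkg.md5sums"
    printf 'setting=2\n' > "$fx/etc/sample.conf"             # modified later
    rm "$fx/usr/lib/sample/plugin.so"                        # removed later
    echo "$fx"
}
```

A clean result from this kind of check tells you the package's files are the ones dpkg installed; it says nothing about files no package owns, which is why the thread also asks for the dpkg -S and selection-status checks.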

