
Re: Am I paranoid?



 Hi.

On Tue, 25 Feb 2014 18:24:50 +1100
Scott Ferguson <scott.ferguson.debian.user@gmail.com> wrote:

> > My guess is that this situation is the result of invoking:
> > dpkg -X *deb /
> > 
> > or, simply unpacking a tarball into /.
> > But your guess is as good as mine.
> 
> Maybe, certainly my guesses as to the cause are similar... the tarball'd
> be tricky (debsums).

No, of course not. debsums only checks files which belong to an
installed package. Such 'orphan' files are invisible to debsums,
regardless of the way they landed in the filesystem.


> > What I cannot understand is how exactly removing a package would fix
> > this issue if both apt and dpkg claim that the package is not installed.
> 
> *If* the package was legitimately installed - then its removal would
> ease Ha's concern. Though without understanding how it happened it's no
> less likely to happen again.
> 
> I haven't seen the result of checking the selections with dpkg. There
> are a couple of scenarios where the user/operator can damage the dpkg
> database - I'm not familiar with all of them.

Possible scenario, yes. Still, installing and deinstalling a package -
I see how it could work. Simply deinstalling a non-installed package seems
like 'magic'.


> >> It is possible[*1] vmtoolsd is a trojan - though that scenario means the
> >> rest of its expected files would likely be there (and dpkg -S would
> >> find it) - an md5sum is a simple way to check.
> > 
> > If you browse this part of the thread up, you'll see that the OP did check
> > the root filesystem with debsums, and debsums hasn't found anything.
> > Therefore I agree that it's unlikely that vmtoolsd is malware.
> > 
> > 
> >> Simply re-installing a system because someone "suspects" a security
> >> breach - with zero evidence to support the suspicion - is not a good
> >> idea.
> > 
> > Agreed. That's why I wrote earlier that no reinstall is necessary.
> 
> Unfortunately the OP's editing combined with my free time limitations
> mean I'm not sure who said what - so that comment wasn't aimed at any
> particular participant in the thread. It's a convoluted thread and at
> present there are still three recent posts I haven't read.

Ok, no harm done to anyone, if you ask me. I wrote this part to merely
clarify things.

> >> By all means re-install from a known clean source - but first check
> >> to see if the installation was legitimate (check package selections
> >> status), check "suspect" file/s. Otherwise it confirms nothing and does
> >> even less to help detect and defend against real malware.
> >>
> >> Always test when security is in doubt - but it's probably not a good
> >> idea to rule out user error.
> > 
> > Yet, there is another thing - OP claims that he didn't install anything
> > like this.
> 
> I'd hate to hold anyone responsible for their memory - AFAIK no one can
> remember what they don't remember (this is why we take notes and run
> script) - I can only assume their memory is complete. With other areas a
> guess/"instinct" may be good enough - with security I prefer proof.
> Even if they didn't specifically install open-vm-tools it could well
> have been a dependency.

True. But, reading other parts of the thread, now I blame multiple
reinstalls of Debian over the same partition.

Reco
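One way to list the 'orphan' files that debsums cannot see, i.e. files on disk that no installed package claims, added here as an example and not code from this thread or from Debian itself. It reads dpkg's per-package file lists (assumed to be the *.list files under /var/lib/dpkg/info) and, for demonstration, builds a small constructed tree with one unowned vmtoolsd binary instead of scanning a real root.

```shell
#!/bin/sh
# find_orphans ROOT LISTDIR
#   ROOT    - filesystem root to scan ("/" on a live system)
#   LISTDIR - directory holding dpkg's *.list files (/var/lib/dpkg/info)
# Prints every regular file under ROOT that appears in no package list.
find_orphans() {
    root=${1%/}                 # "/" becomes "" so paths stay absolute
    listdir=$2
    claimed=$(mktemp); found=$(mktemp)
    # every path claimed by any installed package, de-duplicated
    cat "$listdir"/*.list | sort -u > "$claimed"
    # files actually on disk, with the scan root stripped so they compare
    # against the absolute paths dpkg records
    find "${root:-/}" -type f | sed "s|^$root||" | sort > "$found"
    comm -23 "$found" "$claimed"   # on disk but claimed by nobody
    rm -f "$claimed" "$found"
}

# make_demo: constructed sample data, not a real dpkg database.
# Prints the temp directory; ROOT is $dir/root, LISTDIR is $dir/info.
make_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/usr/bin" "$dir/info"
    printf 'owned by coreutils\n' > "$dir/root/usr/bin/ls"
    printf 'nobody claims me\n'   > "$dir/root/usr/bin/vmtoolsd"
    # dpkg-style list: directories and files, one absolute path per line
    printf '/.\n/usr\n/usr/bin\n/usr/bin/ls\n' > "$dir/info/coreutils.list"
    echo "$dir"
}

demo=$(make_demo)
find_orphans "$demo/root" "$demo/info"   # prints /usr/bin/vmtoolsd
rm -rf "$demo"
```

On a real system expect legitimate hits too: files written by maintainer scripts, everything under /usr/local, edited files in /etc and diverted paths are not in any .list, so the output is a review list, not evidence of compromise on its own.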

