
Am I infected with a rootkit?



I have a Debian PC functioning as router, firewall, file server, name server, webserver, ...
It has very recently been upgraded to Bullseye.

On the internal network I have a Windows 10 PC.

A few days after the Debian upgrade, I had the following strange experience:

The Windows machine had an ssh connection to the Debian machine (using PuTTY), logged in as root on the Debian machine.
I then went for a walk with the dog, leaving the ssh session running.
When I came back, I wanted to re-issue some command to the ssh session, so I pressed up-arrow a few times.

And there in the bash history were 4 lines that I had not written :-(

I am certain that nobody had been in my apartment while I was gone. And even if they had, nobody with a key to my apartment would dream of writing things like the 4 lines that I found in the history file.

The 4 lines were:
md5users
sp md5users
sp /x/md5users
ps /x/md5users
There is no file named "md5users" or directory named "/x" or command named "sp" on the Debian machine.

I have scanned the Windows machine with two antivirus tools (Windows Defender and Malwarebytes).
I have run chkrootkit, rkhunter, and debsums on the Debian machine.
That did not find anything.

All of the above except chkrootkit were done on the running system, so they might be influenced by a rootkit.

I have done a more manual check of the files belonging to the kernel package, in the hope that a rootkit will not find it easy to fool that.  There were 10 files in /lib/modules/5.10.0-21-amd64 that do not belong in the current kernel package - I guess that they are leftovers from an earlier version.  These 10 files do not seem dangerous to me; they are:
modules.dep
modules.devname
modules.symbols.bin
modules.symbols
modules.builtin.bin
modules.alias.bin
modules.builtin.alias.bin
modules.softdep
modules.alias
modules.dep.bin

Since this happened a couple of weeks ago, there has been no visible sign of anything wrong.  I am taking care to mount backup disks only when running from a booted rescue disk.  And I have for the time being removed the ability of the Windows machine to log in as root on the Debian machine.

I've tried logging all DNS requests from the Windows machine during a power-on sequence.  I saw no clearly suspicious names among the surprisingly many names being looked up.

What can I do?

* Is it probable that somebody can remote control one or both machines?  Do those 4 lines ring a bell?  What are they all about?

* I would really like to know how this happened.  I consider myself to be a careful person who does not get hit by viruses and other malware.  I've had a Windows virus once - because I trusted an install program from sourceforge.

* Is there a significant risk that the problem came with the Bullseye upgrade?

* I really don't want to reinstall from scratch.  Not only because I don't know whether there is a problem on one or both machines, but also because I have no idea where any infection came from - it could easily be from something that I would also reinstall.

* I could restore a backup of one or both of the machines.  But I have no idea how long back I would have to go.  I would not like to go back to before the Bullseye upgrade, since I would then have to repeat that upgrade - and it was not quite trouble-free.

* Is there a place where I could download the correct checksums of all installed files?  Some way to be able to run debsums from a booted rescue disk, but checking the system on the hard disk against freshly fetched checksums?

Any suggestions will be much appreciated.

Thanks,
Jesper

--
Jesper Dybdal
https://www.dybdal.dk
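The offline check asked about in the last question, i.e. verifying the files on the hard disk from a booted rescue disk against reference checksums that did not come from the possibly compromised system, can be done with a small script. The following is an added example; it is not part of the original post and not debsums' own code. It assumes the root filesystem is mounted read-only somewhere (the `root` argument) and that the reference manifest is the `md5sums` control member of a freshly downloaded .deb (`apt-get download pkg` followed by `dpkg-deb -e pkg.deb ctrl/` yields `ctrl/md5sums`), concatenated for all installed packages. Besides checking the listed files it walks chosen directories for files the manifest does not cover, which is the manual /lib/modules check from the post done mechanically. The sample tree it builds is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Verify a mounted (offline) root against dpkg-style md5sums manifests.

Added example, not from the original post. A dpkg md5sums manifest has one
line per shipped file:  <32 hex md5>  <path relative to />
The reference hashes come from freshly downloaded .debs, so a rootkit on the
system being checked cannot influence them while it is powered off.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Return {relative_path: md5hex} from md5sums-style text (blank lines ignored)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _sep, path = line.partition("  ")
        if len(digest) != 32 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[path.lstrip("/")] = digest.lower()
    return entries


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large kernel images are handled."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(root, manifest_text, scan_dirs=()):
    """Compare files under `root` with the manifest; returns sorted lists:
    ok       - present and hash matches
    changed  - present but hash differs (tampering, or a local edit)
    missing  - listed in the manifest but absent on disk
    unlisted - regular files under scan_dirs that no package claims
    """
    root = Path(root)
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "changed": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        target = root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif md5_of(target) == digest:
            result["ok"].append(rel)
        else:
            result["changed"].append(rel)
    for d in scan_dirs:
        base = root / d.lstrip("/")
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                rel = (Path(dirpath) / name).relative_to(root).as_posix()
                if rel not in expected:
                    result["unlisted"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def build_demo():
    """Constructed sample root: one intact, one altered, one missing, one stray file."""
    root = Path(tempfile.mkdtemp(prefix="offline-root-"))
    originals = {  # contents "as shipped"; the manifest is derived from these
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "lib/modules/demo/modules.dep": b"kernel/demo.ko:\n",
        "usr/share/doc/hello/README": b"docs\n",
    }
    manifest = "".join(f"{hashlib.md5(c).hexdigest()}  {p}\n" for p, c in originals.items())
    for rel, content in originals.items():
        if rel.startswith("usr/share/doc"):
            continue  # simulate a file that has gone missing
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    # simulate an on-disk modification and a file no package accounts for
    (root / "lib/modules/demo/modules.dep").write_bytes(b"kernel/demo.ko: kernel/extra.ko\n")
    (root / "lib/modules/demo/stray.ko").write_bytes(b"\x7fELF")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo()
    report = verify_manifest(root, manifest, scan_dirs=("/lib/modules",))
    for kind in ("changed", "missing", "unlisted"):
        for rel in report[kind]:
            print(f"{kind:8s} {rel}")
    print(f"{len(report['ok'])} file(s) verified ok")
```

Like debsums, this only covers files that packages ship; configuration files and anything added after installation show up, at best, as "unlisted" in the directories you choose to walk, so the scan list should include the places a rootkit would drop into (/lib/modules, /usr/lib, /usr/bin, /etc). The hashes are MD5 because that is what dpkg ships in its control data; they detect files that differ from the package contents, which is the question here, not collision attacks.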

