Re: Am I infected with a rootkit?

To: debian-user@lists.debian.org
Subject: Re: Am I infected with a rootkit?
From: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
Date: Sun, 16 Apr 2023 09:40:44 -0300
Message-id: <[🔎] 06e09fb0-1207-d82b-2752-dd84f1a5b088@kalinowski.com.br>
In-reply-to: <[🔎] 8759d727-f80a-61af-ee6c-13d37a3ab2f1@dybdal.dk>
References: <[🔎] 8759d727-f80a-61af-ee6c-13d37a3ab2f1@dybdal.dk>

On 16/04/2023 09:19, Jesper Dybdal wrote:

And there in the bash history were 4 lines that I had not written :-(
I am certain that nobody had been in my apartment while I was gone. Andeven if they had, nobody with a key to my apartment would dream ofwriting things like the 4 lines that I found in the history file.
The 4 lines were:
md5users
sp md5users
sp /x/md5users
ps /x/md5users
There is no file named "md5users" or directory named "/x" or commandnamed "sp" on the Debian machine.

Which shell do you use, and how is it configured? Note that bash bydefault does not share history between sessions, so even if someonelogged in as root (via other ssh session) and typed them, they would notappear in your ssh session.

See https://mywiki.wooledge.org/BashFAQ/088, or wait for Greg to chimein with details and corrections.



--
Eduardo M KALINOWSKI
eduardo@kalinowski.com.br

Reply to:

Follow-Ups:
- Re: Am I infected with a rootkit?
  - From: Michel Verdier <mv524@free.fr>
- Re: Am I infected with a rootkit?
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>
- Re: Am I infected with a rootkit?
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

References:
- Am I infected with a rootkit?
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

Prev by Date: Am I infected with a rootkit?
Next by Date: Re: Apt sources.list
Previous by thread: Am I infected with a rootkit?
Next by thread: Re: Am I infected with a rootkit?
Index(es):
- Date
- Thread