Re: Am I infected with a rootkit?

[Jesper Dybdal <jd-debian-user@dybdal.dk>]

On 2023-04-16 14:59, Michel Verdier wrote:
> Le 16 avril 2023 Jesper Dybdal a écrit :
>
> > I have scanned the Windows machine with two antivirus tools (Windows defender
> > and Malwarebytes).
> Can you use clamav on windows ?
I hadn't thought of that. I'll check.
> > > modules.dep
> > > modules.devname
> > > modules.symbols.bin
> > > modules.symbols
> > > modules.builtin.bin
> > > modules.alias.bin
> > > modules.builtin.alias.bin
> > > modules.softdep
> > > modules.alias
> > > modules.dep.bin
> These are generated during kernel install. And you can safely remove
> /lib/modules/5.10.0-21-amd64 if these are the only files left.
They are the only files on my harddisk that are not part of the .deb 
file for the kernel.  There are lots of other files, but they match.
> > * Is it probable that somebody can remote control one or both machines?  Do
> >   those 4 lines ring a bell?  What are they all about?
> Perhaps a bot trying to execute some commands. As they do not apply to
> debian you debian machine should not be compromised.
Unless the malware on the windows machine is smart enough to use my 
secret key and decrypt it with a password retrieved from a key logger ...
> Malware can be installed via web sites
I tend to stay away from doubtful websites - but you are of course right.
> * Is there a significant risk that the problem came with the Bullseye 
> upgrade?
> no
>
> > * I really don't want to reinstall from scratch.  Not only because I don't
> >   know whether there is a problem on one or both machines, but also because I
> > have no idea where any infection came from - it could easily be from something
> > that I would also reinstall.
> I think you don't have to. For debian. For windows a full deinstall
> without reinstall is the best :)
In the long term, now that I'm retired, I hope to drop Windows 
completely - but not quite today :-).

Thanks,
Jesper

--
Jesper Dybdal
https://www.dybdal.dk