
Re: Am I infected with a rootkit?




On 2023-04-16 15:08, Greg Wooledge wrote:
> On Sun, Apr 16, 2023 at 02:19:34PM +0200, Jesper Dybdal wrote:
>> And there in the bash history were 4 lines that I had not written :-(
> I would initially ask "who else lives with you"....

So would I - if I didn't know that the few people with physical access to my apartment, including my wife, haven't the faintest idea that there is a thing called "md5".

>> I am certain that nobody had been in my apartment while I was gone. And even
>> if they had, nobody with a key to my apartment would dream of writing things
>> like the 4 lines that I found in the history file.
>>
>> The 4 lines were:
>> md5users
>> sp md5users
>> sp /x/md5users
>> ps /x/md5users
>> There is no file named "md5users" or directory named "/x" or command named
>> "sp" on the Debian machine.
> This certainly sounds like someone walking up to your machine and typing
> the commands.  Did you see the commands within the PuTTY session, or were
> they *only* in the shell history?

I saw them only in the shell history.  And I am pretty sure that I cannot have overlooked them if they were visible on the screen.

>> * Is it probable that somebody can remote control one or both machines?  Do
>> those 4 lines ring a bell?  What are they all about?
> If someone did this with remote access, it would have to be access to
> the Windows machine.  Nothing that could be done to the Debian machine
> would affect the in-memory shell history of a running instance of bash.
> Even writing to the /root/.bash_history file wouldn't cause the PuTTY
> session's bash to read those lines into its in-memory history.  At least,
> not without a heavily altered bash history configuration.
>
> (Have you altered root's bash history configuration on that Debian system?
> If so, how?)

My .bashrc has:
export HISTCONTROL=ignoreboth

and that's all.  And your description of the default behaviour matches what I experience with bash.

> Those commands look like nonsense to me.  However, the fact that they're
> evolving from line to line looks like someone was trying to "get it
> right", and failing to do so.  Again, it looks like something that was
> typed by an (ignorant) human.  However, I can't even guess what the
> intent was.
>
> I tried googling "ps /x/md5users" and even "md5users" and got no useful
> results.  So, it doesn't look like a known malware worm.  Also, one would
> think that a malware worm would simply issue the desired command the first
> time, and not have to fumble around trying to type it correctly.

Exactly.  I don't understand it.
Of the two machines, the Debian has the most important data: mailboxes with mail archives for about 25 persons.  And just about all my data files (docs, source code, photos, ...) live there.

If the Windows machine has a virus that can sniff my typed key decryption pass phrase and use it, then the Debian's root account may have been compromised.  And I really need to be able to run ssh to root to administer that machine (which normally has neither keyboard nor monitor).

And the Windows machine has access to the data files on the Debian machine.  So even if root is not compromised, the Windows machine can make problems by destroying/modifying data files.  I now back up the data files more frequently than I used to.

Thanks a lot to those who have answered.  And please keep the good ideas coming...

Jesper

--
Jesper Dybdal
https://www.dybdal.dk

