Re: Am I infected with a rootkit?

To: debian-user@lists.debian.org
Subject: Re: Am I infected with a rootkit?
From: David Wright <deblis@lionunicorn.co.uk>
Date: Sun, 16 Apr 2023 09:33:07 -0500
Message-id: <[🔎] ZDwHIyOXBSVJpoiu@axis.corp>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 8759d727-f80a-61af-ee6c-13d37a3ab2f1@dybdal.dk>
References: <[🔎] 8759d727-f80a-61af-ee6c-13d37a3ab2f1@dybdal.dk>

On Sun 16 Apr 2023 at 14:19:34 (+0200), Jesper Dybdal wrote:
> And there in the bash history were 4 lines that I had not written :-(
> 
> I am certain that nobody had been in my apartment while I was gone.
> And even if they had, nobody with a key to my apartment would dream of
> writing things like the 4 lines that I found in the history file.
> 
> The 4 lines were:
> > md5users
> > sp md5users
> > sp /x/md5users
> > ps /x/md5users
> There is no file named "md5users" or directory named "/x" or command
> named "sp" on the Debian machine.

Just FTR and clarity's sake, are the "> " characters (which my MUA has
unhelpfully doubled by quoting) part of what was typed in the putty
session, or did you type them into the post to make them stand out?

The reason I ask is that most people have their PS2 set to "> ",
suggesting that these might have been some sort of continuation—
of what, we don't know.

Cheers,
David.

Reply to:

Follow-Ups:
- Re: Am I infected with a rootkit?
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

References:
- Am I infected with a rootkit?
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

Prev by Date: Re: Am I infected with a rootkit?
Next by Date: Re: Apt sources.list
Previous by thread: Re: Am I infected with a rootkit?
Next by thread: Re: Am I infected with a rootkit?
Index(es):
- Date
- Thread