
Re: Am I infected with a rootkit?



On Sun, Apr 16, 2023 at 04:30:51PM +0200, Jesper Dybdal wrote:
> On 2023-04-16 15:08, Greg Wooledge wrote:
> > (Have you altered root's bash history configuration on that Debian system?
> > If so, how?)
> My .bashrc has:
> > export HISTCONTROL=ignoreboth
> 
> and that's all.  And your description of the default behaviour matches what
> I experience with bash.

There is simply no scenario where all of these things can be simultaneously
true.

Bash doesn't read the contents of the history file into the in-memory
history unless you run "history -r".  If you had some kind of ksh-like
setup where you combined "history -w" and "history -r" commands in your
PROMPT_COMMAND or other variables, then we might be able to reconcile
the statements we've been given.

In the absence of that, there's just no way you could have commands in
your shell history that were not typed in that same shell session.

The most stupidly paranoid, off-the-wall, tin-foil-hat scenario that I
can come up with, which holds all these statements true, is that someone
hacked into the Debian system as root, attached gdb (or some similar
program) to a running bash, and used this opportunity to modify your
shell's history.  Not to do anything.  Just to fuck with you.  To make
it LOOK like someone hacked you... and that the hacker was a halfwit.

The other scenario that comes to mind is that you actually typed the
commands yourself, and forgot doing it.  Maybe you have dissociative
identity disorder or something, who knows.

The last scenario... is that one or more of the statements you've given
us are false.
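An added example, not part of this thread, that makes Greg's point about bash history concrete: by default a running bash only shows what it read into memory itself, so a line appended to the history file by some other process does not appear in `history` until something like `history -n` (the ksh-style PROMPT_COMMAND setup he mentions) pulls it in. Anyone treating shell history as evidence should know which of these two setups the shell was running. It assumes `bash` is installed; the function name and the planted line are made up for the demonstration.

```shell
#!/usr/bin/env sh
# Prints "yes" if a line written into HISTFILE by another process shows up
# in a running bash session's `history`, "no" otherwise.
# Usage: planted_line_visible default|sync
planted_line_visible() {
  local mode=$1 hist script
  hist=$(mktemp)
  script=$(mktemp)
  # The inner script stands in for the shell session whose history is in question.
  cat >"$script" <<'EOF'
HISTFILE=$1; MODE=$2; NEEDLE=$3
set -o history     # scripts have history off; turn it on as an interactive shell has it
history -c         # start from an empty in-memory list (interactive bash loads the file once, at startup)
true               # a command actually run in this session
# another process appends a line to the history file behind the shell's back
printf '%s\n' "$NEEDLE" >>"$HISTFILE"
if [ "$MODE" = sync ]; then
  history -n       # what a PROMPT_COMMAND='history -a; history -n' setup does before each prompt
fi
if history | grep -qF "$NEEDLE"; then echo yes; else echo no; fi
EOF
  # constructed "planted" line; passed as an argument so its text never appears in a script line
  bash --norc --noprofile "$script" "$hist" "$mode" 'planted-command --never-typed-here'
  rm -f "$hist" "$script"
}
```

The default session answers "no" even though the line is sitting in its HISTFILE; only the synced session answers "yes".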
