
Re: Am I infected with a rootkit?



On 2023-04-16 17:57, Greg Wooledge wrote:
> On Sun, Apr 16, 2023 at 04:30:51PM +0200, Jesper Dybdal wrote:
>> My .bashrc has:
>> export HISTCONTROL=ignoreboth
>> and that's all.  And your description of the default behaviour matches what
>> I experience with bash.
> There is simply no scenario where all of these things can be simultaneously
> true.
>
> Bash doesn't read the contents of the history file into the in-memory
> history unless you run "history -r".  If you had some kind of ksh-like
> setup where you combined "history -w" and "history -r" commands in your
> PROMPT_COMMAND or other variables, then we might be able to reconcile
> the statements we've been given.
>
> In the absence of that, there's just no way you could have commands in
> your shell history that were not typed in that same shell session.

Or somehow inserted into the PuTTY ssh client on the Windows machine to become part of the ssh session.  You've just about convinced me that that must be the situation.

I've just checked once more: the Windows machine does not have any remote control server (VNC or Remote Desktop) enabled.  If it had, it could have been an intrusion into the WiFi LAN.  So it's not that simple - unless there is some hidden remote control server functionality.

> The most stupidly paranoid, off-the-wall, tin-foil-hat scenario that I
> can come up with, which holds all these statements true, is that someone
> hacked into the Debian system as root, attached gdb (or some similar
> program) to a running bash, and used this opportunity to modify your
> shell's history.  Not to do anything.  Just to fuck with you.  To make
> it LOOK like someone hacked you... and that the hacker was a halfwit.

*Too* paranoid. And it would make sense only if I discovered it - if I hadn't happened to use the history, I would never have seen anything strange.

> The other scenario that comes to mind is that you actually typed the
> commands yourself, and forgot doing it.

Yes.  I certainly do not claim to always remember which commands I typed an hour earlier, so if those lines had been something that could remotely make sense to me, then I might well think I had done it myself.  But those 4 lines?  If I had somehow typed such a mess, I would remember it.

> Maybe you have dissociative
> identity disorder or something, who knows.

Who knows?  But if so, this is the first time it has shown symptoms.

> The last scenario... is that one or more of the statements you've given
> us are false.

Well - I happen to know that they're not.

Sometimes I almost think I must have dreamt it, but then I look at the 4 lines that I cut from the history file and saved.

Thanks for your help - you've made it clear that the problem originated from the Windows machine.

Though that doesn't quite rule out that damage could have been done to the Debian system at the same time, I think that in combination with the apparent clumsiness of those commands, I can almost trust that the Debian system is ok.

The question then remains: what to do with the Windows system before I dare run a root ssh session from that machine again?  Perhaps restore a backup, but from when?

Thanks,
Jesper

--
Jesper Dybdal
https://www.dybdal.dk