Re: Am I infected with a rootkit?

To: debian-user@lists.debian.org
Subject: Re: Am I infected with a rootkit?
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Sun, 16 Apr 2023 19:35:20 +0200
Message-id: <[🔎] 2876627846934899781@scdbackup.webframe.org>
In-reply-to: <[🔎] ZDwazWRrNmTi58++@wooledge.org>
References: <[🔎] ZDwazWRrNmTi58++@wooledge.org>

Hi,

to make this mail on-topic:

Jesper Dybdal, do you see the riddling lines in file ~/.bash_history
of the superuser ?
If so: Do you see other strange lines there ? (Do they give more clue ?)

A bit less on-topic:

Greg Wooledge wrote:
> Bash doesn't read the contents of the history file into the in-memory
> history unless you run "history -r".  If you had some kind of ksh-like
> setup where you combined "history -w" and "history -r" commands in your
> PROMPT_COMMAND or other variables, then we might be able to reconcile
> the statements we've been given.
>
> In the absence of that, there's just no way you could have commands in
> your shell history that were not typed in that same shell session.

My Debians always behaved that way. I remember that in Debian 8 i got
several different readline histories in the first shell terminals which
i started. With Debian 11 it's only one history per user. It seems to be
a collection of the last commands of shell sessions when the recent
shutdowns happened.
For example i create a new xterm and get to see (from new to old):

  su -
  firefox-esr &
  top
  ps -ef | grep pulseaudio
  umgebung
  view /u/x
  su -
  firefox-esr &
  xset r rate 250 30

In man bash i read:

   When the -o history option to the set builtin  is  enabled,  the  shell
   provides access to the command history, [...]
   On startup, the history is initialized from the file named by the vari‐
   able HISTFILE (default ~/.bash_history).
   [...]
   set [--abefhkmnptuvxBCEHPT] [-o option-name] [arg ...]
   [...]
   -o option-name
     The option-name can be one of the following:
     [...]
      history Enable command history, as described above under
              HISTORY.  This option is on by default in inter‐
              active shells.

At the end of ~/.bash_history of my desktop user i see indeed above
history in old-to-new sequence:

  xset r rate 250 30
  firefox-esr &
  su -
  view /u/x
  umgebung
  ps -ef | grep pulseaudio
  top
  firefox-esr &
  su -

I did not execute them in this sequence in the recent sessions when i tried
to find out what made pulseaudio permenantly busy. They surely stem from
different xterms. It is not clear whether one per shutdown was memorized
or whether more then one stem from a single shutdown.

I become superuser by "su -" and get to see

  shutdown -h now
  shutdown -r now
  systemctl --global disable pulseaudio.service pulseaudio.socket
  shutdown -r now
  shutdown -h now
  shutdown -r now
  systemctl --global enable pulseaudio.service pulseaudio.socket
  shutdown -h now

Since i only had one superuser xterm, i can quite surely state that the
systemctl commands were not the last ones which were performed in their
respective shells before shutdown.

Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Re: Am I infected with a rootkit?
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Am I infected with a rootkit?
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

References:
- Re: Am I infected with a rootkit?
  - From: Greg Wooledge <greg@wooledge.org>

Prev by Date: Re: Am I infected with a rootkit?
Next by Date: Re: Email submission.
Previous by thread: Re: Am I infected with a rootkit?
Next by thread: Re: Am I infected with a rootkit?
Index(es):
- Date
- Thread