
Re: Am I infected with a rootkit?



On Sun 16 Apr 2023 at 16:39:13 (+0200), Jesper Dybdal wrote:
> On 2023-04-16 16:33, David Wright wrote:
> > On Sun 16 Apr 2023 at 14:19:34 (+0200), Jesper Dybdal wrote:
> > > The 4 lines were:
> > > > md5users
> > > > sp md5users
> > > > sp /x/md5users
> > > > ps /x/md5users
> > > 
> > Just FTR and clarity's sake, are the "> " characters (which my MUA has
> > unhelpfully doubled by quoting) part of what was typed in the putty
> > session, or did you type them into the post to make them stand out?
> They were not part of what was typed, and I did add them to make the
> lines stand out.  Sorry for the unclear text.
> 
> Here is a correct and clear, I hope, version:
> 
> ---------------- The 4 lines were:
> md5users
> sp md5users
> sp /x/md5users
> ps /x/md5users
> ---------------- End of the 4 lines

OK, you wrote that you "pressed up-arrow a few times. And there in the
bash history were 4 lines …". If those 4 lines were not the first
things to appear when you pressed up-arrow, then I would assume that
the commands you typed /just/ before you went out with the dog were
the first lines to appear, and then your 4 lines after more up-arrows.

If that's the case, then your 4 lines could have been typed
in a previous login as root, and that could have been some time
ago. They would have been languishing at the end of the file
/root/.bash_history before you logged in as root this time.

There is an option to timestamp entries in the history file. I've
never used it, nor heard of its being used. That might disambiguate
things if you ever suspect it might happen again.

Cheers,
David.
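
Added example, not part of the original message: when bash's `HISTTIMEFORMAT` variable is set (for instance `HISTTIMEFORMAT='%F %T '` in the shell's startup file), bash writes a `#<epoch seconds>` line before each entry in the history file. This sketch parses such a file and separates entries typed before a given login time from later ones; the sample file, its epoch values, the login time and the function names are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a history file written with HISTTIMEFORMAT set; the
# epochs are invented, and line 1 stands for an entry saved before stamping.
SAMPLE = """\
ls /root
#1681000000
md5users
#1681000010
sp md5users
#1681000020
sp /x/md5users
#1681000030
ps /x/md5users
#1681650100
less /var/log/auth.log
"""
STAMP = re.compile(r"#(\d+)")

def parse_history(text):
    """Return [(epoch or None, command)] in file order."""
    entries = []
    for line in text.splitlines():
        m = STAMP.fullmatch(line)
        if m:
            entries.append([int(m.group(1)), None])   # stamp awaiting its command
        elif not entries or entries[-1][0] is None:
            entries.append([None, line])              # entry with no timestamp
        elif entries[-1][1] is None:
            entries[-1][1] = line
        else:
            # Assumption: further lines under one stamp continue that command.
            entries[-1][1] += "\n" + line
    return [(t, c) for t, c in entries if c is not None]

def split_at_login(entries, login_epoch):
    """Split commands into (before login, since login, undated)."""
    earlier = [c for t, c in entries if t is not None and t < login_epoch]
    current = [c for t, c in entries if t is not None and t >= login_epoch]
    undated = [c for t, c in entries if t is None]
    return earlier, current, undated

def utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    for t, c in parse_history(SAMPLE):
        print(utc(t) if t is not None else "(no timestamp)", c, sep="  ")
```

The history file is writable by the account that owns it, so these timestamps help sort out one's own sessions but are not tamper evidence.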

