
Re: Am I infected with a rootkit?



On 4/18/23 06:43, Jesper Dybdal wrote:
On 2023-04-16 14:19, I wrote:
...
And there in the bash history were 4 lines that I had not written :-(

To summarize:

* Greg has convincingly argued that there is no way for the running shell to get those lines into its history, other than by issuing them over the ssh connection.

* We can therefore assume that the problem originated at the Windows machine (the ssh client).

* It seems that an intruder has had control over the Windows machine, including the ssh session, and thus, at least in principle, could have done harm also to the Linux machine.

* There is, however, no sign of an infection of the Linux machine. And the 4 lines do not suggest that whoever issued them knows what he's doing.

* So I am going to assume that the Linux machine is ok.

* The Windows machine could be infected with something that allows remote control.

* So I should probably reinstall the Windows machine from scratch - or perhaps restore a really old backup (I have one from July 2022, one from 2020, and one taken shortly after the original install in 2016).

Many thanks to everybody who answered!
Jesper


I do not believe the analysis is complete -- I never saw an answer to the following question (?); it is important:

On 4/17/23 21:42, David Wright wrote:
> OK, you wrote that you "pressed up-arrow a few times. And there in the
> bash history were 4 lines …". If those 4 lines were not the first
> things to appear when you pressed up-arrow, then I would assume that
> the commands you typed /just/ before you went out with the dog were
> the first lines to appear, and then your 4 lines after more up-arrows.
>
> If that's the case, then your 4 lines could have been typed
> in a previous login as root, and that could have been some time
> ago. They would have been languishing at the end of the file
> /root/.bash_history before you logged in as root this time.


Were the four commands in question the very last commands entered into PuTTY, or were they prior? If the latter, how far back? Same session? Same day? A day ago? Week? Month?


David
