Channel: Debian User Forums

[Software] File integrity monitoring paranoia

I monitor my devices with Debian's integrit file integrity monitoring program. Join me on an investigation (that I DEFINITELY want to be doing at 4 AM! *forced smile* :D)!

Usually, integrit's database only needs to be updated following upgrades via apt.

Today I noticed that integrit is reporting many changes for components that I don't remember updating. They include:

Code:

/root/.selected_editor
/root/.sudo_as_admin_successful
/root/.local/share/gem/specs/index.rubygems.org%443/quick/Marshal.4.8/~
/boot/grub/~
/usr/libexec/~
/usr/bin/~  (just about everything contained here)
/usr/games/~
/usr/lib/~
/usr/sbin/~
/usr/include/~
Okay, so nearly every binary and directory on my system that is tracked by integrit. And they're listed as "new:" instead of "changed:" which is also kind of strange.

The only changes I made through apt recently were for a yt-dlp backport and a python pillow security update.

Yes, I have been doing administrative things as root, including managing integrit itself. And I'm familiar that editing files in vim tiny as root causes things like /root/.less_hst to change.

I am surprised that ".sudo_as_admin_successful" didn't appear in the /root/ directory any earlier as I'd been using sudo to administrate many things... for years.

The fact that almost the entire system is showing up as "new:" leads me to suspect that I'd miskeyed something, or made a change affecting the integrit known.db or otherwise. Especially since the modification times accurately reflect when given programs would have last been touched (i.e. this system was installed as Bullseye so a lot of programs which went unchanged to Bookworm still show 2022 or 2023, as I would expect).

Let's take a look at rkhunter.log:

Code:

System checks summary
=====================

File properties checks...
    Files checked: 146
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 477
    Possible rootkits: 0
Okay... chkrootkit.log

Code:

WARNING: The following suspicious files and directories were found:
/usr/lib/libreoffice/share/.registry
/usr/lib/jvm/.java-1.17.0-openjdk-(redacted by Uptorn).jinfo
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscode
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.gitignore
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscodeignore
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
/usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
Interesting. I had removed ruby-gems some time ago. Ah, it seems ruby-dev and ruby3.1-dev are still installed. Time to purge them. Java only remains because LibreOffice apparently requires it. Otherwise that would also get ejected from my system.

I scanned some of the directories in question using clamscan -ir:

Code:

Infected files: 0
But it's unlikely that clamav would find anything tailored by a possible intruder.

There's this interesting entry for su activity:

Code:

su:    Sessions Opened:       root -> nobody(uid=65534): 3 Time(s)
What is "nobody"? I'm going to have to do some research.

I expected to see all of these... since I had been provisioning some encrypted flash drives, and later investigating my system as described above.

Code:

Uptorn => root
--------------
/usr/bin/apt                   -   1 Time(s).
/usr/bin/chgrp                 -   1 Time(s).
/usr/bin/chown                 -   2 Time(s).
/usr/bin/cp                    -   3 Time(s).
/usr/bin/pager                 -   6 Time(s).
/usr/bin/rsync                 -   1 Time(s).
/usr/bin/systemctl             -   1 Time(s).
/usr/sbin/chkrootkit           -   1 Time(s).
/usr/sbin/cryptsetup           -   1 Time(s).
/usr/sbin/integrit             -   3 Time(s).
/usr/sbin/logwatch             -   1 Time(s).
/usr/sbin/smartctl             -   1 Time(s).


Anyways, my paranoia has been piqued.

Well, what do you think? Time to nuke it from orbit?

Is there something else that could plausibly explain these changes, particularly surrounding ruby gems and java? (python I can attribute to yt-dlp)

Statistics: Posted by Uptorn — 2024-06-09 04:04 — Replies 3 — Views 85
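The distinction the post turns on is how an integrity monitor labels a path: "new:" means the path is absent from the known database, while "changed:" means it is in the database but its digest no longer matches. The following Python script is an added example written for this page, not part of integrit or of Uptorn's post; it builds a minimal baseline of SHA-256 digests over a constructed temporary directory tree, then compares it twice: once against the real baseline (one edited file, one added file, one deleted file) and once against an empty database, which is what a regenerated or mis-pointed known.db looks like. In the second run every file on disk comes back as "new", with untouched modification times, exactly the pattern described above. All file names and contents are constructed for the demo.

```python
"""Minimal file-integrity baseline and comparison (added example, not integrit's code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record a digest for every regular file, keyed by relative path.
    Symlinks are skipped so a link target outside the tree is never followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(known: dict, current: dict) -> dict:
    """Classify paths the way an integrity monitor reports them:
    'new'     = on disk but absent from the known database,
    'changed' = in both, but the digest differs,
    'missing' = in the known database but no longer on disk."""
    return {
        "new": sorted(k for k in current if k not in known),
        "changed": sorted(k for k in current if k in known and known[k] != current[k]),
        "missing": sorted(k for k in known if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a small tree, then one edit, one addition and one deletion.
    The tree is compared against its real baseline and against an empty database."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")     # constructed sample file
        (root / "bin" / "cp").write_bytes(b"original cp")     # constructed sample file
        (root / "etc.conf").write_bytes(b"key=value\n")       # constructed sample file

        known = build_baseline(root)  # the "known.db" equivalent

        (root / "bin" / "ls").write_bytes(b"modified ls")      # will report as changed
        (root / "bin" / "newtool").write_bytes(b"dropped in")  # will report as new
        (root / "etc.conf").unlink()                           # will report as missing

        current = build_baseline(root)
        against_known = compare(known, current)
        # An empty/regenerated database cannot report "changed": everything is "new".
        against_empty = compare({}, current)
    return {"against_known": against_known, "against_empty": against_empty}


if __name__ == "__main__":
    result = demo()
    for label, report in result.items():
        print(label)
        for kind in ("new", "changed", "missing"):
            for path in report[kind]:
                print(f"  {kind}: {path}")
```

Running it shows a single "new", "changed" and "missing" entry against the real baseline, and three "new" entries with nothing "changed" against the empty one. On a Debian host the complementary check for package-managed paths such as /usr/bin and /usr/lib is `dpkg --verify`, which compares installed files against the md5sums shipped in each package and so does not depend on a locally maintained database.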
