Page 1 of 1

Tab (no exec) triggers script on Bash on grsec admin

PostPosted: Fri May 05, 2017 12:55 am
by timbgo
title: Tab (no exec) triggers script on Bash on grsec admin
(posting in a rush, the title may change yet)
---
This is also good for newbies, to see the great beneficial reporting that the
exec_logging feature of grsecurity does.
---

Pls. have a look at:

Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/ ... ange-bash/

and see the syslog excerpt there:
https://www.croatiafidelis.hr/foss/cap/ ... 4_2155_g0n

Viewing the screencast:
https://www.croatiafidelis.hr/foss/cap/ ... 1_g0n.webm

it can clearly be seen that no command was issued in the terminal. That
script (or whatever that is) was activated upon merely typing:

Code: Select all
rsync -nav <some-dir>/<some-dir>/

and pressing Tab.

And it tries to change conf files like /etc/ssh/ssh_config...

rsync is not executed at all. Only bash, and only bash tab.

I can almost clearly see that this is foreign meddling into my
system.

There appear to be some interest on Gentoo User mailing list into this issue,
pls. see:

Inconsistent behavior in my Gentoo OS instance
https://lists.gt.net/gentoo/user/325985

If I don't post soon, I am likely building my system anew, and unavailable for
online.

I welcome if anyone has some explanation and/or advice in regard to this
tab-triggering-script-on-bash situation.

---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)