Tab (no exec) triggers script on Bash on grsec admin
Posted: Fri May 05, 2017 12:55 am
title: Tab (no exec) triggers script on Bash on grsec admin
(posting in a rush, the title may change yet)
---
This is also good for newbies, to see the great beneficial reporting that the
exec_logging feature of grsecurity does.
---
Pls. have a look at:
Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/ ... ange-bash/
and see the syslog excerpt there:
https://www.croatiafidelis.hr/foss/cap/ ... 4_2155_g0n
Viewing the screencast:
https://www.croatiafidelis.hr/foss/cap/ ... 1_g0n.webm
it can clearly be seen that no command was issued in the terminal. That
script (or whatever that is) was activated upon merely typing:
and pressing Tab.
And it tries to change conf files like /etc/ssh/ssh_config...
rsync is not executed at all. Only bash, and only bash tab.
I can almost clearly see that this is foreign meddling into my
system.
There appear to be some interest on Gentoo User mailing list into this issue,
pls. see:
Inconsistent behavior in my Gentoo OS instance
https://lists.gt.net/gentoo/user/325985
If I don't post soon, I am likely building my system anew, and unavailable for
online.
I welcome if anyone has some explanation and/or advice in regard to this
tab-triggering-script-on-bash situation.
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
(posting in a rush, the title may change yet)
---
This is also good for newbies, to see the great beneficial reporting that the
exec_logging feature of grsecurity does.
---
Pls. have a look at:
Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/ ... ange-bash/
and see the syslog excerpt there:
https://www.croatiafidelis.hr/foss/cap/ ... 4_2155_g0n
Viewing the screencast:
https://www.croatiafidelis.hr/foss/cap/ ... 1_g0n.webm
it can clearly be seen that no command was issued in the terminal. That
script (or whatever that is) was activated upon merely typing:
- Code: Select all
rsync -nav <some-dir>/<some-dir>/
and pressing Tab.
And it tries to change conf files like /etc/ssh/ssh_config...
rsync is not executed at all. Only bash, and only bash tab.
I can almost clearly see that this is foreign meddling into my
system.
There appear to be some interest on Gentoo User mailing list into this issue,
pls. see:
Inconsistent behavior in my Gentoo OS instance
https://lists.gt.net/gentoo/user/325985
If I don't post soon, I am likely building my system anew, and unavailable for
online.
I welcome if anyone has some explanation and/or advice in regard to this
tab-triggering-script-on-bash situation.
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)