Thanks for replying

On 25/02/14 17:10, Reco wrote:
> Hi.
>
> On Tue, 25 Feb 2014 16:48:37 +1100
> Scott Ferguson <scott.ferguson.debian.u...@gmail.com> wrote:
>
>> Please note the difference between *are/is* installed, and *were* installed.
>
> There's a difference, indeed.
>
>
>> I would expect dpkg -S to fail if those packages had been wrongly
>> removed (corrupting the dpkg database) but the pam and man files are
>> extremely unlikely to be the result of malware. The OP never responded
>> to my query about the other files that would have been installed - or
>> checked the installation history with dpkg --get-selections (it won't
>> show if purge was run, but then, those files would likely not be left).
>
> My guess is that this situation is the result of invoking:
> dpkg -X *deb /
>
> or, simply unpacking a tarball into /.
> But your guess is as good as mine.

Maybe, certainly my guesses as to the cause are similar... the tarball'd be tricky (debsums).

>
> What I cannot understand is how exactly removing a package would fix
> this issue if both apt and dpkg claim that the package is not installed.

*If* the package was legitimately installed - then its removal would ease Ha's concern. Though without understanding how it happened it's no less likely to happen again.
I haven't seen the result of checking the selections with dpkg. There are a couple of scenarios where the user/operator can damage the dpkg database - I'm not familiar with all of them.

>
>
>> It is possible[*1] vmtoolsd is a trojan - though that scenario means the
>> rest of its expected files would likely be there (and dpkg -S would
>> find it) - an md5sum is a simple way to check.
>
> If you browse this part of the thread up, you'll see that the OP did check
> the root filesystem with debsums, and debsums hasn't found anything.
> Therefore I agree that it's unlikely that vmtoolsd is malware.
>
>
>> Simply re-installing a system because someone "suspects" a security
>> breach - with zero evidence to support the suspicion, is not a good
>> idea.
>
> Agreed. That's why I wrote earlier that no reinstall is necessary.

Unfortunately the OP's editing combined with my free time limitations mean I'm not sure who said what - so that comment wasn't aimed at any particular participant in the thread. It's a convoluted thread and at present there are still three recent posts I haven't read.

>
>
>> By all means re-install from a known clean source - but first check
>> to see if the installation was legitimate (check package selections
>> status), check "suspect" file/s. Otherwise it confirms nothing and does
>> even less to help detect and defend against real malware.
>>
>> Always test when security is in doubt - but it's probably not a good
>> idea to rule out user error.
>
> Yet, there is another thing - the OP claims that he didn't install anything
> like this.

I'd hate to hold anyone responsible for their memory - AFAIK no one can remember what they don't remember (this is why we take notes and run script) - I can only assume their memory is complete. With other areas a guess/"instinct" may be good enough - with security I prefer proof.
Even if they didn't specifically install open-vm-tools it could well have been a dependency.

> Reco
>
>
-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/530c4542.6070...@gmail.com
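The md5sum-against-the-package-list check that the thread keeps coming back to (what debsums automates), as an added example that is not code from the thread or from Debian: a POSIX shell function that verifies files under a root directory against a dpkg-style `.md5sums` list. The file names and the demo tree are constructed; on a live system the real lists live in /var/lib/dpkg/info/<package>.md5sums and the root is /.

```shell
#!/bin/sh
# Verify files against a dpkg-style md5sums list ("<md5>  <relative path>" per line).
# Usage: check_md5sums ROOT LISTFILE
# Prints "MISSING path" or "MODIFIED path" for each problem found;
# returns 0 when every listed file is present and unchanged, 1 otherwise.
check_md5sums() {
    root=$1; list=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$list"
    return $bad
}

# Constructed demonstration tree; the paths are hypothetical, not real package data.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/usr/bin" "$demo_dir/usr/share/man/man1"
printf 'original binary\n' > "$demo_dir/usr/bin/vmtoolsd"
printf 'original man page\n' > "$demo_dir/usr/share/man/man1/vmtoolsd.1"
# Record what the "package" shipped, in the same format dpkg uses for .md5sums.
( cd "$demo_dir" && md5sum usr/bin/vmtoolsd usr/share/man/man1/vmtoolsd.1 ) \
    > "$demo_dir/demo.md5sums"

# Clean tree: every file matches its recorded checksum.
check_md5sums "$demo_dir" "$demo_dir/demo.md5sums" && echo "clean: all files match"

# Now alter one file and delete the other; the check reports both.
printf 'altered\n' >> "$demo_dir/usr/bin/vmtoolsd"
rm "$demo_dir/usr/share/man/man1/vmtoolsd.1"
check_md5sums "$demo_dir" "$demo_dir/demo.md5sums" || echo "tampered tree: problems found"
```

Note that, like debsums, this only proves a file matches what the package metadata says was shipped; a file that dpkg -S does not own at all never appears in any list, which is exactly why the thread asks for the selections and installation history as well.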