On Sun, Apr 16, 2023 at 02:19:34PM +0200, Jesper Dybdal wrote:
> The Windows machine had an ssh connection to the Debian machine (using
> PuTTY), logged in as root on the Debian machine.
> I then went for a walk with the dog, leaving the ssh session running.
> When I came back, I wanted to re-issue some command to the ssh session, so I
> pressed up-arrow a few times.
>
> And there in the bash history were 4 lines that I had not written :-(

I would initially ask "who else lives with you"....

> I am certain that nobody had been in my apartment while I was gone. And even
> if they had, nobody with a key to my apartment would dream of writing things
> like the 4 lines that I found in the history file.
>
> The 4 lines were:
>
> md5users
>
> sp md5users
>
> sp /x/md5users
>
> ps /x/md5users
>
> There is no file named "md5users" or directory named "/x" or command named
> "sp" on the Debian machine.

This certainly sounds like someone walking up to your machine and typing the commands. Did you see the commands within the PuTTY session, or were they *only* in the shell history?

> * Is it probable that somebody can remote control one or both machines? Do
> those 4 lines ring a bell? What are they all about?

If someone did this with remote access, it would have to be access to the Windows machine. Nothing that could be done to the Debian machine would affect the in-memory shell history of a running instance of bash. Even writing to the /root/.bash_history file wouldn't cause the PuTTY session's bash to read those lines into its in-memory history. At least, not without a heavily altered bash history configuration. (Have you altered root's bash history configuration on that Debian system? If so, how?)

Those commands look like nonsense to me. However, the fact that they're evolving from line to line looks like someone was trying to "get it right", and failing to do so. Again, it looks like something that was typed by an (ignorant) human. However, I can't even guess what the intent was.

I tried googling "ps /x/md5users" and even "md5users" and got no useful results. So, it doesn't look like a known malware worm. Also, one would think that a malware worm would simply issue the desired command the first time, and not have to fumble around trying to type it correctly.
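An added example (not code from the thread) illustrating the point about in-memory history made above: it starts a throwaway bash, appends a constructed line to that shell's history file behind its back, and shows that the shell's own history list only picks the line up when something explicitly re-reads the file, which is what an altered configuration (e.g. a PROMPT_COMMAND running `history -r`) would do. The function name, the "reread" flag and the sample lines are constructed for this demonstration.

```shell
# Prints the in-memory history of a fresh, throwaway bash as one
# comma-separated line. Pass "reread" to simulate an altered history
# configuration that re-reads the history file; pass anything else for
# the normal behaviour, where the file is never re-read while running.
history_after_external_write() {
  bash --norc --noprofile -c '
    unset HISTTIMEFORMAT HISTCONTROL HISTIGNORE HISTSIZE  # neutral settings
    HISTFILE=$(mktemp)                      # private, empty history file
    history -c                              # start from an empty in-memory list
    history -s "uptime"                     # the one command the user typed
    printf "%s\n" "md5users" >> "$HISTFILE" # constructed edit of the file on disk
    if [ "$1" = reread ]; then
      history -r                            # only an altered setup does this
    fi
    history | sed "s/^ *[0-9]* *//" | paste -s -d ","
    rm -f "$HISTFILE"
  ' demo "$1"
}
```

With the default configuration the external line never shows up in the running shell, so lines that appear at the up-arrow in a live session were entered through that session, not planted in the file.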