brent saner via plug on 27 Dec 2022 12:05:28 -0800



Re: [PLUG] Possible Break in on Arch Linux Systems:


On Tue, Dec 27, 2022, 14:27 Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
That is the gpg key for your package manager.  I don't think that should change.  Try installing rkhunter and running "rkhunter --scan" as root.  It will tell you if other files may have been modified.

Thanks,

Michael 


Let's not make assumptions and jump to potential compromise unless we're familiar with the respective distro's internals.
 

On Tue, Dec 27, 2022, 1:44 PM LeRoy Cressy via plug <plug@lists.phillylinux.org> wrote:
I do a daily backup which checks for any changes in /etc and other
directories that should not change unless you have done a backup.  On
Christmas Day someone or something changed the following files:

/etc/pacman.d/gnupg/pubring.gpg
/etc/pacman.d/gnupg/pubring.gpg~
/etc/pacman.d/gnupg/pubring.gpg.tmp
/etc/pacman.d/gnupg/trustdb.gpg

I rebuilt my repositories with pacman -Syy
I reinstalled archlinux-keyring

I am familiar with the shenanigans of cups changing their /etc files
daily, but this is a first for me.

I'm posting this as a warning of a possible break-in on Arch Linux
systems.


LeRoy, this is normal and expected. I'm guessing you haven't done a full system update in a while?

$ systemctl cat archlinux-keyring-wkd-sync.timer
# /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
[Unit]
Description=Refresh existing PGP keys of archlinux-keyring regularly

[Timer]
OnCalendar=weekly
Persistent=true
RandomizedDelaySec=1week

[Install]
WantedBy=timers.target

It is part of Arch Linux system internals (the archlinux-keyring package itself).

$ pacman -Ql archlinux-keyring | grep -E '\.timer'
archlinux-keyring /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
archlinux-keyring /usr/lib/systemd/system/timers.target.wants/archlinux-keyring-wkd-sync.timer
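
Added example, not part of the original message: a triage script that checks whether the mtimes of the keyring files reported in the thread fall within a run of the sync service. It assumes the timer starts the same-named archlinux-keyring-wkd-sync.service (systemd's default when a timer sets no Unit=); the 120-second SLACK, the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: do keyring file mtimes line up with runs of the WKD sync service?
SLACK=${SLACK:-120}   # assumed tolerance in seconds, not a value from the thread
UNIT=archlinux-keyring-wkd-sync.service   # assumed: same-named unit the timer starts
FILES="/etc/pacman.d/gnupg/pubring.gpg /etc/pacman.d/gnupg/pubring.gpg~
/etc/pacman.d/gnupg/pubring.gpg.tmp /etc/pacman.d/gnupg/trustdb.gpg"

# classify JOURNAL MTIMES
#   JOURNAL: `journalctl -o short-unix` lines (first field is epoch seconds)
#   MTIMES:  "<epoch> <path>" lines as printed by `stat -c '%Y %n'`
# Prints "explained <path>" if the mtime is within SLACK seconds of any log
# line of the unit, else "UNEXPLAINED <path>". An empty journal explains nothing.
classify() {
    awk -v slack="$SLACK" '
        FILENAME == ARGV[1] {            # journal: keep timestamped lines only
            if ($1 ~ /^[0-9]+(\.[0-9]+)?$/) run[++n] = $1 + 0
            next
        }
        {                                # mtime list
            verdict = "UNEXPLAINED"
            for (i = 1; i <= n; i++) {
                d = $1 - run[i]; if (d < 0) d = -d
                if (d <= slack) { verdict = "explained"; break }
            }
            path = $0; sub(/^[0-9]+ /, "", path)
            print verdict, path
        }' "$1" "$2"
}

triage_live() {   # run as root on the affected host
    j=$(mktemp); m=$(mktemp)
    journalctl -u "$UNIT" -o short-unix --no-pager >"$j" 2>/dev/null || true
    stat -c '%Y %n' $FILES >"$m" 2>/dev/null || true
    classify "$j" "$m"; rm -f "$j" "$m"
}

demo() {   # constructed sample data, not taken from the thread
    j=$(mktemp); m=$(mktemp)
    printf '%s\n' "-- No entries --" \
        "1671955965.101 host systemd[1]: Starting $UNIT..." \
        "1671956010.502 host systemd[1]: $UNIT: Deactivated successfully." >"$j"
    printf '%s\n' '1671955990 /etc/pacman.d/gnupg/pubring.gpg' \
        '1671700000 /etc/pacman.d/gnupg/trustdb.gpg' >"$m"
    classify "$j" "$m"; rm -f "$j" "$m"
}

case "${1:-}" in --live) triage_live ;; --demo) demo ;; esac
```

An UNEXPLAINED result is a prompt to look further, not proof of tampering: upgrades of archlinux-keyring also rewrite these files through pacman-key, so compare the mtime against /var/log/pacman.log before drawing conclusions.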
 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug