Rich Mingin (PLUG) via plug on 27 Dec 2022 14:30:50 -0800
Re: [PLUG] Possible Break in on Arch Linux Systems:
No reason to suspect any attacks, updated regularly, functioning normally, compare:

[forge@yorktown internal]$ for i in $(ls /etc/pacman.d/gnupg/*.gpg); do sudo md5sum $i; done
203946f85ffe9896f8151f3e84c47bdc  /etc/pacman.d/gnupg/pubring.gpg
d41d8cd98f00b204e9800998ecf8427e  /etc/pacman.d/gnupg/secring.gpg
2f62ae2573041a0aa2faac9b76551f9e  /etc/pacman.d/gnupg/trustdb.gpg
[forge@yorktown internal]$ ls -lahtr /etc/pacman.d/gnupg/*.gpg
-rw------- 1 root root    0 Dec 17 14:25 /etc/pacman.d/gnupg/secring.gpg
-rw-r--r-- 1 root root 1.3M Dec 21 17:30 /etc/pacman.d/gnupg/pubring.gpg
-rw-r--r-- 1 root root  17K Dec 21 17:30 /etc/pacman.d/gnupg/trustdb.gpg
[forge@yorktown internal]$

Multiple releases of archlinux-keyring in the affected time period.

https://github.com/archlinux/svntogit-packages/commits/packages/archlinux-keyring/trunk

Seems normal. Good to be vigilant, but so far nothing to see here.

On Tue, Dec 27, 2022 at 3:10 PM Keith C. Perry via plug <plug@lists.phillylinux.org> wrote:
>
> I was just about to make a similar comment. I'm very rarely in my Arch partition and invariably I have to do keyring upgrades (and maybe some things I can't remember right now) before even pacman -Syy will work.
>
> Always good to be skeptical but I think for Arch this is normal fare.
>
>
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> Keith C. Perry, MS E.E.
> Managing Member, DAO Technologies LLC
> (O) +1.215.525.4165 x2033
> (M) +1.215.432.5167
> www.daotechnologies.com
>
> ________________________________
> From: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Tuesday, December 27, 2022 3:05:12 PM
> Subject: Re: [PLUG] Possible Break in on Arch Linux Systems:
>
> On Tue, Dec 27, 2022, 14:27 Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
>>
>> That is the gpg key for your package manager. I don't think that should change. Try installing rkhunter and running "rkhunter --scan" as root. It will tell you if other files may have been modified.
>>
>> Thanks,
>>
>> Michael
>
>
>
> Let's not make assumptions and jump to potential compromise unless we're familiar with the respective distro's internals.
>
>>
>>
>> On Tue, Dec 27, 2022, 1:44 PM LeRoy Cressy via plug <plug@lists.phillylinux.org> wrote:
>>>
>>> I do a daily backup which checks for any changes in /etc and other
>>> directories that should not change unless you have done a backup. On
>>> Christmas Day someone or something changed the following files:
>>>
>>> /etc/pacman.d/gnupg/pubring.gpg
>>> /etc/pacman.d/gnupg/pubring.gpg~
>>> /etc/pacman.d/gnupg/pubring.gpg.tmp
>>> /etc/pacman.d/gnupg/trustdb.gpg
>>>
>>> I rebuilt my repositories with pacman -Syy
>>> I reinstalled archlinux-keyring
>>>
>>> I am familiar with the shenanigans of cups changing their /etc files
>>> daily, but this is a first for me.
>>>
>>> I'm posting this as a warning of a possible break-in on Arch Linux
>>> systems.
>>>
>
> LeRoy, this is normal and expected. I'm guessing you haven't done a full system update in a while?
>
> $ systemctl cat archlinux-keyring-wkd-sync.timer
> # /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
> [Unit]
> Description=Refresh existing PGP keys of archlinux-keyring regularly
>
> [Timer]
> OnCalendar=weekly
> Persistent=true
> RandomizedDelaySec=1week
>
> [Install]
> WantedBy=timers.target
>
> It is part of Arch Linux system internals (the archlinux-keyring package itself).
>
> $ pacman -Ql archlinux-keyring | grep -E '\.timer'
> archlinux-keyring /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
> archlinux-keyring /usr/lib/systemd/system/timers.target.wants/archlinux-keyring-wkd-sync.timer
>
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
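Added example, not part of the thread and not Arch Linux tooling: a triage helper that checks whether a reported keyring change day is explained by an archlinux-keyring package transaction in pacman's log before treating it as suspicious. The sample log is constructed (versions are made up), and the function names and the service name in the comments are assumptions.

```shell
#!/bin/sh
# Triage for "files under /etc/pacman.d/gnupg changed": was there a
# keyring package transaction that day, or is the weekly refresh timer
# quoted in the thread the next thing to check?

# Constructed sample in pacman.log format; versions are invented.
sample_log() {
cat <<'EOF'
[2022-12-17T14:25:03-0500] [ALPM] upgraded archlinux-keyring (20221201-1 -> 20221213-1)
[2022-12-21T17:29:58-0500] [PACMAN] Running 'pacman -Syu'
[2022-12-21T17:30:11-0500] [ALPM] upgraded archlinux-keyring (20221213-1 -> 20221220-1)
[2022-12-21T17:30:12-0500] [ALPM-SCRIPTLET] ==> Updating trust database...
[2022-12-23T09:02:40-0500] [ALPM] upgraded cups (2.4.2-4 -> 2.4.2-5)
EOF
}

# Print archlinux-keyring transactions logged on DAY (YYYY-MM-DD).
# Reads pacman.log lines on stdin.
keyring_transactions() {
    day=$1
    awk -v day="$day" '
        index($1, "[" day "T") == 1 && $2 == "[ALPM]" &&
        ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") &&
        $4 == "archlinux-keyring" { print }'
}

# "pacman"      : a package transaction on that day explains the change.
# "check-timer" : nothing in pacman.log. Assumption: the timer's key
#                 refresh is not a package transaction, so look at its
#                 journal next, e.g.
#                 journalctl -u archlinux-keyring-wkd-sync.service
#                 (service name assumed to match the timer in the thread).
classify_change() {
    day=$1
    if [ -n "$(keyring_transactions "$day")" ]; then
        echo pacman
    else
        echo check-timer
    fi
}

# Demo on the constructed log: the Dec 21 mtimes and the Dec 25 report.
for d in 2022-12-21 2022-12-25; do
    printf '%s %s\n' "$d" "$(sample_log | classify_change "$d")"
done
```

On a real system, feed it the actual log: `classify_change 2022-12-25 < /var/log/pacman.log`.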