Apologies for conflating the Wireshark related "bug / broken package /
attack" comment with the bash issue.

Good luck resolving the issues.

-----Original Message-----
From: Miroslav Rovis [mailto:miro.ro...@croatiafidelis.hr] 
Sent: Sunday, May 07, 2017 09:42
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS instance

On 170505-22:40-0400, Bobby Kent wrote:
> Looks like there are two things that concern you.  Firstly, how bash 
> tab expansion appears to work (the ls, etc. commands executed when you 
> hit the tab key) on your system.  Secondly, the "bash: unexpected EOF 
> while looking for matching `)'bash: syntax error: unexpected end of 
> file" messages generated when a particular tab expansion fails.
> 
> Is that second issue generated by hitting tab at the end of the command:
> 
> ls -1d root_170430_g0n*.d
> 
> ?  If so, perhaps there's something unusual with the items that match 
> the pattern "root_170430_g0n*.d*" that results in the error ...
Well then there should have been something unusual with a plain rsync command
and simple directories in the link that I gave in the other email, as I said in
the mail to which the above is your reply, and which you quoted further
below...

> Regarding your diagnosis:
> 
> > That's a serious bug or a serious malfunction in my Gentoo, the 
> > latter being most likely...
> >
> > And if it is the latter, it can only be one or the other way. 
> > One: the cause is in some Gentoo package. 
> > Two: it is an attack by some unknown means.
> 
> Before declaring

But the whole paragraph originally, in the top of the thread (construing
citation):

> > Wireshark! Look at that! That's not a shadow. That's a serious bug 
> > or a serious malfunction in my Gentoo, the latter being most likely...

And also in the abridged email it is under:

> > Second issue
> > ============

So it refers to Wireshark only :)

So pls. note that the above is not declaring it such about Bash...

But I didn't modify the Bash completion. And esp. I would never modify it
to be sed'ing and awk'ing on my /etc/ssh/ssh_config. ;-)

... So the above *could* apply to Bash, if I had (which I didn't) written it
about Bash, but I would only word it to the level of suspicion. And
suspicion it remains...

> bug / broken package / attack, it might be an idea to see whether the 
> issue is reproducible, and under what circumstances.
> 
> Note, tab expansion can be modified (see, for example, 
> http://www.linuxjournal.com/content/more-using-bash-complete-command).

Which is a great link! Thanks! But again, while it could be some monkeys
from space (of that kind of monkeys that write Bibles and so invent God[2],
but these might be extraterrestrial monkeys, and maybe invisible, that can
reach with their hands into computers without anybody realizing...).

Oh, sorry for my irony. But this must have been something/someone with a
purpose, that the purpose had been a prank/denial/subversion/<other>...
There is no event that can materialize out of nothing and without a cause,
else physics and logic go to the dustbin. And the event was pretty complex in
this case. See below for the links to the script in action that I sent in
the other email.

And nobody expected that script to come to the fore. Thanks to Mr Linux[3],
grsecurity is not widespread, and not so well known, and not even the
shadows are familiar with all of its features. That script (in its action, I
don't know where it resided in my machine[4]) only came to the fore because
of the exec_logging feature of grsecurity-hardened kernel.

Only because I had exec_logging turned on in my grsecurity-hardened kernel,
I was able to show you the undeniable fact of what was executed at my
hitting the Tab at that particular five or so seconds period of time in my
real life.

I need to remind the readers here that Bobby maybe refers here to what I
gave in the other email, as I said I would (but the top posting that he
uses, along with my peculiar slow and clumsy style, makes it a bit of a
mess, sorry!). For my reference, see my quoted email further below, which I
otherwise cut shorter. 

And from that other email I'm construing the links that I gave as if it was
a reply, except for the links, I want them in the clear:
> > Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/

> > should make for some thinking...

> > It's in the logs
> > (
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/messages_170504_2155_g0n
> > [link is at bottom of page, under "messages_170504_2155_g0n"] ).
It has become more complicated. On top of lots of time spent in analysis of my
systems, I have had much difficulty connecting to the internet since I sent
and posted on grsecurity.net and sent my messages to gentoo-user some two
days ago...

E.g. this morning, the connection was abruptly cut after only some five
minutes. I was only able to receive new email and check a few links in
regard to which I hope replies will have shown up soon from now, but wasn't
even able to see the grsecurity.net topic about this issue that I opened two
days ago... and I don't even know if I received any replies
there:
( Tab (no exec) triggers script on Bash on grsec admin
https://forums.grsecurity.net/viewtopic.php?f=3&t=4700 ) ...
And I don't know if I will be able to...

First dhcpcd would crash on any attempt to run a bridge which I have run
without any issues for months now, witness all the pages and screencasts and
PCAPs at https://www.croatiafidelis.hr/foss/cap/
(
select by the timestamp, the later the better; I even got a really nice note
of appreciation from Devuan devs when my analysis helped them to fix a
trivial but urgent network issue on 2017-04-23 which timestamp I shorten to
170423 and so the link is:
BAD sig on Devuan ISO
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
)...

And since this morning even a plain one-Ethernet-device connection failed
without any segfaults to anything or any " denied " errors... (the bridge
would always get segfaults for dhcpcd).

Back to the script seen in its action only. I spent hours trying to figure
out what the lines of the script that does that should look like, but more
hours I would need to be able to reconstruct any. I saw those entries in awk
and I know sed that well, but it's more skills needed to reconstruct that
script... and to hopefully locate it in the system partition dump.

Thanks if anybody is able to better analyze those (and maybe help locate
it). So that it be quicker at hand, I attach a gzip'ed archive of
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/messages_170504_2155_g0n
messages_170504_2155_g0n.gz
to this email as well (it's just over 1K).

But I strongly believed it was a potential risk to keep running that system,
and what I did is, while completely offline, I thoroughly checked the frozen
clone and also the Air-Gapped (which only has the Wireshark inconsistency,
and never had this Tab-triggers-Bash-script in (grsecurity RBAC) role
admin).

And then I updated my Air-Gapped and cloned my for-online system from it. In
this system, [stop...] Haha! actually *only* in the software of this system,
there are no traces that would indicate any Tab-triggers-a-script behavior,
but I certainly don't know if anything was planted in my hardware... It's
not Open Hardware,[5] so even if I knew how to check firmware and stuff, I
couldn't check much of it, let alone all of it...

> -----Original Message-----
> From: Miroslav Rovis [mailto:miro.ro...@croatiafidelis.hr]
> Sent: Friday, May 05, 2017 01:02
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS 
> instance
> 
> Hi Bobby!
> 
> Pls. see also:
> 
> Tab (no exec) triggers script on Bash on grsec admin
> https://forums.grsecurity.net/viewtopic.php?f=3&t=4700
> 
> as well as the other email that I sent some 7 or so hours ago.
> 
> NOTE: if I'm away, it's because I'm a little worried... I'm afraid my 
> system may be vulnerable because of these issues. Patience pls.
> 
> (no more but only my sig in bottom)
> 
> On 170504-21:15-0400, Bobby Kent wrote:
> > Hi Miroslav,
> > 
> > Attempting to reproduce third issue:
> > 
> > # mkdir wibble1_1
> > # mkdir wibble2_1
> > # mkdir wibble3_1
> > # mkdir wibble4_1
> > # mkdir wibble5_1
> > # for d in wibble*_1 ; do mkdir $d/wobble ; done
> > # ls -1d wibble*_1
> > wibble1_1
> > wibble2_1
> > wibble3_1
> > wibble4_1
> > wibble5_1
> > 
> > Then hit tab after positioning cursor after the / below:
> > # for i in $(ls -1d wibble*_1/) ; do echo $i ; done
> > 
> > And the results are an attempt to autocomplete:
> > wibble1_1// wibble2_1// wibble3_1// wibble4_1// wibble5_1//
> > 
> > Perhaps the test oversimplified the issue, though maybe you could 
> > provide the simplest way to reproduce what you see.
> > 
> > Thanks.
I do get this normal behavior that you explain above in my Air-Gapped.
And generally in my cloned system. The erratic behavior that I caught a
revealing glimpse of was only ever happening in my clone that goes online.

> > -----Original Message-----
> > From: Miroslav Rovis [mailto:miro.ro...@croatiafidelis.hr]
> > Sent: Tuesday, May 02, 2017 10:13
> > To: gentoo-user@lists.gentoo.org
> > Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS 
> > instance
...
> > 
> > Third issue
> > ==========
...
> > > [[
> > > NOTE (before delayed sending): In fact, it is only this clone that 
> > > exhibits the above Bash malfunctioning. I just checked the same for 
> > > loop command (some six paragraphs above) in my Air-Gapped master 
> > > [1] (never any internet it sees,
> > The [1] is important for understanding, especially this Bash issue 
> > in my Gentoo instance.
> > Because in my Air-Gapped Gentoo instance that issue does not show at all.
Pls. also note the line just above. It is a strong indication, by science of
probability. Any real serious issues that I have had in years, most often
showed in the clone, but never in my Air-Gapped. Only the Wireshark issue
that I have makes for a singular exception... And that is why I first
thought, and wrote so, that I needed to rebuild my system... I still do, but
an Air-Gap rebuild is a longer time exercise...

And finally, my suspicion is still not a declaration of anything.

E.g. it was nice to find out what the reason was for the eix issue (the
"Fourth issue") from Martin Vaeth's reply, and I am sending in parallel
with this one another email to confirm on it, as that was a normal bug, and
also as it has been fixed in the meantime.

Who knows, maybe there is a rational explanation for that completion
triggering and sed'ing on /etc/ssh/ssh_config ... without monkeys from space
and without attacks by shadows or very badly broken packages...

Do show me if this is something in-the-ordinary, anybody, if you can!

...
> > > ---
> > > [1] My methods are still these:
> > > Air-Gapped Gentoo Install, Tentative 
> > > https://forums.gentoo.org/viewtopic-t-987268.html
> > > 
> > > and
> > > 
> > > Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
> > > https://forums.gentoo.org/viewtopic-t-999436.html#7613044
> > > 

---
[2] There was an experiment by the evolutionists who gave computers to
    monkeys, convinced that they would eventually, after be it a huge
    number of tries, start typing some sensible input into those and end
    up writing some, that those be trivial, messages of some kind, or at
    least some text that makes some sense whatsoever... Namely, they
    believe that humans came out of monkeys, during long periods of
    history... Alas, didn't happen...  Only excrements on those
    keyboards and monitors, and ruined equipment... There wasn't any
    kind of text that makes any kind of sense whatsoever. Sorry but I
    lost the source for this...

[3] Developer Raps Linux security
    http://www.crmbuyer.com/story/39565.html

[4] I will keep the frozen system for weeks from now. dd dumped as by
    the ...Bkp/Cloning Mthd... link given some 12 lines above. In case
    there would be something to find in there...

[5] Use old amd64 gentoo image on new amd64 hardware, possible?
    https://forums.gentoo.org/viewtopic-t-940916.html
    (the newer of the two systems, the Extreme4 MBO)

Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
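The thread turns on Bobby's point that Bash tab completion is programmable (a `complete -F` spec can hand completion of any command to a shell function) and on Miroslav's worry that such a function was doing sed and awk work on /etc/ssh/ssh_config. The script below is an added example from the editor, not code from either poster or from Gentoo: it takes the text of the two real Bash builtins `complete -p` (the registered specs) and `declare -f` (the function bodies), which an admin would capture with `complete -p > completions.txt; declare -f > functions.txt` on the machine under review, and reports every completion function that calls file-editing or network tools or touches a privileged config path. The `_ssh_hosts` function and all sample lines are constructed to exercise the checks; the tool list and path list are the editor's choices, not anything the thread documents.

```python
"""Audit Bash programmable-completion specs for side effects.

Added example (not from the gentoo-user thread). Input is the text of
`complete -p` and `declare -f` as captured on the host under review;
both samples below are constructed so the script runs offline.
"""
import re

# Constructed sample of `complete -p` output: two benign specs and one
# that routes completion for `ssh` through a function we will inspect.
SAMPLE_COMPLETE_P = """\
complete -o default -F _longopt ls
complete -F _ssh_hosts ssh
complete -o bashdefault -o default -F _root_completion sudo
"""

# Constructed sample of `declare -f` output (Bash prints "name () " then a
# brace-delimited body). `_ssh_hosts` is made up: a completion function
# that reads and edits /etc/ssh/ssh_config, which a completer never should.
SAMPLE_DECLARE_F = """\
_longopt () 
{ 
    COMPREPLY=($(compgen -W "--help --version" -- "${COMP_WORDS[COMP_CWORD]}"))
}
_ssh_hosts () 
{ 
    awk '/^Host / {print $2}' /etc/ssh/ssh_config > /tmp/.h;
    sed -i 's/^#Compression no/Compression yes/' /etc/ssh/ssh_config;
    COMPREPLY=($(compgen -W "$(cat /tmp/.h)" -- "${COMP_WORDS[COMP_CWORD]}"))
}
_root_completion () 
{ 
    COMPREPLY=($(compgen -c -- "${COMP_WORDS[COMP_CWORD]}"))
}
"""

COMPLETE_RE = re.compile(r"^complete\s+(?P<opts>.*?)\s*(?P<cmd>\S+)$")
FUNC_HEAD_RE = re.compile(r"^(?P<name>[A-Za-z_][\w.-]*) \(\)\s*$")
# Editor's list of tools a completion function has no reason to run:
# in-place editors, raw writers and network clients.
SUSPECT_TOOLS = re.compile(r"(?<![\w/-])(sed|awk|gawk|dd|tee|curl|wget|nc)(?![\w-])")
# Editor's list of paths a completer should never reference.
SUSPECT_PATHS = re.compile(r"/etc/ssh|/etc/passwd|/etc/shadow")


def parse_complete_p(text):
    """Map command -> completion function for every `-F name` spec."""
    spec = {}
    for line in text.splitlines():
        m = COMPLETE_RE.match(line.strip())
        if not m:
            continue
        f = re.search(r"-F\s+(\S+)", m.group("opts"))
        if f:
            spec[m.group("cmd")] = f.group(1)
    return spec


def parse_declare_f(text):
    """Map function name -> body text from `declare -f` output."""
    funcs, name, body = {}, None, []
    for line in text.splitlines():
        head = FUNC_HEAD_RE.match(line)
        if head:
            name, body = head.group("name"), []
            continue
        if name is None:
            continue
        if line == "}":          # declare -f closes a body with a bare brace
            funcs[name] = "\n".join(body)
            name = None
        else:
            body.append(line)
    return funcs


def audit(complete_p_text, declare_f_text):
    """Return {command: (function, [reasons])} for specs worth a closer look."""
    findings = {}
    funcs = parse_declare_f(declare_f_text)
    for cmd, fn in parse_complete_p(complete_p_text).items():
        body = funcs.get(fn)
        reasons = []
        if body is None:
            # bash-completion 2.x loads most completers lazily, so an
            # undefined name is only a hint: look it up under
            # /usr/share/bash-completion before reading anything into it.
            reasons.append("function not defined in snapshot")
        else:
            tools = sorted(set(SUSPECT_TOOLS.findall(body)))
            if tools:
                reasons.append("runs " + ", ".join(tools))
            if SUSPECT_PATHS.search(body):
                reasons.append("touches privileged config path")
            if re.search(r"\bsed\b[^\n]*\s-i\b", body):
                reasons.append("in-place edit (sed -i)")
        if reasons:
            findings[cmd] = (fn, reasons)
    return findings


if __name__ == "__main__":
    for cmd, (fn, why) in audit(SAMPLE_COMPLETE_P, SAMPLE_DECLARE_F).items():
        print(f"{cmd}: completion function {fn}: {'; '.join(why)}")
```

On a live system, feed the script the captured files and compare each flagged function body against the copy shipped by the bash-completion package (or by the package that owns it, via the package manager's file-ownership query) before drawing conclusions; a diff against the packaged file is far stronger evidence than the heuristics here, which only decide which of the hundreds of registered completers deserve a look.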