Hi friends,

I’m running raspbian on a raspberry pi. It’s great.

I often access my device over SSH from my phone. I have a long-running gnu screen session. Sometimes my shell becomes unresponsive for some time, which may be normal due to my poor wifi, but one time something weird happened.

My device was unresponsive for longer than usual, so I killed the SSH connection.

When I reconnected, my screen session looked like something like this:

$ <commands>
...
$ gpg -a --export $KEY | sudo apt-key add -
$ ctrl C
$ ctrl C
$ ctrl C

Most critically, the gpg command here is not something that I wrote. I can only guess that:

  1. I somehow executed something like !13, which expanded to something from my history
  2. Somehow a cron process or similar wrote to my tty (?)
  3. I’ve been hacked

I executed this gpg command intentionally at some point in the past, so I think (1) is most likely, but…

Can anyone just help me relax by confirming that my device is probably fine, and a hacker would do much more interesting things than add gpg keys to apt, right?

My device is exposed to the internet, so hackery is definitely not out of the question.

Thanks in advance!

  • nutomicA
    link
    fedilink
    arrow-up
    2
    ·
    4 years ago

    Why dont you check if the keys in apt are legit?

    • Cokemonkey11OP
      link
      fedilink
      arrow-up
      1
      ·
      4 years ago

      Here is my apt-key list:

      $ apt-key  list
      /etc/apt/trusted.gpg
      --------------------
      pub   rsa2048 2012-04-01 [SC]
            A0DA 38D0 D76E 8B5D 6388  7281 9165 938D 90FD DD2E
      uid           [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>
      sub   rsa2048 2012-04-01 [E]
      
      pub   rsa2048 2012-06-17 [SC]
            CF8A 1AF5 02A2 AA2D 763B  AE7E 82B1 2992 7FA3 303E
      uid           [ unknown] Raspberry Pi Archive Signing Key
      sub   rsa2048 2012-06-17 [E]
      
      pub   rsa4096 2017-02-22 [SCEA]
            9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
      uid           [ unknown] Docker Release (CE deb) <docker@docker.com>
      sub   rsa4096 2017-02-22 [S]
      
      pub   rsa3072 2018-12-16 [SC]
            4918 AABC 486C A052 358D  778D 4902 3CD0 1DE2 1A7B
      uid           [ unknown] Jellyfin Team <team@jellyfin.org>
      sub   rsa3072 2018-12-16 [E]
      
      pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
            E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
      uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
      sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
      
      /etc/apt/trusted.gpg.d/microsoft.gpg
      ------------------------------------
      pub   rsa2048 2015-10-28 [SC]
            BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
      uid           [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>
      

      I don’t really know how to verify this stuff