Hi friends,
I’m running raspbian on a raspberry pi. It’s great.
I often access my device over SSH from my phone. I have a long-running gnu screen session. Sometimes my shell becomes unresponsive for some time, which may be normal due to my poor wifi, but one time something weird happened.
My device was unresponsive for longer than usual, so I killed the SSH connection.
When I reconnected, my screen session looked like something like this:
$ <commands>
...
$ gpg -a --export $KEY | sudo apt-key add -
$ ctrl C
$ ctrl C
$ ctrl C
Most critically, the gpg command here is not something that I wrote. I can only guess that:
- I somehow executed something like
!13
, which expanded to something from my history - Somehow a cron process or similar wrote to my tty (?)
- I’ve been hacked
I executed this gpg command intentionally at some point in the past, so I think (1) is most likely, but…
Can anyone just help me relax by confirming that my device is probably fine, and a hacker would do much more interesting things than add gpg keys to apt, right?
My device is exposed to the internet, so hackery is definitely not out of the question.
Thanks in advance!
Why dont you check if the keys in apt are legit?
Here is my apt-key list:
$ apt-key list /etc/apt/trusted.gpg -------------------- pub rsa2048 2012-04-01 [SC] A0DA 38D0 D76E 8B5D 6388 7281 9165 938D 90FD DD2E uid [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com> sub rsa2048 2012-04-01 [E] pub rsa2048 2012-06-17 [SC] CF8A 1AF5 02A2 AA2D 763B AE7E 82B1 2992 7FA3 303E uid [ unknown] Raspberry Pi Archive Signing Key sub rsa2048 2012-06-17 [E] pub rsa4096 2017-02-22 [SCEA] 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88 uid [ unknown] Docker Release (CE deb) <docker@docker.com> sub rsa4096 2017-02-22 [S] pub rsa3072 2018-12-16 [SC] 4918 AABC 486C A052 358D 778D 4902 3CD0 1DE2 1A7B uid [ unknown] Jellyfin Team <team@jellyfin.org> sub rsa3072 2018-12-16 [E] pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20] E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98 uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> sub rsa4096 2017-05-22 [S] [expires: 2025-05-20] /etc/apt/trusted.gpg.d/microsoft.gpg ------------------------------------ pub rsa2048 2015-10-28 [SC] BC52 8686 B50D 79E3 39D3 721C EB3E 94AD BE12 29CF uid [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>
I don’t really know how to verify this stuff