Debootstrap command in bash history!

Hi Guys,

I recently logged into (ssh) my WDMycloud device. What is odd is that when I ran ‘last’, it created the wtmpx file and therefore all previous  logins were not shown.

No problem I thought - I remembered that I recieved an email notifying me of a recent firmware upgrade and I cannot say for sure which changes has been made.

The other thing is that the root directory was empty and I thought I had knocked up a test perl script in there - but I could not say that with absolute certainty.

The .bash_history file was suprisingly short, but at the top had this command : ‘debootstrap/debootstrap --second-stage’, and also this ‘cat /etc/apt/sources.list’.

With relation to the first command, I found this web page that discussed that debootstrap is a tool which will install a Debian base system into a subdirectory of another, already installed system. It doesn’t require an installation CD, just access to a Debian repository.

The second command could be someone double checking that the access to the repository exists. The contents of sources.list are

WDMyCloud:~# cat /etc/apt/sources.list
deb wheezy main
#deb sid main
#deb experimental main
#deb-src wheezy main

So the wheezy repository is available.

I have double confirmed that my Virgin Hub does not allow ssh port forwarding - in fact it doesnt allow any port forwarding, and in addition to that I do use strong passwords.

If my fear that I am sitting in a chrooted environment is correct, then this exploit is available to anyone that has turned on ssh.

This is a really long shot - but is it possible that this history fragment that contains the debootstrap command is an artifact from the factory build process ? I am not familiar with the Debian flavor of Linux and the MyCloud setup is customised.

My files remain intact and I have disconnected the device from the hub.



The ENTIRE root partition is part of the firmware. So, yes, all those files are part of the packaging remnants when the firmware is packaged into a deb file.


thanks so much for your reply.

You say “all those files”  - what files do you mean - I wasnt particularly concerned about any files, but rather this :

  1. debootstrap command being in the shell history.

  2. removal of the wtmpx last login history.

  3. cat /etc/apt/sources.list also being in my shell history - which definitely was not me.

I could go with the idea that the Western Digital remotely run a “debootstrap” within a bash -c as part

of its firmware upgrade scripts, but running a “cat /etc/apt/sources.list” ?

Are you saying that I should not be concerned that these commands are in my history file - given that I did not run them, and that .wtmpx getting wiped is completely normal ?



If you want to feel better about it, go download the firmware file, unpack it to your PC, and look there – you’ll see the same information / files / histories.

thanks again.