Debootstrap command in bash history!

Hi Guys,

I recently logged into (ssh) my WDMycloud device. What is odd is that when I ran ‘last’, it created the wtmpx file and therefore all previous  logins were not shown.

No problem I thought - I remembered that I received an email notifying me of a recent firmware upgrade and I cannot say for sure which changes have been made.

The other thing is that the root directory was empty and I thought I had knocked up a test perl script in there - but I could not say that with absolute certainty.

The .bash_history file was surprisingly short, but at the top had this command: ‘debootstrap/debootstrap --second-stage’, and also this: ‘cat /etc/apt/sources.list’.

In relation to the first command, I found this web page https://wiki.debian.org/Debootstrap that discussed that debootstrap is a tool which will install a Debian base system into a subdirectory of another, already installed system. It doesn’t require an installation CD, just access to a Debian repository.

The second command could be someone double checking that the access to the repository exists. The contents of sources.list are

WDMyCloud:~# cat /etc/apt/sources.list
deb http://ftp.us.debian.org/debian/ wheezy main
#deb http://ftp.us.debian.org/debian/ sid main
#deb http://ftp.us.debian.org/debian/ experimental main
#deb-src http://ftp.us.debian.org/debian/ wheezy main

So the wheezy repository is available.

I have double confirmed that my Virgin Hub does not allow ssh port forwarding - in fact it doesn’t allow any port forwarding, and in addition to that I do use strong passwords.

If my fear that I am sitting in a chrooted environment is correct, then this exploit is available to anyone that has turned on ssh.

This is a really long shot - but is it possible that this history fragment that contains the debootstrap command is an artifact from the factory build process ? I am not familiar with the Debian flavor of Linux and the MyCloud setup is customised.

My files remain intact and I have disconnected the device from the hub.

Thanks,

kbdguy.

The ENTIRE root partition is part of the firmware. So, yes, all those files are part of the packaging remnants when the firmware is packaged into a deb file.

Hi,

thanks so much for your reply.

You say “all those files” - what files do you mean? I wasn’t particularly concerned about any files, but rather this:

  1. debootstrap command being in the shell history.

  2. removal of the wtmpx last login history.

  3. cat /etc/apt/sources.list also being in my shell history - which definitely was not me.

I could go with the idea that Western Digital remotely run a “debootstrap” within a bash -c as part of its firmware upgrade scripts, but running a “cat /etc/apt/sources.list”?

Are you saying that I should not be concerned that these commands are in my history file - given that I did not run them, and that .wtmpx getting wiped is completely normal ?

thanks.

Yes.

If you want to feel better about it, go download the firmware file, unpack it to your PC, and look there – you’ll see the same information / files / histories.
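One way to do the comparison the reply suggests, as an added example that is not part of the thread and not Western Digital's tooling: a small POSIX shell script that lists the build-time leftovers in an unpacked firmware root tree (shell history, the debootstrap working directory, apt sources, wtmp), greps the history for the two commands quoted above, and compares each path against the live device by SHA-256. It assumes you have already unpacked the firmware's root filesystem into a directory (how to unpack the WD image is not covered here); the FW_ROOT and LIVE_ROOT variable names, the function names and the sample trees it builds when run without arguments are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from WD): check whether the history
# and log leftovers found on a device are the same ones shipped in the
# firmware image. FW_ROOT = unpacked firmware root, LIVE_ROOT = live root
# (e.g. "/" on the device, or a copied tree). Both names are assumptions.

# Paths a debootstrap-based build commonly leaves behind, relative to /.
LEFTOVER_PATHS="root/.bash_history debootstrap etc/apt/sources.list var/log/wtmp"

# Print each leftover path that exists under the given root, with its size.
list_build_leftovers() {
    root=$1
    for rel in $LEFTOVER_PATHS; do
        if [ -d "$root/$rel" ]; then
            printf '%s (dir)\n' "$rel"
        elif [ -f "$root/$rel" ]; then
            printf '%s %s bytes\n' "$rel" "$(wc -c < "$root/$rel" | tr -d ' ')"
        fi
    done
}

# Print history lines that look like build steps rather than user activity.
grep_build_history() {
    hist=$1
    [ -f "$hist" ] || return 1
    grep -E 'debootstrap|/etc/apt/sources\.list' "$hist"
}

# SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare one relative path between the firmware tree and the live tree.
# Prints "same", "differs", or "missing" (absent or not a regular file).
compare_path() {
    fw_root=$1; live_root=$2; rel=$3
    if [ ! -f "$fw_root/$rel" ] || [ ! -f "$live_root/$rel" ]; then
        echo missing; return 0
    fi
    if [ "$(hash_file "$fw_root/$rel")" = "$(hash_file "$live_root/$rel")" ]; then
        echo same
    else
        echo differs
    fi
}

# Constructed sample trees for the demo: the firmware copy carries the two
# history lines quoted in the thread and an empty wtmp; the "live" copy has
# the same history but a wtmp that was rewritten after a login.
make_sample_roots() {
    base=$(mktemp -d)
    mkdir -p "$base/fw/root" "$base/fw/debootstrap" "$base/fw/etc/apt" "$base/fw/var/log"
    mkdir -p "$base/live/root" "$base/live/etc/apt" "$base/live/var/log"
    printf 'debootstrap/debootstrap --second-stage\ncat /etc/apt/sources.list\n' \
        > "$base/fw/root/.bash_history"
    cp "$base/fw/root/.bash_history" "$base/live/root/.bash_history"
    printf 'deb http://ftp.us.debian.org/debian/ wheezy main\n' > "$base/fw/etc/apt/sources.list"
    cp "$base/fw/etc/apt/sources.list" "$base/live/etc/apt/sources.list"
    : > "$base/fw/var/log/wtmp"
    printf 'login-record' > "$base/live/var/log/wtmp"
    echo "$base"
}

# Demo: use FW_ROOT/LIVE_ROOT if set, otherwise the constructed sample trees.
demo=""
if [ -z "$FW_ROOT" ] || [ -z "$LIVE_ROOT" ]; then
    demo=$(make_sample_roots); FW_ROOT=$demo/fw; LIVE_ROOT=$demo/live
fi
echo "== leftovers in firmware tree"; list_build_leftovers "$FW_ROOT"
echo "== build-looking history lines"; grep_build_history "$FW_ROOT/root/.bash_history" || true
echo "== firmware vs live"
for rel in $LEFTOVER_PATHS; do
    echo "$rel: $(compare_path "$FW_ROOT" "$LIVE_ROOT" "$rel")"
done
if [ -n "$demo" ]; then rm -rf "$demo"; fi
```

Run it as `FW_ROOT=/path/to/unpacked LIVE_ROOT=/ sh check.sh` on the device, or against a copied tree on your PC. A history file that hashes "same" as the one in the image is exactly the packaging remnant the reply describes; a "differs" on the history, or history lines that are not in the image at all, is what would actually deserve a closer look. The wtmp comparison is expected to say "differs", since any login after unpacking rewrites it.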

thanks again.