Highly Suspected Compromised Solus ISO / Rootkits Post Fresh Install
Symptoms:
Opening files with other file contents and not changing to the current file being opened.
I have no idea what you mean by this
Dropping of browsers and downloads at random.
Surely poor wireless card drivers, DNS, or a bad connection can also cause this?
Core system files modified, containing ld.so.
An example file would go a long way toward addressing this concern. As well as a description of what you mean by modified.
RKHunter revealing a warning showing 3 possible rootkits
RKHunter is notorious for reporting false-positives. That's part of why they are marked as Warnings and not Found.
DataDrake Your passive-aggressive behavior is quite comical. What is your technical competency that's going to be necessary to help me resolve this issue?
I am literally the Technical Lead for Solus. So far you have demonstrated to me that you overestimate your own knowledge of Linux and computer security, you have absolutely no clue how to properly report security issues, and that you have no desire to show me or JoshStrobl the respect that is deserved for our years of service to Solus and in our current roles as leaders of the project. Put simply, you came into our house, uninvited, with wild accusations, and couldn't be bothered to provide thorough and complete evidence even when prompted.
Now you are insulting us over our rightful hostility towards this inflammatory post that was irresponsibly presented to us through an unsecure channel.
You are also insulting me without bothering to learn one iota of information about my background. It just so happens that I have done one variety of IT or another for over 15 years and have been using Linux for longer. I also happen to have both a BS and MS in Computer Engineering, with a Minor in Computer Science during my undergraduate studies. I have been with the Solus project since 2016. Our founder Ikey was convinced enough with my technical skills that I was asked to join the Core Team, our highest level of leadership, less than 6 months after my first contribution to the project.
Meanwhile, a quick waltz around the internet shows that you do some level of IT support, of which I am uncertain because a website for your company doesn't even show up in a Google search. You also appear to lack a LinkedIn, so I could not find any information about your technical background. What I could find was a series of references to your poor attitude and behavior in the comment sections of various YouTubers, and a series of videos from yourself which, in my own opinion, demonstrate poor respect for people who don't agree with your ideologies or assessments.
So forgive me if I have a hard time being pleasant in the face of all of this.
[deleted]
I have barely said a harsh word to you. I bit my tongue at the shocking lack of customer service skills shown here. I have been the consummate professional throughout. Respect is earned, and I've shown nothing but it to reasonable responses, of course, and even where I could have easily spoken in anger and off the cuff. I reported the issue directly from the forum after establishing my account. I have followed the guidelines.
I wasn't seeking a history of your accomplishments and credentials. I was only seeking a resolution to my problem and findings. I've been awfully nice and professional throughout discourse today and bit my tongue several times. Your team and yourself have been quite rude towards me from the onset of my posting.
If I came off a little direct, well, that's just me. I am direct, but I try not to be hateful or disrespectful towards anyone. Which video did you come across that made you think I was spewing hate and vitriol? I assure you I've never done so in any of my videos.
Actually, YouTube green-lighted me, based on my Google record, to have a lot of the benefits for a brand new channel that I'm not aware anyone has access to immediately. This must be due to my track record on YouTube. I've made an effort to watch how I respond, and if and when I do come off harshly I'm always sure to edit my comments and make sure I'm presenting myself in a professional tone.
I've made great efforts to protect my reputation online without hiring anyone. My LinkedIn profile being non-existent results from my opting out of the social network; it may or may not return, but likely not. I have my reasons.
Again, I'm sorry you feel this way. I am sorry for any negative way that I made you feel. I truly am, but I will say I have a completely different perception of what has occurred here today. I am sure that I must not be alone in my feelings.
[deleted]
With that said, dropping all the drama and personal feelings, let's get to resolving the issue at hand, shall we? You mentioned that my support request was submitted from an unsecured channel.
What channel would that be? I am sitting here speaking to you from an adequately secured wireless network on my laptop in my home office.
I only use secure channels. I would like to address that once I am more aware of what is showing on your end giving you the impression this is an unsecured channel.
[deleted]
DataDrake Notice I didn't order anything as I realize I don't have that authority. I stood up for myself and asked him to contribute to fix the issue or leave the discussion so that we can work on it.
It's fine, though, and I'll watch my tongue. I don't have any real issues with that so long as you guys try and be consistent.
Everyone has been rude to me so far except a few. If we can continue to resolve the issue I stated below, that would be great. Thanks for the warning and not acting prematurely.
If you stick with me through this I think you will be pleasantly surprised. Remember that I'm on team Solus OS. I don't want to regret that allegiance. This is an excellent project. I'll have my website up and running with a landing page soon.
[deleted]
DataDrake Now there we go. That's what I'm talking about. Why we could not have just responded like this from the onset I will never understand.
With that said, then, here is what I will do and I'll get back with you. I will change out the wireless router with a backup one that I have, supplied by my ISP. Then I will reconnect with you regarding this.
Furthermore, with the opening of the files and the file contents changing or reverting to a previously opened document, I mean that they are not showing the correct contents and LibreOffice opens them blank. FocusWriter shows the wrong content for the files that I opened. It's so weird, but I hope that makes sense.
I can get you a log file of RKHunter if you like, but it's for Peppermint OS. I wasn't able to get Sophos AV working in Solus OS due to the kernel modules not being compatible, or something similar dealing with the lack of kernel module support. I wanted to scan with it but I didn't ever get to, sadly.
Yes, I am finding that to definitely be the case with RKHunter myself. This all very well may just be due to faulty WiFi. Oddly enough, though, it's working now the best it has in several months since simply updating the wireless router's firmware. It's a TP-Link Archer C59 AC1200 wireless router.
[deleted] https://dev.getsol.us/maniphest/task/edit/form/3/ is the link on the Solus dev tracker to file security issues. These issues are not viewable by the public, unlike here on the forum where anyone can see it and potentially exploit a posted security concern.
In general, it is really bad practice to disclose security threats or vulnerabilities in the public space; most projects have a secure way of letting the project developers/maintainers know while still keeping it out of the public eye, reducing the chance for someone else to exploit the issue.
[deleted] I only use secure channels. I would like to address that once I am more aware of what is showing on your end giving you the impression this is an unsecured channel?
https://dev.getsol.us/maniphest/task/edit/form/3/ - A dedicated security reporting feature on our development tracker
I'm just curious why you're yet to provide proof of this alleged compromise. If you are so serious about security I would appreciate it if you can provide it ASAP. Our team has checked the ISOs already and found no issue. If you are truly serious about this I don't recommend posting further until you provide proof. Every comment you make without proof only solidifies the Fake News tag.
EbonJaeger Damn, I was too slow at typing.
[deleted]
Justin I don't have another machine available at the moment and I really want to test it as natively as possible. I had mentioned before that I thought I formatted the HDD with a write-all-zeros command. I'm not about to blow this perfectly good install away to prove this point.
I want it to be the same as last time. If I can find the parts in my reserve to put one together tonight, I will get back with you. Thanks for the link. I'll be sure to look into that. What baffles me is how on earth I am still being looked at like I'm in the wrong for a legitimate post. I will post no more after this point until I have proof.
If this is honestly how you treat people raising a security issue, it's not a good look. You guys are being very defensive. Allow me some time and I will see what I can do to reproduce the issue. I hope that I don't have the same issue. I truly hope it works fine.
[deleted] I am not sure how you've missed the point that has been explained several times: you have posted this in PUBLIC view, and this is not how security concerns should be raised. If you posted this accusation anywhere else, I'm sure you'd receive a very similar response.
Security reporting features are set up for a reason: to keep security issues private until a mitigation or patch can be implemented. Listing security issues publicly only serves one purpose, to allow potential attackers a guide on how to compromise systems.
I'm finding this entire thread to be incredibly disappointing. If you actually took security seriously, you would have substantiated your claims from the start and taken a moment to also determine the best way to communicate your concerns with us.
Both Justin and EbonJaeger have provided our dedicated security form, and it is absolutely trivial to look up the best way to get in touch with us privately; we have a dedicated section on our Help Center about it. Instead of a moment of research, you opted to post claims of rootkits in our ISOs, in public, providing no actual evidence alongside them. And when pressed for such evidence, it turns out it is solely a log for a tool which is known to give false positives and is only issuing warnings, not found rootkits (because there aren't rootkits in our ISOs).
Had you also taken the time to perform further research, as someone presumably caring to provide a comprehensive security report to us, you would have also independently verified the integrity and signed status of our ISOs. You did neither. Furthermore, you did no research into how eopkg actually provides hashes for packages (not ISOs, which you claimed as the primary issue here); otherwise you would have realized that, while there are always improvements to be made to eopkg for security, our current use of hashing within the individual packages and global index is sufficient to ensure the overall integrity of the packages being delivered to your system. You're also casually intermixing software and hardware issues in some obscure attempt to validate your claims, most (if not all) of which can likely easily be explained or reviewed by the appropriate upstream developers, including issues which you are encountering on completely different operating systems.
While I'm sure @DataDrake would be happy to look over whatever information you do eventually decide to provide, I do also want to respect the time and resources of the entire community. I'm incredibly disappointed in your behavior and how you have treated other members of this community, all of which are heavily invested in providing you a good end user experience, whether they are engaging with you on flarum, performing translations, filing bug reports, updating packages, etc.
Building on this, Bryan provided you the expectation that you abide by our Community Guidelines and not harass other members which are only attempting to listen to your claims and work with you to investigate them. Instead, you have continued such destructive behavior and language. This is behavior that is entirely not acceptable and you were provided a sufficient warning to correct it. Given your refusal to do so, I will be locking this post. Should your behavior continue in this manner or you opt to take the opportunity, with an account on our forums which is not suspended at this moment in time, to create subsequent posts about this matter, I will suspend your account as part of our constant upholding of our Community Guidelines.
You are encouraged to reach out to us through the appropriate channels (our Security Issues form template on our Development Tracker being the best way to do so) should you not find @DataDrake's responses and my investigation into the integrity of the ISOs to be sufficient.
Have a nice day.
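The independent check of an ISO's integrity and signed status mentioned above, as an added example that is not part of this thread or of Solus's own tooling. It assumes a published checksum file in the common "<hex digest>  <filename>" layout and, optionally, a detached signature on that file; the sample image data it builds is constructed, not a real Solus image.

```shell
# verify_iso IMAGE SUMFILE [SIGFILE]
# Returns 0 on match, 1 on checksum mismatch or bad signature, 2 on missing
# input, 3 if the image is not listed in SUMFILE or no sha256 tool exists.
verify_iso() {
  iso="$1"; sums="$2"; sig="${3:-}"
  [ -f "$iso" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }
  # A checksum file is only evidence if its origin is verified, so check the
  # detached signature on it first when one was supplied (assumes gpg and an
  # already-imported signing key).
  if [ -n "$sig" ]; then
    gpg --verify "$sig" "$sums" >/dev/null 2>&1 \
      || { echo "signature check on $sums FAILED" >&2; return 1; }
  fi
  name=$(basename "$iso")
  # Published lines look like "<hex digest>  <filename>"; match the name exactly.
  expected=$(awk -v n="$name" '$2 == n { print tolower($1); exit }' "$sums")
  [ -n "$expected" ] || { echo "$name not listed in $sums" >&2; return 3; }
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$iso" | awk '{ print tolower($1) }')
  elif command -v shasum >/dev/null 2>&1; then
    actual=$(shasum -a 256 "$iso" | awk '{ print tolower($1) }')
  else
    echo "no sha256 tool available" >&2; return 3
  fi
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name matches the published SHA256"; return 0
  fi
  echo "MISMATCH: $name (expected $expected, got $actual)" >&2; return 1
}

# make_sample_dir: constructed sample data (not a real image) so the check can
# be exercised offline; prints the directory it created.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'constructed image bytes\n' > "$d/sample.iso"
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$d" && sha256sum sample.iso > sample.iso.sha256sum)
  else
    (cd "$d" && shasum -a 256 sample.iso > sample.iso.sha256sum)
  fi
  mkdir "$d/tampered"
  printf 'constructed image bytes, altered\n' > "$d/tampered/sample.iso"
  echo "$d"
}

d=$(make_sample_dir)
verify_iso "$d/sample.iso" "$d/sample.iso.sha256sum"
verify_iso "$d/tampered/sample.iso" "$d/sample.iso.sha256sum" || true
rm -rf "$d"
```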
Necroing this locked thread to say that this user is now banned. Instead of following the proper, suggested procedure, they continued to spread inaccurate information (which they know to be inaccurate) across the Linux community.
It's frankly disgusting behavior and really speaks to the lack of professionalism by this individual. If you want a link to an example, click here and you are welcome to see both the chat inside the video for context, or the VOD chat on the right-hand side.