[plug] Q about my new computer
Alastair Irvine
alastair at plug.org.au
Sat Jun 17 02:39:45 AWST 2017
On Sat, 22 April, 2017 at 07:18:07PM +0800, Jude Cullity wrote:
[snip]
> The guy I bought my computer off, offered me a 3 month free phone help with
> my new Linux system. He said that if I had trouble, he could log onto my
> machine remotely and see what I was doing so he could help trouble shoot.
> Does this constitute a backdoor? How can I disable it?
Hi, Jude. I would say this constitutes a backdoor if no intervention by
you is required to enable access, as per what Rusty Ramser said.
I'm going to assume that the hardware vendor didn't install any rootkits
etc. or other means designed to obfuscate the backdoor (e.g. installing
a custom procps package or /bin/ps binary that filters output).
I'm also going to assume that they are somewhat trustworthy, i.e. if you
offer to pay them to remove the backdoor (and get written e-mails
agreeing to the price) then they have an incentive to do it. Or they
might do it for free if you ask.
Running "sudo ss -tulp" will show you if you have any open (i.e.
listening) TCP or UDP network ports, which would required for them to
"dial in" to your system. But first, check your ADSL router to see if
there are any port forwards because without these no-one can reach your
computer.
You have a couple of options for finding the backdoor, but they are far
from perfect. If you are running Debian or Ubuntu, you could look in
/var/log/dpkg.log to see if there are any packages that were installed
after installation. (Note: this file will have probably been rotated
into oblivion by now, so this method is pretty useless unless you have
backups.)
Or you could see if there is anything present in /opt or /usr/local that
looks likely. (Both of these directories should be more or less empty
unless you have put something there; packages only install to /usr/bin
etc.) However, files could have been installed anywhere and kick-
started by any number of means that are too numerous to describe here.
In my long experience with Debian, the only reliable way to see what
extra packages have been installed is to take a package list* from a
similarly-configured "vanilla" system and compare it with a package list
from your computer. Note that what you have installed can vary widely,
because even just installing a desktop environment will cause thousands
of optional packages to be installed. Also, how many DVDs you used when
you did the install can affect the number of packages, plus anything you
have installed yourself after the initial system setup.
* dpkg --get-selections > installed.dselect
Don't rely on a fresh cloud instance (e.g. AWS EC2 or Google Cloud
Platform) to obtain a "master list" of packages, as each cloud provider
will have come up with a "machine image" with their own subset of the
available packages installed. And there won't be a desktop environment.
Disclaimer: You can't fully trust a system unless your or a trustworthy
person installed it from scratch from verified install media. If you
suspect a system has been interfered with, there is no guaranteed way of
finding out what was done. As another list member said, a re-install is
the only sure way to get to a known-good system.
PS -- If the hardware vendor are running a business they have a legal
obligation to supply you with a warranty; if not, you could put
in a complaint with the ACCC.
More information about the plug
mailing list