Malware? Don’t jump to conclusions!

Tonight I had a bit of a scare thanks to jumping to conclusions from the first Google result.  I thought it might be a good idea to drop a reminder here to take a step back and remember that .bash_history is a thing.

While I was inspecting /etc/passwd on a new Ubuntu server to confirm a home directory, I noticed a new line at the bottom I had never seen.

uml-net:x:111:120::/nonexistent:/usr/sbin/nologin

What the heck is that?  Searching Google brought me to this:
https://askubuntu.com/questions/896040/why-do-syslog-and-uml-net-have-home-in-etc-passwd/896049, specifically https://askubuntu.com/a/1151118

Crap.  This was a relatively new install, did it already get owned?  I didn’t see any suspicious processes running or notice any slowdowns.  Do I need to re-image this machine?  How did it happen?  WHAT happened?

Running apt search uml confirmed it was actually installed.

Wait, did I install it myself?

A search in .bash_history revealed that yes, I installed it as a prerequisite while following the guide at https://github.com/kholia/OSX-KVM a few nights back.  False alarm.
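The triage order the post lands on (read the passwd entry, then look for package and shell-history evidence before assuming compromise) can be scripted. The helper below is an added example and is not the author's code: it takes paths to a passwd file, an apt history log and a shell history file so it runs against constructed samples; the package name uml-utilities, the sample log contents and the install command are assumptions, not taken from the post or from the OSX-KVM guide. A UID below 1000 with a nologin shell is how Debian/Ubuntu package maintainer scripts normally create service accounts, so the classification is a hint about where to look next, not proof of anything; an attacker can create an account that looks the same, which is why the function also asks for corroborating install evidence.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Classifies an /etc/passwd
# entry and looks for a matching package install in apt's history log and in
# the user's shell history. All input files used below are constructed samples.

classify_account() {
  # $1 = account name, $2 = path to a passwd-format file
  line=$(grep "^$1:" "$2") || { echo "absent"; return 0; }
  uid=$(printf '%s\n' "$line" | cut -d: -f3)
  shell=$(printf '%s\n' "$line" | cut -d: -f7)
  case "$shell" in
    /usr/sbin/nologin|/sbin/nologin|/bin/false) nologin=1 ;;
    *) nologin=0 ;;
  esac
  # Debian/Ubuntu system accounts: UID 100-999 and a non-interactive shell
  if [ "$uid" -lt 1000 ] && [ "$nologin" -eq 1 ]; then
    echo "system-account"
  else
    echo "interactive-account"
  fi
}

find_install_evidence() {
  # $1 = package name fragment, $2 = apt history log, $3 = shell history file
  # Prints how many of the two sources show a matching install (0, 1 or 2).
  hits=0
  grep -i "^Install:.*$1" "$2" >/dev/null 2>&1 && hits=$((hits + 1))
  grep -iE "apt(-get)? +install.*$1" "$3" >/dev/null 2>&1 && hits=$((hits + 1))
  echo "$hits"
}

make_samples() {
  # Writes constructed sample files into a temp directory and prints its path.
  d=$(mktemp -d)
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    'uml-net:x:111:120::/nonexistent:/usr/sbin/nologin' > "$d/passwd"
  # Format mirrors /var/log/apt/history.log; dates and versions are made up.
  printf '%s\n' \
    'Start-Date: 2020-05-10  21:14:02' \
    'Commandline: apt-get install -y qemu-system uml-utilities' \
    'Install: uml-utilities:amd64 (20070815.4-1)' \
    'End-Date: 2020-05-10  21:14:05' > "$d/apt-history.log"
  printf '%s\n' \
    'cat /etc/passwd' \
    'sudo apt-get install qemu-system uml-utilities' \
    'cat /etc/passwd' > "$d/bash_history"
  echo "$d"
}

# Stand-alone demo against the constructed samples
dir=$(make_samples)
echo "uml-net: $(classify_account uml-net "$dir/passwd")"
echo "install evidence for 'uml': $(find_install_evidence uml "$dir/apt-history.log" "$dir/bash_history") of 2 sources"
rm -rf "$dir"
```

On a real host the same functions would be pointed at /etc/passwd, /var/log/apt/history.log and ~/.bash_history; zero hits for an unexpected service account is the point at which a deeper look (package file ownership, creation time of the entry, other users' histories) is warranted.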
