.bashrc changed


I updated my system and saw this line:
This fight is against the spoiled EDUCATION SYSTEM and EXAMINATION SYSTEM of the country, which has put the future of crores of youth of the country at stake, which will continue until we improve all these things

Well considering crores is an Indian term, and the state of the education system and the examination system and the corruption and cheating that occurs in it, they have a point.

Other than that, I have no idea why you’re getting that message, other than you’ve added something that’s been got or someone has modified something to make a political statement, like that guy who was the maintainer of node-ipc and added peacenotwar malware to it.

These are the updates

If you repost the terminal output as pre-formatted text instead of an image, others who encounter the message will find it with web searches. It is possible the message was added upstream in a way that only displays in certain conditions (geographic location, network, WiFi regions, etc.). If you can’t reproduce the text, just the list of packages and the message text should be enough.

1 Like

I think I have seen some tweets, and maybe part of it was copied and pasted here, but I did not do this; maybe a bug which pasted that sentence.
Thanks

Can you check your .bashrc for anything strange?

1 Like

Yes, I find this line in my bashrc

Wtf is that?

Did you give your laptop to your friend? Did someone else tinker with it?
Also, please upload your bashrc.

1 Like

Looks like you’ve installed, or copy / pasted something from somewhere that has added that message to your .bashrc. If it is something you’ve installed, it’s like the node-ipc issue I mentioned above and you can hope that they haven’t also included some sort of malicious malware with it. If it’s copy and pasted, it might be found in your .bash_history which you can open with nano or gnome-text-editor or kwrite depending on your DE and search for the string in the history.

If it is from something you installed, go through your .bash_history from when it appeared and look at the things you were installing in and around the time it started to appear. Then with a process of elimination you can look at the packages, the dependencies and try and find what might have included it.
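One way to run the search described in the post above, as an added example that is not part of the thread. The function names, the list of files checked, the optional `ETC_DIR` argument and the banner text in the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reports where NEEDLE occurs in bash
# startup and history files, and which lines set the prompt.
# Usage: scan_shell_files NEEDLE HOME_DIR [ETC_DIR]   (ETC_DIR defaults to /etc)
scan_shell_files() {
    ssf_needle=$1; ssf_home=$2; ssf_etc=${3:-/etc}; ssf_found=1
    for ssf_f in "$ssf_home"/.bashrc "$ssf_home"/.bash_profile \
                 "$ssf_home"/.bash_login "$ssf_home"/.profile \
                 "$ssf_home"/.bashrc.d/* "$ssf_home"/.bash_history \
                 "$ssf_etc"/bashrc "$ssf_etc"/profile "$ssf_etc"/profile.d/*.sh
    do
        [ -f "$ssf_f" ] || continue   # also skips globs that matched nothing
        # -F: NEEDLE is literal text, not a regex; -Hn: file name and line number
        ssf_hits=$(grep -HnF -e "$ssf_needle" "$ssf_f" || true)
        if [ -n "$ssf_hits" ]; then
            ssf_found=0
            printf '%s\n' "$ssf_hits" | sed 's/^/match: /'
            # The modification time can be lined up with package installs
            # and history entries (date -r FILE: GNU and BusyBox date).
            printf 'mtime: %s %s\n' "$ssf_f" \
                "$(date -r "$ssf_f" '+%Y-%m-%d %H:%M:%S')"
        fi
        # The thread traced the message to a PS1 assignment, so list every
        # line that sets the prompt or a command run before each prompt.
        grep -HnE '^[[:space:]]*(export[[:space:]]+)?(PS1|PROMPT_COMMAND)=' \
            "$ssf_f" | sed 's/^/prompt: /'
    done
    return "$ssf_found"   # 0 if NEEDLE was found anywhere, 1 otherwise
}

# Constructed sample home directory, to show the output format offline.
demo_scan() {
    ds_dir=$(mktemp -d)
    printf '%s\n' '# .bashrc' 'alias ll="ls -l"' \
        'export PS1="CONSTRUCTED BANNER TEXT "' > "$ds_dir/.bashrc"
    printf '%s\n' 'sudo dnf upgrade' > "$ds_dir/.bash_history"
    scan_shell_files 'BANNER TEXT' "$ds_dir" "$ds_dir/etc"
    rm -rf "$ds_dir"
}
```

On a real system the call would be `scan_shell_files 'EXAMINATION SYSTEM' "$HOME"`; a hit in `.bash_history` means the line was typed or pasted into a terminal.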

Posting the statement as text may bring additional reports that would help understand how it got into your .bashrc. I used the tesseract:

This fight is against the spoiled EDUCATION SYSTEM and EXAMINATION SYSTEM of the country, which has put the future of crores of youth of the country at stake, which will continue until we improve all these things

I also tried a web search for this text. As I’m in Canada, all the hits were related to the sorry history of residential schools here until I limited the search to India, where there were many hits related to India’s education system but the only match is this topic.

We talked already once about “html injection” while pressing a download button with the april-fool from Rick-Astley. This showed that without any special rights the .bashrc could be changed.

I know English isn’t your first language and most of the time I can understand what you’re trying to say, but I’ve tried reading this several times and I don’t understand what you’re trying to say at all.

The old thread was solved in the first answer, but somehow still produced a long discussion.

1 Like

Aaah, ok gotcha.

Perhaps my interpretation of that thread is incorrect, but I understand that it is claiming that it is possible to change the contents of the local ~/.bashrc through a “fake download button” that executes a server-side script, and that is not possible.

I understand that this does not need to be explained, and I am explaining it for people who do not have technical knowledge, but that PHP code would be executed on the server providing it and not on the local computer accessing the website and clicking on the “fake download button”.

Yes, however it changes the local .bashrc, in clear-text it modifies the PS1 variable. Somehow the user has clicked on a link and shortly afterwards in the same Terminal instance made an update. When using sudo it started a new instance and at the end of the update it displayed the modified PS1 variable.

To change the .bashrc file you do not need sudo, because it is a config file of the logged-in user!

Again, user has chosen a wrong title!

Not fedora got hacked, the user simply was not checking the link before clicking on it.
Normally we do that while hovering over a link in the browser. Then in the lower left corner the URL gets displayed. If this link brings you to something other than what is declared on the link, like .zip .rar etc, you can be sure that you run a server side script which can do such changes as described above.

@frankjunior please check your browser history at the time or shortly before you made the update (see the screenshot you posted). I am sure you will find a hint on which page you infected/changed your .bashrc. Then complain there with the web-admin to remove it.

As long as it is just the PS1 variable which got changed, this incident is not dangerous. It is the Command-line prompt which got changed.

like:

export PS1="This fight is against the spoiled EDUCATION SYSTEM and EXAMINATION SYSTEM of the country, which has put the future of crores of youth of the country at stake, which will continue until we improve all these things "

Based on the answer above I will change the title.
It is ugly now, when I search the message you got displayed, your topic pops up on first place.

I must insist that it is impossible for a PHP script (or any server-side code) to run on your PC (the server-side script is not sent to your browser at all). If this were possible, imagine how easy it would be for any web developer to execute malicious code on your PC.

The StackOverflow link you referenced shows a way to edit the .bashrc file hosted on the server, via PHP.

<!-- Filename: index.php -->

<?php
// PHP code is not sent to your browser.
// This code is executed on the server running the PHP process.
if (isset($_GET['run'])) {
  # This code will run if ?run=true is set.
  exec("/path/to/name.sh");
}
?>

<!-- This is HTML and therefore is sent to your browser -->
<!-- This link will add ?run=true to your URL, myfilename.php?run=true -->
<a href="?run=true">Click Me!</a>

If you still want to insist on the theory that, without user interaction, the .bashrc file was modified through a “fake download button”, then I can only think of an exploit (which I don’t think is likely).

1 Like

Do you use an ad block or not?

I agree with you.

It’s much more likely they copy and pasted some sort of instruction to run in a terminal.
And by much more, I mean infinitely more likely.

The internet is still riddled with download and install instructions that boil down to wget or curl commandlines that pipe output directly into bash.

We can’t seem to break that bad habit. And while individual upstream projects that offer those downloads may be trustable… the problem is they help create a culture that trains unsuspecting enthusiastic users to trust that as a pattern to install things from almost any website offering interesting software applications.

3 Likes

Furthermore, perhaps they were victims of something like this: http://thejh.net/misc/website-terminal-copy-paste.

I agree with you. It is dangerous for users to execute things like curl https://<something> | bash (especially because the content of the script may be different, for example if your user agent is curl’s).

Regarding what was mentioned about PHP and the server-side script, if anyone has any questions, you can verify it with a small test lab in a podman container.

podman run -it --rm -p 8080:8080 php:8.2-cli bash

# Inside the container
cd /var/www/html/
echo '<?php if (isset($_GET["run"])) exec("echo \# Fedora >> /root/.bashrc"); ?> <a href="?run=true">Click Me!</a>' > index.php
php -S 0.0.0.0:8080

(I apologize for insisting on this, but I just want to make the situation regarding PHP very clear so that we can avoid any future readers getting the wrong idea.)

2 Likes
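The two posts above point out that a script piped from curl into bash may not be the script you looked at. The following is an added example, not part of the thread, of the alternative: save the download, check it against a checksum obtained separately, and run only the bytes that were checked. The function names and the existence of a pinned checksum are assumptions; in the demonstration two constructed local files stand in for the differing server responses.

```sh
#!/bin/sh
# Added example, not from the thread: run a downloaded installer only if the
# saved bytes match a checksum obtained separately (hypothetical pin).

# fetch_script URL OUT_FILE: save to disk instead of piping into a shell.
fetch_script() {
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 --output "$2" "$1"
}

# verify_script FILE EXPECTED_SHA256: succeed only if the file matches the pin.
verify_script() {
    vs_actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$vs_actual" != "$2" ]; then
        printf 'refusing %s: sha256 %s does not match pinned %s\n' \
            "$1" "$vs_actual" "$2" >&2
        return 1
    fi
}

# run_verified FILE EXPECTED_SHA256: execute exactly the bytes that were checked.
run_verified() {
    verify_script "$1" "$2" && sh "$1"
}

# Constructed demonstration: two local files stand in for what a server
# might send to a browser and to curl.
demo_pinned_run() {
    dp_dir=$(mktemp -d)
    printf '%s\n' 'echo "installer reviewed in the browser"' > "$dp_dir/reviewed.sh"
    printf '%s\n' 'echo "different body served to curl"' > "$dp_dir/served.sh"
    dp_pin=$(sha256sum "$dp_dir/reviewed.sh" | cut -d' ' -f1)
    run_verified "$dp_dir/reviewed.sh" "$dp_pin"            # matches: runs
    run_verified "$dp_dir/served.sh" "$dp_pin" 2>/dev/null \
        || echo "served.sh blocked"                          # mismatch: refused
    rm -rf "$dp_dir"
}
```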