I have just seen that StrongSwan is installed and the service is enabled on my Raspberry Pi. But I have never used Strongswan before. Is there any way to research when it was installed? I just use the Raspi for OMV 5 with Portainer and various Docker containers. Should I be concerned that the package is installed without my active action?

EDIT:

I did some further investigation and found this commands in my .bash_history. This was approximately one year ago. Maybe I wanted to test something that I cannot remember. But interesting that despite those apt purge commands strongswan was still installed and running.

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins
sudo apt purge strongswan
sudo apt purge strongswan-pki
sudo apt purge libstrongswan-extra-plugins

  • CameronDev
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    1 year ago

    Take your device offline, asap.

    ls -l on the executables (you’ll have to find them yourself) will give the last modified time.

    If it’s logging to the journal, you can grep through that and find the first time it logged.

    If it truely is malicious, none of those will be trustworthy, as they can be changed by a malicious actor. If you can’t work out where it’s from, wipe and start over is probably the best bet.

    • Mia@feddit.deOP
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      The strongswan installation itself doesn’t seem to be malicous.

      It looks like these packages were installed via the apt repositories: strongswan-starter
      strongswan-libcharon
      strongswan-charon
      libstrongswan