
Strange Behaviour: /acpi/handler.sh High Quantity Audit Log Activity

Strange behaviour which doesn't make sense to me.

In the example below, there is no activity in the log for the time I was getting coffee.
From 15:17, I went to order a new coffee, waited in line, then waited to pick up my coffee, and returned to my computer around 15:30, where the log begins recording /acpi/handler.sh activity again.

Does this mean the /acpi/handler.sh activity is occurring based on the use of the keyboard or USB mouse?
Why would /bin/sh trigger on keyboard or mouse activity? Keylogger?
This acpi/handler.sh did not occur on the SystemD distro.
/acpi/handler.sh activity begins even on a fresh install. Eh ~\_o[O_/~
Can /acpi/handler.sh be used to execute arbitrary commands?
Is this indicative of 629APT group infiltrating the heart of Linux?

----
type=PROCTITLE msg=audit(10/06/25 15:17:57.592:120442) : proctitle=/bin/sh -c /etc/acpi/handler.sh button/down DOWN 00000080 00000000 K
type=PATH msg=audit(10/06/25 15:17:57.592:120442) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=11560670 dev=103:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/06/25 15:17:57.592:120442) : item=1 name=/bin/bash inode=11535106 dev=103:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/06/25 15:17:57.592:120442) : item=0 name=/etc/acpi/handler.sh inode=15467157 dev=103:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=EXECVE msg=audit(10/06/25 15:17:57.592:120442) : argc=7 a0=/bin/bash a1=/etc/acpi/handler.sh a2=button/down a3=DOWN a4=00000080 a5=00000000 a6=K
type=SYSCALL msg=audit(10/06/25 15:17:57.592:120442) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55b80163ec90 a1=0x55b80163cd90 a2=0x55b80163ecd0 a3=0x8 items=3 ppid=1895 pid=21596 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=handler.sh exe=/usr/bin/bash key=susp_shell
----
type=PROCTITLE msg=audit(10/06/25 15:31:04.991:120768) : proctitle=/bin/sh -c /etc/acpi/handler.sh button/up UP 00000080 00000000 K
type=PATH msg=audit(10/06/25 15:31:04.991:120768) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=11560670 dev=103:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/06/25 15:31:04.991:120768) : item=0 name=/bin/sh inode=11535106 dev=103:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=EXECVE msg=audit(10/06/25 15:31:04.991:120768) : argc=3 a0=/bin/sh a1=-c a2=/etc/acpi/handler.sh button/up UP 00000080 00000000 K
type=SYSCALL msg=audit(10/06/25 15:31:04.991:120768) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55db9ce21810 a1=0x7ffdfc8fb2a0 a2=0x7ffdfc8fb9b0 a3=0x55db9ce21810 items=2 ppid=1895 pid=21646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash key=susp_shell
----
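Added here as a triage example for the audit records quoted in the post above; it is not the poster's code and not part of auditd or acpid. It parses `ausearch -i` style output (several record types sharing one `msg=audit(...)` serial), reconstructs the argv of each execve, and separates invocations that match the expected ACPI event handler from ones that deserve a look. It also measures idle stretches between events, which reproduces the 13-minute gap the poster describes. Two things are assumptions, not facts from the page: that pid 1895 (the `ppid` in both records) is the ACPI event daemon, which the poster would confirm with `ps -p 1895 -o comm=`, and that `/etc/acpi/handler.sh` is the only script that parent should ever launch. The sample data is the post's own records plus one constructed record (serial 120800) that runs a non-allowlisted script from another parent.

```python
"""Triage of audit execve records for shell-launched scripts (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# ASSUMPTION: pid 1895 (the ppid seen in the post) is the ACPI event daemon.
ACPID_PPID = 1895
# ASSUMPTION: the only script that parent is expected to run.
ALLOWED_HANDLERS = {"/etc/acpi/handler.sh"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

MSG_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records copied from the post (PATH records of the first event kept to show
# they are skipped), followed by one CONSTRUCTED record, serial 120800.
SAMPLE = """
type=PROCTITLE msg=audit(10/06/25 15:17:57.592:120442) : proctitle=/bin/sh -c /etc/acpi/handler.sh button/down DOWN 00000080 00000000 K
type=PATH msg=audit(10/06/25 15:17:57.592:120442) : item=0 name=/etc/acpi/handler.sh inode=15467157 dev=103:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=EXECVE msg=audit(10/06/25 15:17:57.592:120442) : argc=7 a0=/bin/bash a1=/etc/acpi/handler.sh a2=button/down a3=DOWN a4=00000080 a5=00000000 a6=K
type=SYSCALL msg=audit(10/06/25 15:17:57.592:120442) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55b80163ec90 a1=0x55b80163cd90 a2=0x55b80163ecd0 a3=0x8 items=3 ppid=1895 pid=21596 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=handler.sh exe=/usr/bin/bash key=susp_shell
----
type=PROCTITLE msg=audit(10/06/25 15:31:04.991:120768) : proctitle=/bin/sh -c /etc/acpi/handler.sh button/up UP 00000080 00000000 K
type=EXECVE msg=audit(10/06/25 15:31:04.991:120768) : argc=3 a0=/bin/sh a1=-c a2=/etc/acpi/handler.sh button/up UP 00000080 00000000 K
type=SYSCALL msg=audit(10/06/25 15:31:04.991:120768) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55db9ce21810 a1=0x7ffdfc8fb2a0 a2=0x7ffdfc8fb9b0 a3=0x55db9ce21810 items=2 ppid=1895 pid=21646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash key=susp_shell
----
type=PROCTITLE msg=audit(10/06/25 15:31:30.000:120800) : proctitle=/bin/sh -c /usr/local/bin/sync-notes.sh --quiet
type=EXECVE msg=audit(10/06/25 15:31:30.000:120800) : argc=3 a0=/bin/sh a1=-c a2=/usr/local/bin/sync-notes.sh --quiet
type=SYSCALL msg=audit(10/06/25 15:31:30.000:120800) : arch=x86_64 syscall=execve success=yes exit=0 items=2 ppid=2222 pid=21700 auid=1000 uid=root gid=root euid=root tty=(none) ses=3 comm=sh exe=/usr/bin/dash key=susp_shell
"""


def parse_execve(body):
    """Rebuild argv from an interpreted EXECVE record; aN values may contain
    spaces (e.g. the whole string passed to `sh -c`), so each value runs
    until the next ` a{N+1}=` marker rather than the next space."""
    argc = int(dict(KV_RE.findall(body))["argc"])
    argv, pos = [], 0
    for i in range(argc):
        start = body.index(f" a{i}=", pos) + len(f" a{i}=")
        end = body.find(f" a{i + 1}=", start) if i + 1 < argc else len(body)
        argv.append(body[start:end])
        pos = end
    return argv


def parse_audit(text):
    """Group records by audit serial into one event dict per execve."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # separators such as "----" and blank lines
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["serial"] = int(serial)
        ev["time"] = datetime.strptime(ts, "%m/%d/%y %H:%M:%S.%f")
        if rtype == "PROCTITLE":
            ev["proctitle"] = body[len("proctitle="):]
        elif rtype == "EXECVE":
            ev["argv"] = parse_execve(body)
        elif rtype == "SYSCALL":
            ev["syscall"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        # PATH and other record types are not needed for this triage
    return dict(events)


def script_path(argv):
    """Script a shell was asked to run, for both launch styles in the post:
    `bash script args...` and `sh -c "script args..."`."""
    if not argv or argv[0] not in SHELLS:
        return None
    if len(argv) >= 3 and argv[1] == "-c":
        words = argv[2].split()
        return words[0] if words else None
    if len(argv) >= 2 and not argv[1].startswith("-"):
        return argv[1]
    return None


def triage(events):
    """'expected' when an allowlisted handler is launched by the assumed
    ACPI daemon pid; anything else is 'review'."""
    verdicts = {}
    for serial, ev in events.items():
        sc = ev.get("syscall", {})
        path = script_path(ev.get("argv", []))
        ok = path in ALLOWED_HANDLERS and int(sc.get("ppid", -1)) == ACPID_PPID
        verdicts[serial] = "expected" if ok else "review"
    return verdicts


def quiet_gaps(events, min_seconds):
    """(start, end, seconds) for idle stretches between consecutive events."""
    times = sorted(ev["time"] for ev in events.values())
    return [(a, b, (b - a).total_seconds())
            for a, b in zip(times, times[1:])
            if (b - a).total_seconds() >= min_seconds]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE)
    for serial, verdict in sorted(triage(evs).items()):
        print(serial, verdict, evs[serial].get("proctitle"))
    for a, b, secs in quiet_gaps(evs, 60):
        print(f"no execve between {a.time()} and {b.time()} ({secs:.1f}s)")
```

Run against a real capture with `ausearch -i -k susp_shell | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; the verdicts only mean something once the two assumptions at the top are checked against the machine in question.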