[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What is the best free HIDS for Debian

Dear Elmar,

Thank you for your help. I really appreciate very much.

I thought a lot about your answer and I feel a bit tricky... I understand what you're writing but I don't know how to do this.

Do you think I can simply get rid of these rootkit? I've tried to move the file "crontab" in a safe place and then reinstall the package cron. The new "crontab" file seems to be the same as the previous since the md5 are equal, but debcheckroot still throws an error for it...



Le 06/05/2022 à 16:20, Elmar Stellnberger a écrit :
Dear Sylvain

The next thing I would do is create a timeline. Mount the partition with noatime so that access times are preserved as they are on new file operations and then let find output access, modification and creation time of all files. Look on when these three executables have been modified/created and then search back on what has happened at the earliest time right before the rootkit has been installed. Once I analysed a system of mine like this and found out that some suspicious files had been uploaded in the ~/.skype directory. If I remember back I think I had used vim for it but it should also be possible to use sth. like sort.


Reply to: