Re: What is the best free HIDS for Debian

I think if you have a root kit it is very unlikely to get rid of it without backing up and reimaging but you may be able to achieve it if you try first rkhunter and second apparmor which is similar to selinux which was developed by the nsa and made accessible as a Red Hat package. Both solutions have the ability to limit what root can do and is your only real option for saving a rooted system. It is important that if you try this that you dump your memory rkunter picks up a memory anomaly. Fileless malware is popular among sophisticated threat actors and rkhunter is equipped to find malware that resides in memory. Apparmor is included in Debian.

Thanks,

Michael Lazin

On Sun, May 8, 2022 at 11:18 AM Sylvain <ssecherre@free.fr> wrote:

Dear Elmar,

Thank you for your help. I really appreciate very much.

I thought a lot about your answer and I feel a bit tricky... I
understand what you're writing but I don't know how to do this.

Do you think I can simply get rid of these rootkit? I've tried to move
the file "crontab" in a safe place and then reinstall the package cron.
The new "crontab" file seems to be the same as the previous since the
md5 are equal, but debcheckroot still throws an error for it...

Regards

Sylvain

Le 06/05/2022 à 16:20, Elmar Stellnberger a écrit :
> Dear Sylvain
>
> The next thing I would do is create a timeline. Mount the partition with
> noatime so that access times are preserved as they are on new file
> operations and then let find output access, modification and creation
> time of all files. Look on when these three executables have been
> modified/created and then search back on what has happened at the
> earliest time right before the rootkit has been installed. Once I
> analysed a system of mine like this and found out that some suspicious
> files had been uploaded in the ~/.skype directory. If I remember back I
> think I had used vim for it but it should also be possible to use sth.
> like sort.
>
> Regards
> E.