Re: What is the best free HIDS for Debian

To: debian-security <debian-security@lists.debian.org>
Subject: Re: What is the best free HIDS for Debian
From: Elmar Stellnberger <estellnb@elstel.org>
Date: Sun, 8 May 2022 17:11:24 +0200
Message-id: <[🔎] 460d5767-e758-c548-6d2a-caa005dd1ee9@elstel.org>
In-reply-to: <8135fc53-727b-4cf5-1811-8bbd521f395b@free.fr>
References: <[🔎] 62701ec7$0$18715$426a34cc@news.free.fr> <[🔎] 627260e6$0$24819$426a74cc@news.free.fr> <[🔎] 7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <[🔎] 42898050-0dea-3cfb-3462-0a58452182e5@elstel.org> <8135fc53-727b-4cf5-1811-8bbd521f395b@free.fr>

On 08.05.22 16:51, Sylvain Sécherre wrote:

I thought a lot about your answer and I feel a bit tricky... Iunderstand what you're writing but I don't know how to do this.
Do you think I can simply get rid of these rootkit? I've tried to movethe file "crontab" in a safe place and then reinstall the package cron.The new "crontab" file seems to be the same as the previous since themd5 are equal, but debcheckroot still throws an error for it...

Dear Sylvain

No, I don´t think you can get rid of the rootkit by reinstalling apackage. Usually rootkits are designed in a way that updating orreinstalling packages doesn´t damage the rootkit. The best thing to dois to reinstall new from scratch. In order to do this withoutcomplications I have an own home partition that I can register and reusewith /etc/fstab. If you don´t have that make a

cp -a /home /mnt/usbhdd/home

However that is not all you need to respect. Basically any infectedfile can cause the rootkit to get reinstalled on your computer. That canalso be the case for hidden files in your home directory like/home/sylvain/.*

  I always do it like this:

cd /home/sylvain
ls -lad .[^.]*
mkdir /mnt/usbhdd/hidden-quarantine
mv .[^.]* /mnt/usbhdd/hidden-quarantine


the .[^.]* - expression works like this:

* first match anything that starts with a dot (under Linux hidden filesstart with dots)* second match a character that is not a dot [^.]: This excludes ..which denotes the parent directory. This one should of course not be copied

* third match any from zero up to more characters: *

Make sure that you move away the hidden files before you copy yourhome directory back.Moving away hidden home directory files will also reset your Firefoxbookmarks and saved passwords. If you have progressed this far I cantell you how to reinstall them - and under normal circumstances reusinga database file should not cause a rootkit to reinstall. If you are verythorough you can export the bookmarks as html and write down all savedpasswords on a sheet of paper. You need to know however that getting ridof a rootkit with 100% certainty is hard since basically any binary filecan result in an attack vector.If you have progressed this far, sure I am going to continue to helpyou with setting up a new installation and rescuing bookmarks (at leastfor FF).


Kind Regards,
Elmar

Reply to:

References:
- What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Sylvain <ssecherre@free.fr>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: What is the best free HIDS for Debian
  - From: Elmar Stellnberger <estellnb@elstel.org>

Prev by Date: Re: What is the best free HIDS for Debian
Next by Date: Re: What is the best free HIDS for Debian
Previous by thread: Re: What is the best free HIDS for Debian
Next by thread: Re: What is the best free HIDS for Debian
Index(es):
- Date
- Thread