Re: What is the best free HIDS for Debian

[Elmar Stellnberger <estellnb@elstel.org>]

Hi Sylvain

  If you also care about the package selection you have installed you 
may do a 'dpkg -l' or copy /var/lib/dpkg/status. Possibly I will write 
something to clean the status file from packages that will be installed 
implicitly as dependency. Under Mageia you can use urpmi_rpm-find-leaves 
for that. Possibly also ask at a Debian mailing list (and tell me about it).
  I also forgot that you should possibly
> cp -a /etc /media/usbdisk
  to save configuration files for later lookup. The /etc directory is 
not that big and you can copy it.

Elmar


On 08.05.22 17:15, Elmar Stellnberger wrote:
> On 08.05.22 16:51, Sylvain Sécherre wrote:
> > I thought a lot about your answer and I feel a bit tricky... I 
> > understand what you're writing but I don't know how to do this.
> >
> > Do you think I can simply get rid of these rootkit? I've tried to move 
> > the file "crontab" in a safe place and then reinstall the package 
> > cron. The new "crontab" file seems to be the same as the previous 
> > since the md5 are equal, but debcheckroot still throws an error for it...
> Dear Sylvain
>
>    No, I don´t think you can get rid of the rootkit by reinstalling a 
> package. Usually rootkits are designed in a way that updating or 
> reinstalling packages doesn´t damage the rootkit. The best thing to do 
> is to reinstall new from scratch. In order to do this without 
> complications I have an own home partition that I can register and reuse 
> with /etc/fstab. If you don´t have that make a
>
>  > cp -a /home /mnt/usbhdd/home
>
>    However that is not all you need to respect. Basically any infected 
> file can cause the rootkit to get reinstalled on your computer. That can 
> also be the case for hidden files in your home directory like 
> /home/sylvain/.*
>    I always do it like this:
>
>  > cd /home/sylvain
>  > ls -lad .[^.]*
>  > mkdir /mnt/usbhdd/hidden-quarantine
>  > mv .[^.]* /mnt/usbhdd/hidden-quarantine
>
> the .[^.]* - expression works like this:
> * first match anything that starts with a dot (under Linux hidden files 
> start with dots)
> * second match a character that is not a dot [^.]: This excludes .. 
> which denotes the parent directory. This one should of course not be copied
> * third match any from zero up to more characters: *
>
>    Make sure that you move away the hidden files before you copy your 
> home directory back.
>    Moving away hidden home directory files will also reset your Firefox 
> bookmarks and saved passwords. If you have progressed this far I can 
> tell you how to reinstall them - and under normal circumstances reusing 
> a database file should not cause a rootkit to reinstall. If you are very 
> thorough you can export the bookmarks as html and write down all saved 
> passwords on a sheet of paper. You need to know however that getting rid 
> of a rootkit with 100% certainty is hard since basically any binary file 
> can result in an attack vector.
>    If you have progressed this far, sure I am going to continue to help 
> you with setting up a new installation and rescuing bookmarks (at least 
> for FF).
>
> Kind Regards,
> Elmar