
Re: What is the best free HIDS for Debian

Hi Sylvain

If you also care about the package selection you have installed, you may do a 'dpkg -l' or copy /var/lib/dpkg/status. Possibly I will write something to clean the status file from packages that were installed implicitly as dependencies. Under Mageia you can use urpmi_rpm-find-leaves for that. Possibly also ask at a Debian mailing list (and tell me about it).
  I also forgot that you should possibly do
cp -a /etc /media/usbdisk
to save the configuration files for later lookup. The /etc directory is not that big, and you can copy it.


On 08.05.22 17:15, Elmar Stellnberger wrote:
On 08.05.22 16:51, Sylvain Sécherre wrote:
I thought a lot about your answer and I feel a bit tricky... I understand what you're writing but I don't know how to do this.

Do you think I can simply get rid of this rootkit? I've tried to move the file "crontab" to a safe place and then reinstall the package cron. The new "crontab" file seems to be the same as the previous one, since the md5 sums are equal, but debcheckroot still throws an error for it...

Dear Sylvain

  No, I don't think you can get rid of the rootkit by reinstalling a package. Usually rootkits are designed in a way that updating or reinstalling packages doesn't damage the rootkit. The best thing to do is to reinstall from scratch. In order to do this without complications I have a separate home partition that I can register and reuse with /etc/fstab. If you don't have that, make a

 > cp -a /home /mnt/usbhdd/home

  However, that is not all you need to consider. Basically any infected file can cause the rootkit to get reinstalled on your computer. That can also be the case for hidden files in your home directory like /home/sylvain/.*
   I always do it like this:

 > cd /home/sylvain
 > ls -lad .[^.]*
 > mkdir /mnt/usbhdd/hidden-quarantine
 > mv .[^.]* /mnt/usbhdd/hidden-quarantine

The .[^.]* expression works like this:
* first, match anything that starts with a dot (under Linux hidden files start with dots): .
* second, match a character that is not a dot: [^.]. This excludes .., which denotes the parent directory. This one should of course not be copied.
* third, match any number of characters, from zero upwards: *

  Make sure that you move away the hidden files before you copy your home directory back. Moving away hidden home directory files will also reset your Firefox bookmarks and saved passwords. If you have progressed this far, I can tell you how to reinstall them - and under normal circumstances reusing a database file should not cause a rootkit to reinstall. If you are very thorough, you can export the bookmarks as HTML and write down all saved passwords on a sheet of paper. You need to know, however, that getting rid of a rootkit with 100% certainty is hard, since basically any binary file can become an attack vector. If you have progressed this far, I am of course going to continue to help you with setting up a new installation and rescuing bookmarks (at least for FF).

Kind Regards,
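The hidden-file quarantine step from the thread, written as an added example (this is not code from the mail or from debcheckroot): the portable glob pair `.[!.]* ..?*` does what the `.[^.]*` expression above does, but also catches names that begin with two dots, which `.[^.]*` silently skips, while still leaving `.` and `..` alone. The function also writes a manifest so the quarantined files can be looked up later without restoring them; the home and quarantine paths are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not code from the thread: move every hidden entry of a home
# directory into a quarantine directory on the rescue disk and record a
# manifest (type <TAB> name) for later lookup.
# ".[!.]*" matches .foo but not "." or ".."; "..?*" additionally matches names
# such as "..cache" that the plain .[^.]* glob from the mail would miss.
# Paths are placeholders: pass your own home directory and quarantine location.

quarantine_hidden() {
    home_dir=$1
    quarantine=$2
    mkdir -p "$quarantine" || return 1
    manifest="$quarantine/MANIFEST.txt"
    : > "$manifest"
    moved=0
    for entry in "$home_dir"/.[!.]* "$home_dir"/..?*; do
        # an unmatched glob is left literal by the shell; skip it
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # classify before moving; test -L first because -d follows symlinks
        if [ -L "$entry" ]; then kind=symlink
        elif [ -d "$entry" ]; then kind=directory
        else kind=file; fi
        printf '%s\t%s\n' "$kind" "$name" >> "$manifest"
        mv "$entry" "$quarantine/" || return 1
        moved=$((moved + 1))
    done
    # number of entries moved, so the caller can check nothing hidden remains
    echo "$moved"
}

# Count the hidden entries (dotfiles only, never "." or "..") left in a directory.
count_hidden() {
    n=0
    for entry in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}
```

Run it as `quarantine_hidden /home/sylvain /mnt/usbhdd/hidden-quarantine` after the `cp -a /home` step and before copying the home directory back; `count_hidden /home/sylvain` should then print 0.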
