[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What is the best free HIDS for Debian

On 2022-05-09 18:04, Elmar Stellnberger wrote:
Am 09.05.22 um 00:48 schrieb Tomasz Ciolek:
5. have we eliminated other causes of file mismatch - bad/incomplete
updates, corrupted HDD, bad RAM, user error ?

  If exactly such files have been changed where there is reason to
manipulate them for a rootkit then one shall assume unequivocally that
there is a rootkit installed. With bad RAM you get a system crash and
with a physically bad hard disk you get filesystem errors on fsck,

Not always true. I have experienced what looked like creeping file system corruption that was in the end tracked down to bad RAM. it only occred under heavy load when RAM was over-utilised
and then swapped out.

none of which you get with a rootkit where only certain files have
been manipulated intentionally. A broken update could theoretically
result in a singleton file of half the size. Usually running programs

again I have seen bad/partial

keep to use the old version of the file under Linux while newly issued
open operations on the same file name will use the file as replaced by
an update. A file of half the size would however result in an unusable
program, none of which you would usually observe with a rootkit.

I would want to see more info9rmationa botu what diagnostics were
done before I cry rootkit.

But if you wish to err on side of caution, backup your data and rebuild the box.
Then restore the data bit by bit avoiding executables.


Reply to: