
Re: What is the best free HIDS for Debian

On 09.05.22 at 13:34, tmc@vandradlabs.com.au wrote:

On 2022-05-09 18:04, Elmar Stellnberger wrote:
On 09.05.22 at 00:48, Tomasz Ciolek wrote:
5. Have we eliminated other causes of file mismatch - bad/incomplete
updates, corrupted HDD, bad RAM, user error?

  If exactly such files have been changed where there is reason to
manipulate them for a rootkit, then one shall assume unequivocally that
there is a rootkit installed. With bad RAM you get a system crash, and
with a physically bad hard disk you get filesystem errors on fsck,

Yes, bad cache RAM written to a hard disk can, at least in theory, result in corrupted files on disk. If you read what I have written, then you see my argument that the whole program would then have become unusable, which is not the case in our example. I also want to add that bad RAM causing only file corruption but no crash is very unlikely.

Not always true. I have experienced what looked like creeping file system corruption that was in the end tracked down to bad RAM. It only occurred under heavy load when RAM was over-utilised
and then swapped out.

As said, I don't really believe what you are telling here. In theory, non-ECC RAM can have errors, but these are very rare. Damaged RAM, on the other hand, is damaged independently of the system load, and it usually causes more severe/obvious effects. The probability that a corrupt RAM block affects only block data but no kernel data structures is not that high, as these tend to be interleaved.

none of which you get with a rootkit where only certain files have
been manipulated intentionally. A broken update could theoretically
result in a singleton file of half the size. Usually running programs

Again, I have seen bad/partial

An update can only leave a partial file that is a prefix of an original file, never a corrupted one. That is, if you read what I have told you. All modern Linux filesystems use journalling, and there will be no corruption as there possibly was on old Windows machines.

> I would want to see more information about what diagnostics were
> done before I cry rootkit.

You are one of the people who want to tell people that they are not infected by a rootkit when they obviously are. My recommendation for everyone is: take care not to trust such people! Besides this, I have asked Sylvain to collect more information, as this can still be interesting.
