
Re: What is the best free HIDS for Debian

On 10/05/2022 05:37, Vitaly Krasheninnikov wrote:

Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system.
In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M".
According to the description on your website, it means the modification of the file permissions, not the actual content.

Thanks a lot for clarifying this. I found the interpretation of the results of debcheckroot at https://www.elstel.org/debcheckroot/

On 06/05/2022 15:52, Elmar Stellnberger wrote:
Am 06.05.22 um 15:05 schrieb Sylvain Sécherre:
> Here's the fileserror.lis:
> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> ...

  I hope you won't mind that I am citing the output of debcheckroot you have given me. These three files point to an infection with a rootkit. Don't care about modified configuration files like in /etc too much (but you may still have a look at them). Executable files on the other hand must never be modified. If these three files are different it means that someone has altered your system. If you look at the man pages of these executables then you also know that a maker of a rootkit would have interest to modify exactly these files.

Since you are the author of the debcheckroot tool, why do you think that the G (group) and M (mode) flags indicate that the contents of the files were altered? Or did you make a mistake and forget what the output of debcheckroot actually means? If so, does this change your opinion that a rootkit is installed on this system?

Kind regards,
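The disagreement in this thread is whether a G/M flag means a changed file or only changed metadata. The added Python below (my own example, not part of debcheckroot or of anyone's message here) parses lines in the layout of the quoted fileserror.lis excerpt, separates entries whose flag letters are only G and M from anything else, and then settles the content question directly by hashing the file and comparing it with the md5 recorded in dpkg's `/var/lib/dpkg/info/<package>.md5sums`. Assumptions: that `.` and `_` in the flag column mean "unchanged" and that G and M are the only letters with a known meaning (both taken from the thread); the sample lines and sample file contents are constructed, and the `read_bytes` hook exists only so the logic can run without touching a real root filesystem.

```python
"""Triage debcheckroot-style fileserror.lis lines: tell metadata-only changes
(group/mode) apart from content changes, then confirm content against dpkg's md5sums."""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, List, Set

# Constructed sample in the layout of the fileserror.lis excerpt quoted in the thread:
# flags, path, package_version_arch, owner, group, mode.
SAMPLE_FILESERROR = """\
..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
"""

# Assumption: the thread explains only G (group) and M (mode). Any other letter is
# treated as unknown and escalated instead of guessed at.
METADATA_ONLY_FLAGS: Set[str] = {"G", "M"}


@dataclass
class Entry:
    flags: str
    path: str
    package: str
    owner: str
    group: str
    mode: str

    def changed(self) -> Set[str]:
        # Assumption: '.' and '_' are "no change" placeholders in the flag column.
        return {c for c in self.flags if c not in "._"}

    def metadata_only(self) -> bool:
        changed = self.changed()
        return bool(changed) and changed <= METADATA_ONLY_FLAGS


def parse_fileserror(text: str) -> List[Entry]:
    """Keep only well-formed six-column lines; skip the '...' continuation and blanks."""
    return [Entry(*parts) for parts in (ln.split() for ln in text.splitlines()) if len(parts) == 6]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse dpkg's <package>.md5sums format: '<md5hex>  <path without leading />'."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            table["/" + rel.strip()] = digest
    return table


def triage(entries: List[Entry], expected_md5: Dict[str, str],
           read_bytes: Callable[[str], bytes] = lambda p: Path(p).read_bytes()) -> Dict[str, str]:
    """Map each path to a verdict: content changed, metadata-only, unknown flag, or no record."""
    verdicts: Dict[str, str] = {}
    for e in entries:
        recorded = expected_md5.get(e.path)
        if recorded is None:
            verdicts[e.path] = "no md5 record: compare against the .deb before judging"
            continue
        letters = "".join(sorted(e.changed()))
        if md5_hex(read_bytes(e.path)) != recorded:
            verdicts[e.path] = "CONTENT differs from package: investigate"
        elif e.metadata_only():
            verdicts[e.path] = f"content intact; only {letters} (group/mode) differ"
        else:
            verdicts[e.path] = f"content intact; unknown flags {letters}: check the tool's docs"
    return verdicts


if __name__ == "__main__":
    # Constructed in-memory "filesystem": ssh-agent deliberately differs from its record.
    fake_fs = {"/usr/bin/crontab": b"crontab-bytes", "/usr/bin/pkexec": b"pkexec-bytes",
               "/usr/bin/ssh-agent": b"tampered"}
    md5sums_text = "\n".join(f"{md5_hex(b)}  {p.lstrip('/')}" for p, b in
                             [("/usr/bin/crontab", b"crontab-bytes"), ("/usr/bin/pkexec", b"pkexec-bytes"),
                              ("/usr/bin/ssh-agent", b"ssh-agent-bytes")])
    for path, verdict in triage(parse_fileserror(SAMPLE_FILESERROR), parse_md5sums(md5sums_text),
                                read_bytes=lambda p: fake_fs[p]).items():
        print(f"{path}: {verdict}")
```

Two caveats for real use. The md5sums files live on the same disk as the binaries, so whoever altered the binaries could have rewritten them; a clean result from this script is a first pass, and the confirmation is a comparison against the package files themselves from a trusted system, which is what the thread's "verifiable Debian system" point is about. And a mode change is not harmless just because the content is intact: pkexec is installed setuid root, so a mode difference on it (whether the bit was dropped or added) deserves its own look.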
