[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What is the best free HIDS for Debian

Dear Vitaly

On 5/10/22 05:24, Vitaly Krasheninnikov wrote:
Hi Elmar,
Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system.
In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M".
According to the description on your website, it means the modification of the file permissions, not the actual content.
So while I truly consider the debcheckroot very useful, I think in this case it was a false positive due to the side effects of the postinst scripts of the relevant packages.

Thank you,

Thanks for pointing that out! I have not used the tool for long on my own, so that I forgot about the change indication marker letters. Of course there isn´t much you can say about the modified group and file permission of a file. See here what Sylvain Sécherre had written me in her original email:

On 5/6/22 15:05, Sylvain Sécherre wrote to estellnb@elstel.org,
(BCC possible):
> Hello Elmar,
> ...
> Here's the fileserror.lis:
> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> ..._..M /usr/libexec/polkit-agent-helper-1
> ...
> The file filesunverified.lis is very long, while pkgcorrupt.lis is empty.
> I ran debcheckroot on a possibly infected machine.
> Thank you for your help!
> Best regards,
> Sylvain

If debcheckroot was executed inside the infected root file system, then no wonder it can´t find anything. The rootkits I know, and I have discovered and burned several root kits on blue ray, have behaved like this: Inside the root infected executables compare ok against the pristine version, but not so outside the rootkit root when you have a fresh boot. The fact that group and file permissions of these executables have changed could at least be interpreted as suspicious though, since normally I´d truly believe there will be nobody who modifies that.


Reply to: