
Re: What is the best free HIDS for Debian



Sylvain,

I just wanna warn you that there is a hardware backdoor in x86 computers. Using that you won't see any manipulation; like from a fresh install. See: https://www.elstel.org/uni/ DualSat master thesis, Epilogue, point 6 (as far as I remember, or last point).

Also please don't re-send private emails like this one as new to debian-security. People will misinterpret your emails if they do not know the whole conversation.

Elmar

P.S.: If emailing does not work for you, you can call me via phone, usually on Tuesday, Wednesday and Thursday, but not this/next week; see elstel.org/Contact.html. FAX is also a possibility.


On 16.05.22 at 12:34, Elmar Stellnberger wrote:
Dear Sylvain

That does not expose any rootkit. It is of course possible that the rootkit had already been deinstalled when you ran the test. Basically if you have suspicion you would need to unplug any physical connection. You could run an update before if you think the rootkiter has no reason to suspect what you will do next. I have discovered my first rootkit by installing offline merely from DVD, without updates. Then I installed again on a plain media and compared file for file (with a program called dircmp that I have not published yet). Afterwards I decided to write debcheckroot and that time it made me discover some more rootkits which I had burnt on Blu-ray along with the good files/packages to save evidence.

Yours,
Elmar


On 16.05.22 at 11:38, Sylvain wrote:
Hello,

Here's the result of debcheckroot on an entirely fresh install of debian, without any access to the internet from a browser or a mail client. I only:
- ran "apt update" to test my internet connection
- copied files on a USB stick

Here's the fileserror.lis:

..._..M /usr/libexec/polkit-agent-helper-1 policykit-1_0.105-31+deb11u1_amd64 root root 755
..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
.._L... /usr/share/dict/words american-english wamerican_2019.10.06-1_all root root 777
..._.GM /usr/lib/dbus-1.0/dbus-daemon-launch-helper dbus_1.12.20-2_amd64 root root 755
_.C_... /var/lib/aspell/en-common.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en-variant_0.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en-variant_1.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en-variant_2.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en-w_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en-wo_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en.compat aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_AU-variant_0.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_AU-variant_1.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_AU-w_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_AU-wo_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_CA-variant_0.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_CA-variant_1.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_CA-w_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_CA-wo_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_GB-ise-w_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_GB-ise-wo_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_GB-ize-w_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_GB-ize-wo_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_GB-variant_0.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_GB-variant_1.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_US-w_accents-only.rws aspell-en_2018.04.16-0-1_all
_.C_... /var/lib/aspell/en_US-wo_accents-only.rws aspell-en_2018.04.16-0-1_all
..._..M /bin/fusermount fuse_2.9.9-5_amd64 root root 755
..._..M /bin/ntfs-3g ntfs-3g_1:2017.3.23AR.3-4+deb11u1_amd64 root root 755
_.._..M /etc/sudoers sudo_1.9.5p2-3_amd64 root root 644

Greetings,
Sylvain
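The file-for-file comparison of two installs that Elmar describes above, as an added example that is not dircmp, not debcheckroot and not code from this thread: it walks a reference tree and a suspect tree and reports differences in content, permission bits and ownership (the kinds of deviation the fileserror.lis listing shows). All function names and flag letters are my own, and the two sample trees are constructed in a temporary directory.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> tuple:
    """Content hash (symlinks: hash of the target string), permission bits, uid, gid."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        digest = hashlib.sha256(str(path.readlink()).encode()).hexdigest()
    elif stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
    else:
        digest = None  # devices, fifos, sockets: metadata only
    return digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid


def _index(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): _fingerprint(p)
            for p in root.rglob("*") if p.is_symlink() or not p.is_dir()}


def compare_trees(reference: Path, suspect: Path) -> list:
    """Return sorted (flags, path) pairs. Flags: '-' missing from suspect, '+' only in
    suspect, 'H' content differs, 'M' permission bits differ, 'O' owner differs."""
    ref, sus = _index(reference), _index(suspect)
    findings = []
    for rel in sorted(set(ref) | set(sus)):
        if rel not in sus or rel not in ref:
            findings.append(("-" if rel in ref else "+", rel))
            continue
        (h1, m1, u1, g1), (h2, m2, u2, g2) = ref[rel], sus[rel]
        flags = ("H" if h1 != h2 else "") + ("M" if m1 != m2 else "")
        flags += "O" if (u1, g1) != (u2, g2) else ""
        if flags:
            findings.append((flags, rel))
    return findings


def demo() -> list:
    """Constructed sample: a clean tree and a copy with a tampered binary, a setuid bit and an extra file."""
    base = Path(tempfile.mkdtemp())
    for name in ("clean", "suspect"):
        d = base / name / "usr" / "bin"
        d.mkdir(parents=True)
        for f, data in (("pkexec", b"original"), ("crontab", b"cron")):
            (d / f).write_bytes(data)
            (d / f).chmod(0o755)
    (d / "pkexec").write_bytes(b"tampered")  # d is now the suspect tree: content changed, mode kept
    (d / "crontab").chmod(0o4755)            # setuid bit added to an otherwise unchanged binary
    (d / "extra").write_bytes(b"new file")   # present only in the suspect tree
    return compare_trees(base / "clean", base / "suspect")
```

Run against two real installs as root (`compare_trees(Path("/mnt/clean"), Path("/mnt/suspect"))`) so that uid/gid and mode of every file are readable; on a live system, expect noise from logs, caches and machine-specific configuration that must be triaged by hand.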


