Re: What is the best free HIDS for Debian
Dear Elmar,
Thank you for your help. I really appreciate it very much.
I thought a lot about your answer and I feel a bit tricky... I
understand what you're writing but I don't know how to do this.
Do you think I can simply get rid of this rootkit? I've tried to move
the file "crontab" to a safe place and then reinstall the package cron.
The new "crontab" file seems to be the same as the previous one since the
md5 sums are equal, but debcheckroot still throws an error for it...
Regards
Sylvain
On 06/05/2022 at 16:20, Elmar Stellnberger wrote:
Dear Sylvain
The next thing I would do is create a timeline. Mount the partition with
noatime so that access times are preserved as they are on new file
operations and then let find output the access, modification and creation
time of all files. Look at when these three executables have been
modified/created and then search back on what has happened at the
earliest time right before the rootkit was installed. Once I
analysed a system of mine like this and found out that some suspicious
files had been uploaded in the ~/.skype directory. If I remember back I
think I had used vim for it but it should also be possible to use something
like sort.
Regards
E.
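The timeline Elmar describes, as an added example (not code from either poster): the suspect partition is assumed to be mounted read-only at a path such as /mnt/suspect (`mount -o ro,noatime ...`), so nothing the analyst does updates the timestamps. GNU find's `-printf` emits mtime (`%T@`), ctime (`%C@`) and atime (`%A@`) as epoch seconds; note that `%C@` is the inode change time, not a true birth time, which ext4 only exposes via `stat -c %W` where supported. The function names (`build_timeline`, `render_timeline`, `events_before`) and the window parameter are this example's own.

```shell
#!/bin/sh
# Filesystem timeline from find(1) metadata; GNU find, sort, stat and date assumed.
# The suspect root should be mounted read-only (ro,noatime) before running this.

# build_timeline ROOT
# Emits one line per timestamp: "<epoch> <kind> <path>", where kind is
# M (mtime), C (ctime) or A (atime); sorted oldest first. -xdev keeps the walk
# on the suspect filesystem so bind/proc mounts are not mixed in.
build_timeline() {
    root="$1"
    find "$root" -xdev \( -type f -o -type l \) \
        -printf '%T@ M %p\n%C@ C %p\n%A@ A %p\n' 2>/dev/null \
    | sort -n -k1,1
}

# render_timeline ROOT
# Same timeline with ISO-8601 UTC timestamps, for reading with less/vim.
render_timeline() {
    build_timeline "$1" | while read -r ts kind path; do
        sec=${ts%.*}
        printf '%s %s %s\n' \
            "$(date -u -d "@$sec" +%Y-%m-%dT%H:%M:%SZ)" "$kind" "$path"
    done
}

# events_before ROOT TARGET [WINDOW_SECONDS]
# Lists every timestamp that falls in the WINDOW seconds (default 3600)
# leading up to TARGET's mtime: the "what happened right before the
# rootkit file was written" question from the thread.
events_before() {
    root="$1"; target="$2"; window="${3:-3600}"
    tmtime=$(stat -c %Y "$target")
    start=$((tmtime - window))
    build_timeline "$root" | awk -v start="$start" -v end="$tmtime" \
        '{ t = int($1) } t >= start && t <= end'
}

# Typical use (suspect filesystem mounted read-only, hypothetical paths):
#   render_timeline /mnt/suspect > /tmp/timeline.txt
#   events_before /mnt/suspect /mnt/suspect/usr/bin/crontab 86400
```

Read the rendered timeline backwards from the implanted binaries' M/C entries; a cluster of A entries on unrelated tools (compilers, wget, tar) or new files under a home directory just before that point is usually the intrusion's footprint. Ctime cannot be set from userspace, so an mtime far older than its ctime on the same file is itself a sign of timestamp tampering.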