Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.security > #6103
| From | Elmar Stellnberger <estellnb@elstel.org> |
|---|---|
| Newsgroups | linux.debian.security |
| Subject | Re: What is the best free HIDS for Debian |
| Date | 2022-05-06 16:00 +0200 |
| Message-ID | <Ek6EV-dDUf-5@gated-at.bofh.it> (permalink) |
| References | <EiJ7H-cKEs-3@gated-at.bofh.it> <Ejlwl-d9mK-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Dear Sylvain Am 04.05.22 um 13:17 schrieb Sylvain: > I've just tried debcheckroot too. It throws error. I'll try to fix them. Am 06.05.22 um 15:05 schrieb Sylvain Sécherre: > Here's the fileserror.lis: > ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755 > ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755 > ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755 > ... I hope you won´t mind that I am citing the output of debcheckroot you have given me. These three files point to an infection with a rootkit. Don´t care about modified configuration files like in /etc too much (but you may still have a look at them). Executable files on the other hand must never be modified. If these three files are different it means that someone has altered your system. If you look at the man pages of these executables then you also know that a maker of a rootkit would have interest to modify exactly these files. > The file filesunverified.lis is very long, while pkgcorrupt.lis is empty. If you have updated your system some time ago and there are newer versions on the update server now then debcheckroot can certainly not find these packages any more. You could try to update your system and then verify again. Normally the rootkit will persist. However connecting your computer to a network may be detrimental since the rootkit owner may simply uninstall his rootkit once he knows that his malware has been discovered. I would at least save suspicious executables first and additionally the packages with known good of the same version. Regards, Elmar
Back to linux.debian.security | Previous | Next — Previous in thread | Next in thread | Find similar
What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-02 20:40 +0200
Re: What is the best free HIDS for Debian Hannes von Haugwitz <hannes@vonhaugwitz.com> - 2022-05-02 21:00 +0200
Re: What is the best free HIDS for Debian "Dave P." <dprowseus@gmail.com> - 2022-05-02 21:10 +0200
Re: What is the best free HIDS for Debian Gianluca Gabrielli <ggabrielli@suse.de> - 2022-05-02 21:10 +0200
Re: What is the best free HIDS for Debian "Darren S." <phatbuckett@gmail.com> - 2022-05-02 21:50 +0200
Re: What is the best free HIDS for Debian mlnl <mlnl@mailbox.org> - 2022-05-03 06:30 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-03 14:40 +0200
Re: What is the best free HIDS for Debian Jonathan Hutchins <hutchins@tarcanfel.org> - 2022-05-03 15:10 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-03 15:30 +0200
Re: What is the best free HIDS for Debian Marc Haber <mh+debian-security@zugschlus.de> - 2022-05-04 10:10 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-04 13:40 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:00 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:20 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-08 17:20 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:30 +0200
Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 20:50 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:50 +0200
Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:20 +0200
Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:50 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 00:30 +0200
Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 01:00 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 10:10 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 12:50 +0200
Re: What is the best free HIDS for Debian tmc@vandradlabs.com.au - 2022-05-09 13:40 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 14:00 +0200
Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 15:30 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:40 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-13 16:30 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-16 12:00 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-16 13:10 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-17 12:00 +0200
Re: What is the best free HIDS for Debian Vitaly Krasheninnikov <iam@krushik.ru> - 2022-05-10 05:40 +0200
Re: What is the best free HIDS for Debian Richard van den Berg <richard@vdberg.org> - 2022-05-10 08:40 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-11 17:50 +0200
csiph-web