


Re: What is the best free HIDS for Debian

From Elmar Stellnberger <estellnb@elstel.org>
Newsgroups linux.debian.security
Subject Re: What is the best free HIDS for Debian
Date 2022-05-08 20:30 +0200
Message-ID <EkTPj-e92s-13@gated-at.bofh.it> (permalink)
References <EiJ7H-cKEs-3@gated-at.bofh.it> <Ejlwl-d9mK-1@gated-at.bofh.it> <Ek6EV-dDUf-5@gated-at.bofh.it> <Ek6Yh-dEgS-3@gated-at.bofh.it> <EkTPj-e92s-15@gated-at.bofh.it>
Organization linux.* mail to news gateway



On 08.05.22 16:51, Sylvain Sécherre wrote:
> I thought a lot about your answer and I feel a bit tricky... I 
> understand what you're writing but I don't know how to do this.
> 
> Do you think I can simply get rid of this rootkit? I've tried to move
> the file "crontab" to a safe place and then reinstall the package cron.
> The new "crontab" file seems to be the same as the previous one, since the
> md5 sums are equal, but debcheckroot still throws an error for it...
> 
Dear Sylvain

   No, I don't think you can get rid of the rootkit by reinstalling a 
package. Usually rootkits are designed in a way that updating or 
reinstalling packages doesn't damage the rootkit. The best thing to do 
is to reinstall from scratch. In order to do this without 
complications I have my own home partition that I can register and reuse 
with /etc/fstab. If you don't have that, make a

> cp -a /home /mnt/usbhdd/home

   However, that is not all you need to keep in mind. Basically any infected 
file can cause the rootkit to get reinstalled on your computer. That can 
also be the case for hidden files in your home directory like 
/home/sylvain/.*
   I always do it like this:

> cd /home/sylvain
> ls -lad .[^.]*
> mkdir /mnt/usbhdd/hidden-quarantine
> mv .[^.]* /mnt/usbhdd/hidden-quarantine

the .[^.]* expression works like this:
* first, match anything that starts with a dot (under Linux hidden files 
start with dots)
* second, match a character that is not a dot, [^.]: this excludes .. 
which denotes the parent directory. This one should of course not be copied
* third, match zero or more further characters: *

   Make sure that you move away the hidden files before you copy your 
home directory back.
   Moving away the hidden home directory files will also reset your Firefox 
bookmarks and saved passwords. If you have progressed this far, I can 
tell you how to restore them - and under normal circumstances reusing 
a database file should not cause a rootkit to reinstall. If you are very 
thorough you can export the bookmarks as HTML and write down all saved 
passwords on a sheet of paper. You need to know however that getting rid 
of a rootkit with 100% certainty is hard, since basically any binary file 
can be an attack vector.
   If you have progressed this far, I will surely continue to help 
you with setting up a new installation and rescuing bookmarks (at least 
for FF).

Kind Regards,
Elmar
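The quarantine step above, as an added example that is not part of Elmar's post: a small POSIX shell script that moves every dot-entry out of a home directory into a quarantine directory. It uses find instead of the .[^.]* glob, because that glob deliberately skips names whose second character is a dot, so a file or directory named like ..hidden (a name attackers use precisely because it hides well in ls output) would be left behind and copied back with the rest of the home directory. The directory paths, the function names and the sample files created in the demo are assumptions for this illustration only.

```shell
#!/bin/sh
# Added example, not code from the original post.
# quarantine_dotfiles SRC DEST: move every entry directly under SRC whose
# name starts with a dot into DEST (created if missing).
#  - find never lists "." or ".." as entries, so nothing excludes the
#    parent directory and ..hidden-style names are still caught;
#  - -mindepth 1 keeps SRC itself out of the result;
#  - -maxdepth 1 moves dot-directories (e.g. .mozilla) whole instead of
#    descending into them.
quarantine_dotfiles() {
    src="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    find "$src" -mindepth 1 -maxdepth 1 -name '.*' \
        -exec mv -- {} "$dest"/ \;
}

# count_dotentries DIR: number of hidden entries directly under DIR,
# used to check the result of a quarantine run.
count_dotentries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | wc -l | tr -d ' '
}

# demo: build a constructed home directory under a temporary path and
# quarantine it, so the script can be tried without touching a real /home.
demo() {
    tmp=$(mktemp -d) || return 1
    home="$tmp/home/sylvain"
    quar="$tmp/usbhdd/hidden-quarantine"
    mkdir -p "$home/.mozilla/firefox" "$home/Documents"
    printf 'user_pref("browser.startup.page", 1);\n' \
        > "$home/.mozilla/firefox/prefs.js"      # constructed sample
    printf 'export EDITOR=vi\n' > "$home/.bashrc"  # constructed sample
    : > "$home/..hidden"            # missed by the .[^.]* glob
    : > "$home/Documents/report.odt"  # visible file, must stay put

    quarantine_dotfiles "$home" "$quar"
    echo "hidden entries left in home: $(count_dotentries "$home")"
    echo "hidden entries quarantined:  $(count_dotentries "$quar")"
    ls -la "$quar"
    rm -rf "$tmp"
}

demo
```

Run the script as-is to see the demo, or source it and call quarantine_dotfiles /home/sylvain /mnt/usbhdd/hidden-quarantine on the real directories; either way the visible files in the home directory are untouched and only the dot-entries are moved.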



Thread

What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-02 20:40 +0200
  Re: What is the best free HIDS for Debian Hannes von Haugwitz <hannes@vonhaugwitz.com> - 2022-05-02 21:00 +0200
  Re: What is the best free HIDS for Debian "Dave P." <dprowseus@gmail.com> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian Gianluca Gabrielli <ggabrielli@suse.de> - 2022-05-02 21:10 +0200
  Re: What is the best free HIDS for Debian "Darren S." <phatbuckett@gmail.com> - 2022-05-02 21:50 +0200
  Re: What is the best free HIDS for Debian mlnl <mlnl@mailbox.org> - 2022-05-03 06:30 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-03 14:40 +0200
    Re: What is the best free HIDS for Debian Jonathan Hutchins <hutchins@tarcanfel.org> - 2022-05-03 15:10 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-03 15:30 +0200
    Re: What is the best free HIDS for Debian Marc Haber <mh+debian-security@zugschlus.de> - 2022-05-04 10:10 +0200
  Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-04 13:40 +0200
    Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:00 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:20 +0200
        Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-08 17:20 +0200
          Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:30 +0200
            Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 20:50 +0200
              Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:50 +0200
                Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:20 +0200
              Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:50 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 00:30 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 01:00 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 10:10 +0200
                Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 12:50 +0200
                Re: What is the best free HIDS for Debian tmc@vandradlabs.com.au - 2022-05-09 13:40 +0200
                Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 14:00 +0200
                Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 15:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
        Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:40 +0200
          Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-13 16:30 +0200
            Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-16 12:00 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-16 13:10 +0200
              Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-17 12:00 +0200
      Re: What is the best free HIDS for Debian Vitaly Krasheninnikov <iam@krushik.ru> - 2022-05-10 05:40 +0200
        Re: What is the best free HIDS for Debian Richard van den Berg <richard@vdberg.org> - 2022-05-10 08:40 +0200
      Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-11 17:50 +0200
