From: Michael Lazin
Newsgroups: linux.debian.security
Subject: Re: What is the best free HIDS for Debian
Date: Sun, 08 May 2022 20:30:01 +0200
Organization: linux.* mail to news gateway
List-Archive: https://lists.debian.org/msgid-search/CALdcr8d8tq49E2+UE1khcb5YKKJP+FWTiLtnObQ7L5+afFJwxg@mail.gmail.com

I think if you have a rootkit it is very unlikely to get rid of it without backing up and reimaging, but you may be able to achieve it if you try first rkhunter and second AppArmor, which is similar to SELinux, which was developed by the NSA and made accessible as a Red Hat package. Both solutions have the ability to limit what root can do and are your only real option for saving a rooted system. It is important, if you try this, that you dump your memory if rkhunter picks up a memory anomaly. Fileless malware is popular among sophisticated threat actors and rkhunter is equipped to find malware that resides in memory. AppArmor is included in Debian.

Thanks,

Michael Lazin

On Sun, May 8, 2022 at 11:18 AM Sylvain wrote:
> Dear Elmar,
>
> Thank you for your help. I really appreciate it very much.
>
> I thought a lot about your answer and I feel a bit tricky... I
> understand what you're writing but I don't know how to do this.
>
> Do you think I can simply get rid of this rootkit? I've tried to move
> the file "crontab" to a safe place and then reinstall the package cron.
> The new "crontab" file seems to be the same as the previous one since the
> md5 sums are equal, but debcheckroot still throws an error for it...
>
> Regards
>
> Sylvain
>
> On 06/05/2022 at 16:20, Elmar Stellnberger wrote:
> > Dear Sylvain
> >
> > The next thing I would do is create a timeline. Mount the partition with
> > noatime so that access times are preserved as they are on new file
> > operations and then let find output the access, modification and creation
> > time of all files. Look at when these three executables have been
> > modified/created and then search back on what has happened at the
> > earliest time right before the rootkit has been installed. Once I
> > analysed a system of mine like this and found out that some suspicious
> > files had been uploaded in the ~/.skype directory. If I remember back I
> > think I had used vim for it but it should also be possible to use something
> > like sort.
> >
> > Regards
> > E.

--
Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
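The timeline step Elmar describes in the quoted reply (mount with noatime, have find print the access, modification and change times of every file, sort them, then look at what happened right before the replaced executables' timestamps), as an added example that is not part of the thread. It assumes GNU find, sort, stat, awk and date as shipped on Debian, uses a constructed sample tree in place of the mounted partition, and the device path in the mount comment is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes GNU find, sort, stat, awk
# and date, as on Debian. On a real case mount the suspect partition read-only
# with noatime first so the analysis does not rewrite access times, e.g.
#   mount -o ro,noatime /dev/sdXN /mnt/evidence   (device path is a placeholder)
set -eu

# build_timeline DIR: "mtime_epoch|mtime|ctime|atime|path" per file, newest
# modification first. Note that find's %C is the inode change time (ctime),
# not a creation time; touch/utimes cannot backdate it, so an old mtime next
# to a recent ctime is itself worth a look.
build_timeline() {
    find "$1" -xdev -type f \
        -printf '%T@|%TY-%Tm-%Td %TH:%TM|%CY-%Cm-%Cd %CH:%CM|%AY-%Am-%Ad %AH:%AM|%p\n' |
        sort -t '|' -k1,1nr
}

# earliest_mtime FILE...: epoch mtime of the oldest replaced executable, the
# point from which to search back.
earliest_mtime() {
    stat -c '%Y' "$@" | sort -n | head -n 1
}

# window_before DIR EPOCH SECONDS: files modified in the SECONDS up to and
# including EPOCH, i.e. what happened right before the rootkit went in.
window_before() {
    find "$1" -xdev -type f -printf '%T@|%p\n' |
        awk -F '|' -v lo="$(( $2 - $3 ))" -v hi="$2" \
            '$1 > lo && $1 <= hi { sub(/^[^|]*\|/, ""); print }' | sort
}

# Constructed sample tree standing in for the mounted partition.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/etc" "$d/home/user/.skype"
    for f in usr/bin/ls usr/bin/ps etc/crontab home/user/.skype/upload.bin; do
        printf 'sample\n' > "$d/$f"
    done
    touch -m -d '2022-01-10 09:00:00' "$d/usr/bin/ls" "$d/etc/crontab"
    touch -m -d '2022-05-01 03:12:00' "$d/home/user/.skype/upload.bin"
    touch -m -d '2022-05-01 03:15:00' "$d/usr/bin/ps"    # the replaced binary
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    build_timeline "$root"
    t=$(earliest_mtime "$root/usr/bin/ps")
    echo "--- modified in the hour before $(date -d "@$t"):"
    window_before "$root" "$t" 3600
fi
```

Run it with `demo` as the first argument to see the sorted timeline and the hour-long window before the replaced binary's mtime, which here surfaces the constructed ~/.skype upload.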