
Re: What is the best free HIDS for Debian

From Elmar Stellnberger <estellnb@elstel.org>
Newsgroups linux.debian.security
Subject Re: What is the best free HIDS for Debian
Date 2022-05-08 20:40 +0200
Message-ID <EkTYZ-e95f-1@gated-at.bofh.it> (permalink)
References (1 earlier) <Ejlwl-d9mK-1@gated-at.bofh.it> <Ek6EV-dDUf-5@gated-at.bofh.it> <Ek6Yh-dEgS-3@gated-at.bofh.it> <EkTPj-e92s-15@gated-at.bofh.it> <EkTYZ-e95f-3@gated-at.bofh.it>
Organization linux.* mail to news gateway



Hi Sylvain

   If you also care about the package selection you have installed you 
may do a 'dpkg -l' or copy /var/lib/dpkg/status. Possibly I will write 
something to clean the status file from packages that will be installed 
implicitly as dependency. Under Mageia you can use urpmi_rpm-find-leaves 
for that. Possibly also ask at a Debian mailing list (and tell me about it).
   I also forgot that you should possibly
> cp -a /etc /media/usbdisk
   to save configuration files for later lookup. The /etc directory is 
not that big and you can copy it.

Elmar


On 08.05.22 17:15, Elmar Stellnberger wrote:
> On 08.05.22 16:51, Sylvain Sécherre wrote:
>> I thought a lot about your answer and I feel a bit tricky... I 
>> understand what you're writing but I don't know how to do this.
>>
>> Do you think I can simply get rid of this rootkit? I've tried to move 
>> the file "crontab" to a safe place and then reinstall the package 
>> cron. The new "crontab" file seems to be the same as the previous one 
>> since the md5s are equal, but debcheckroot still throws an error for it...
>>
> Dear Sylvain
> 
>    No, I don't think you can get rid of the rootkit by reinstalling a 
> package. Usually rootkits are designed in a way that updating or 
> reinstalling packages doesn't damage the rootkit. The best thing to do 
> is to reinstall new from scratch. In order to do this without 
> complications I have a home partition of my own that I can register and reuse 
> with /etc/fstab. If you don't have that, make a
> 
>  > cp -a /home /mnt/usbhdd/home
> 
>    However that is not all you need to respect. Basically any infected 
> file can cause the rootkit to get reinstalled on your computer. That can 
> also be the case for hidden files in your home directory like 
> /home/sylvain/.*
>    I always do it like this:
> 
>  > cd /home/sylvain
>  > ls -lad .[^.]*
>  > mkdir /mnt/usbhdd/hidden-quarantine
>  > mv .[^.]* /mnt/usbhdd/hidden-quarantine
> 
> the .[^.]* - expression works like this:
> * first match anything that starts with a dot (under Linux hidden files 
> start with dots)
> * second match a character that is not a dot [^.]: This excludes .. 
> which denotes the parent directory. This one should of course not be copied
> * third match any from zero up to more characters: *
> 
>    Make sure that you move away the hidden files before you copy your 
> home directory back.
>    Moving away hidden home directory files will also reset your Firefox 
> bookmarks and saved passwords. If you have progressed this far I can 
> tell you how to reinstall them - and under normal circumstances reusing 
> a database file should not cause a rootkit to reinstall. If you are very 
> thorough you can export the bookmarks as html and write down all saved 
> passwords on a sheet of paper. You need to know however that getting rid 
> of a rootkit with 100% certainty is hard since basically any binary file 
> can result in an attack vector.
>    If you have progressed this far, sure I am going to continue to help 
> you with setting up a new installation and rescuing bookmarks (at least 
> for FF).
> 
> Kind Regards,
> Elmar
> 
> 
> 
> 
> 
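The quarantine-and-snapshot procedure from the message above, as an added example that is not part of the original post: it moves hidden entries out of a home directory with the post's dot glob (written `.[!.]*` for POSIX sh, plus `..?*` for names beginning with two dots, which the original glob skips), then copies the configuration directory and records the package list. All paths are parameters, so the constructed `demo` tree runs without touching the real system.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine hidden home files
# before a reinstall, and snapshot /etc plus the dpkg package list.
set -eu

# Move every hidden entry of $1 into $2, except . and .. (not real files).
# .[!.]* is the POSIX spelling of the post's .[^.]*; it skips names such as
# "..cache", so ..?* is added to cover those as well. Prints the count moved.
quarantine_hidden() {
    home="$1"; quarantine="$2"
    mkdir -p "$quarantine"
    moved=0
    for entry in "$home"/.[!.]* "$home"/..?*; do
        # an unmatched glob stays literal, so skip anything that does not exist
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        mv "$entry" "$quarantine"/
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Copy a config dir (normally /etc) and record installed packages for lookup.
# dpkg may be absent where this runs; the package list is then skipped.
snapshot_system() {
    etc_dir="$1"; dest="$2"
    mkdir -p "$dest"
    cp -a "$etc_dir" "$dest"/
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l > "$dest"/dpkg-l.txt || true
        cp /var/lib/dpkg/status "$dest"/dpkg-status 2>/dev/null || true
    fi
}

# Constructed demo tree so both functions can be exercised safely.
# Prints "<workdir> <number of hidden entries moved>".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/home/.mozilla" "$work/etc"
    printf 'alias ll="ls -l"\n' > "$work/home/.bashrc"
    printf 'x\n' > "$work/home/..twodots"
    printf 'keep\n' > "$work/home/visible.txt"
    printf 'demo-host\n' > "$work/etc/hostname"
    n=$(quarantine_hidden "$work/home" "$work/usb/hidden-quarantine")
    snapshot_system "$work/etc" "$work/usb/snapshot"
    echo "$work $n"
}
```

Run `demo` to see the result; on a real machine call `quarantine_hidden /home/sylvain /mnt/usbhdd/hidden-quarantine` and `snapshot_system /etc /mnt/usbhdd/snapshot` before copying the home directory back.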
