From: Elmar Stellnberger
Newsgroups: linux.debian.security
Subject: Re: What is the best free HIDS for Debian
Date: Sun, 8 May 2022 17:20:27 +0200
Message-ID: <4c83923c-b291-82d5-3799-fd06b1c279d4@elstel.org>
References: <62701ec7$0$18715$426a34cc@news.free.fr> <627260e6$0$24819$426a74cc@news.free.fr> <7848bfca-3955-dd96-3aff-f454d1e28315@elstel.org> <42898050-0dea-3cfb-3462-0a58452182e5@elstel.org> <8135fc53-727b-4cf5-1811-8bbd521f395b@free.fr>
Cc: debian-security
List-Archive: https://lists.debian.org/msgid-search/4c83923c-b291-82d5-3799-fd06b1c279d4@elstel.org

Hi Sylvain

If you also care about the package selection you have installed you may do a
'dpkg -l' or copy /var/lib/dpkg/status. Possibly I will write something to
clean the status file from packages that will be installed implicitly as
dependency. Under Mageia you can use urpmi_rpm-find-leaves for that.

Possibly also ask at a Debian mailing list (and tell me about it). I also
forgot that you should possibly
> cp -a /etc /media/usbdisk
to save configuration files for later lookup. The /etc directory is not that
big and you can copy it.

Elmar

On 08.05.22 17:15, Elmar Stellnberger wrote:
> On 08.05.22 16:51, Sylvain Sécherre wrote:
>> I thought a lot about your answer and I feel a bit tricky... I
>> understand what you're writing but I don't know how to do this.
>>
>> Do you think I can simply get rid of this rootkit? I've tried to move
>> the file "crontab" to a safe place and then reinstall the package
>> cron. The new "crontab" file seems to be the same as the previous one
>> since the md5 hashes are equal, but debcheckroot still throws an error
>> for it...
>>
> Dear Sylvain
>
>   No, I don't think you can get rid of the rootkit by reinstalling a
> package. Usually rootkits are designed in a way that updating or
> reinstalling packages doesn't damage the rootkit. The best thing to do
> is to reinstall from scratch. In order to do this without
> complications I have my own home partition that I can register and reuse
> with /etc/fstab. If you don't have that, make a
>
> > cp -a /home /mnt/usbhdd/home
>
>   However that is not all you need to respect. Basically any infected
> file can cause the rootkit to get reinstalled on your computer. That can
> also be the case for hidden files in your home directory like
> /home/sylvain/.*
>   I always do it like this:
>
> > cd /home/sylvain
> > ls -lad .[^.]*
> > mkdir /mnt/usbhdd/hidden-quarantine
> > mv .[^.]* /mnt/usbhdd/hidden-quarantine
>
> The .[^.]* expression works like this:
> * first match anything that starts with a dot (under Linux hidden files
>   start with dots)
> * second match a character that is not a dot [^.]: This excludes ..
>   which denotes the parent directory. This one should of course not be
>   copied
> * third match any from zero up to more characters: *
>
>   Make sure that you move away the hidden files before you copy your
> home directory back.
>   Moving away hidden home directory files will also reset your Firefox
> bookmarks and saved passwords. If you have progressed this far I can
> tell you how to reinstall them - and under normal circumstances reusing
> a database file should not cause a rootkit to reinstall. If you are very
> thorough you can export the bookmarks as html and write down all saved
> passwords on a sheet of paper. You need to know however that getting rid
> of a rootkit with 100% certainty is hard since basically any binary file
> can result in an attack vector.
>   If you have progressed this far, sure I am going to continue to help
> you with setting up a new installation and rescuing bookmarks (at least
> for FF).
>
> Kind Regards,
> Elmar
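The hidden-file quarantine step from the quoted message, written as a small POSIX shell script so the `.[^.]*` glob can be tried safely on a scratch directory before running it against a real home directory. This is an added example, not code from the thread or from debcheckroot; the function names `list_hidden` and `quarantine_hidden` and the directory arguments are my own, and the sample files the usage note describes are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): quarantine the hidden
# entries of a home directory the way the `.[^.]*` glob in the mail does,
# wrapped in functions that are safe to call from a script.
# Assumptions: the caller passes the home directory and a quarantine
# directory on a separate disk; nothing here is Debian-specific.
set -u

# The pattern `.[!.]*` is the POSIX spelling of the mail's `.[^.]*`:
# a leading dot, then one character that is not a dot (so `.` and `..`
# can never match), then anything. bash accepts both spellings; dash only
# guarantees `[!.]`, which is why it is used here.

# list_hidden DIR: print the basename of every dot-entry the glob would
# touch, without moving anything (the `ls -lad .[^.]*` step of the mail).
list_hidden() {
    for entry in "$1"/.[!.]*; do
        # If nothing matches, the shell leaves the pattern unexpanded;
        # the existence test skips that literal string.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        printf '%s\n' "${entry##*/}"
    done
}

# quarantine_hidden DIR QUARANTINE: move every dot-entry of DIR into
# QUARANTINE (created if missing) and print the number of entries moved.
# Directories such as .mozilla are moved whole, contents included.
quarantine_hidden() {
    home_dir=$1
    qdir=$2
    mkdir -p "$qdir" || return 1
    count=0
    for entry in "$home_dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        mv "$entry" "$qdir"/ || return 1
        count=$((count + 1))
    done
    echo "$count"
}
```

Run `list_hidden "$HOME"` first and read the list before calling `quarantine_hidden "$HOME" /mnt/usbhdd/hidden-quarantine`. One caveat worth checking by hand: the glob matches nothing whose name begins with two dots (a constructed name like `..cache` would be left in place), so after the move, `ls -A "$HOME"` is the reliable way to confirm that only visible files remain. For the package-selection part of the reply, Debian records which packages were installed explicitly rather than as dependencies, and `apt-mark showmanual` prints that list; saving its output next to the copy of /var/lib/dpkg/status is the Debian counterpart of the urpmi_rpm-find-leaves step mentioned for Mageia.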