Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.security > #6123
| From | Richard van den Berg <richard@vdberg.org> |
|---|---|
| Newsgroups | linux.debian.security |
| Subject | Re: What is the best free HIDS for Debian |
| Date | 2022-05-10 08:40 +0200 |
| Message-ID | <ElrHk-eup5-3@gated-at.bofh.it> (permalink) |
| References | <EiJ7H-cKEs-3@gated-at.bofh.it> <Ejlwl-d9mK-1@gated-at.bofh.it> <Ek6EV-dDUf-5@gated-at.bofh.it> <EloT7-esCy-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
On 10/05/2022 05:37, Vitaly Krasheninnikov wrote: > Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system. > In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M". > According to the description on your website, it means the modification of the file permissions, not the actual content. Thanks a lot for clarifying this. I found the interpretation of the results of debcheckroot at https://www.elstel.org/debcheckroot/ On 06/05/2022 15:52, Elmar Stellnberger wrote: > Am 06.05.22 um 15:05 schrieb Sylvain Sécherre: > > Here's the fileserror.lis: > > ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755 > > ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root > 755 > > ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755 > > ... > > I hope you won´t mind that I am citing the output of debcheckroot > you have given me. > These three files point to an infection with a rootkit. Don´t care > about modified configuration files like in /etc too much (but you may > still have a look at them). Executable files on the other hand must > never be modified. If these three files are different it means that > someone has altered your system. If you look at the man pages of these > executables then you also know that a maker of a rootkit would have > interest to modify exactly these files. Since you are the author of the debcheckroot tool, why do you think that the G (group) and M (mode) flags indicate the content of the files were altered? Or did you make a mistake and forgot what the output of debcheckroot actually means? If so, does this change your opinion that a rootkit is installed on this system? Kind regards, Richard
Back to linux.debian.security | Previous | Next — Previous in thread | Next in thread | Find similar
What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-02 20:40 +0200
Re: What is the best free HIDS for Debian Hannes von Haugwitz <hannes@vonhaugwitz.com> - 2022-05-02 21:00 +0200
Re: What is the best free HIDS for Debian "Dave P." <dprowseus@gmail.com> - 2022-05-02 21:10 +0200
Re: What is the best free HIDS for Debian Gianluca Gabrielli <ggabrielli@suse.de> - 2022-05-02 21:10 +0200
Re: What is the best free HIDS for Debian "Darren S." <phatbuckett@gmail.com> - 2022-05-02 21:50 +0200
Re: What is the best free HIDS for Debian mlnl <mlnl@mailbox.org> - 2022-05-03 06:30 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-03 14:40 +0200
Re: What is the best free HIDS for Debian Jonathan Hutchins <hutchins@tarcanfel.org> - 2022-05-03 15:10 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-03 15:30 +0200
Re: What is the best free HIDS for Debian Marc Haber <mh+debian-security@zugschlus.de> - 2022-05-04 10:10 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-04 13:40 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:00 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-06 16:20 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-08 17:20 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:30 +0200
Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 20:50 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-08 20:50 +0200
Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:20 +0200
Re: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-08 21:50 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 00:30 +0200
Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 01:00 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 10:10 +0200
Re: What is the best free HIDS for Debian Michael Lazin <microlaser@gmail.com> - 2022-05-09 12:50 +0200
Re: What is the best free HIDS for Debian tmc@vandradlabs.com.au - 2022-05-09 13:40 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-09 14:00 +0200
Re: What is the best free HIDS for Debian Tomasz Ciolek <tmc@vandradlabs.com.au> - 2022-05-09 15:30 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:30 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-08 20:40 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-13 16:30 +0200
Re: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-16 12:00 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-16 13:10 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-17 12:00 +0200
Re: What is the best free HIDS for Debian Vitaly Krasheninnikov <iam@krushik.ru> - 2022-05-10 05:40 +0200
Re: What is the best free HIDS for Debian Richard van den Berg <richard@vdberg.org> - 2022-05-10 08:40 +0200
Re: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-11 17:50 +0200
csiph-web