
Fwd: Re: Fwd: What is the best free HIDS for Debian

Path csiph.com!1.us.feeder.erje.net!3.eu.feeder.erje.net!feeder.erje.net!news2.arglkargh.de!news.mixmin.net!aioe.org!bofh.it!news.nic.it!robomod
From estellnb@elstel.org
Newsgroups linux.debian.security
Subject Fwd: Re: Fwd: What is the best free HIDS for Debian
Date Fri, 13 May 2022 20:10:01 +0200
Message-ID <EmHTH-fg1e-3@gated-at.bofh.it> (permalink)
References <EkTPj-e92s-15@gated-at.bofh.it> <EmHTH-fg1e-5@gated-at.bofh.it> <EmHTH-fg1e-7@gated-at.bofh.it>
X-Original-To debian-security@lists.debian.org
X-Mailbox-Line From debian-security-request@lists.debian.org Fri May 13 18:02:15 2022
Old-Return-Path <estellnb@elstel.org>
X-Amavis-Spam-Status No, score=-7.809 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FOURLA=0.1, LDO_WHITELIST=-5, RCVD_IN_DNSWL_LOW=-0.7, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
X-Policyd-Weight using cached result; rate: -5.5
MIME-Version 1.0
User-Agent dotplex Roundcube Webmail
X-Sender estellnb@elstel.org
Content-Type text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding 8bit
X-Mailing-List <debian-security@lists.debian.org> archive/latest/29278
List-ID <debian-security.lists.debian.org>
List-URL <https://lists.debian.org/debian-security/>
List-Archive https://lists.debian.org/msgid-search/1d8e42ce8198106bd408276305061bbd@elstel.org
Approved robomod@news.nic.it
Lines 146
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Date Fri, 13 May 2022 20:01:59 +0200
X-Original-Message-ID <1d8e42ce8198106bd408276305061bbd@elstel.org>
X-Original-References <8135fc53-727b-4cf5-1811-8bbd521f395b@free.fr> <a749db1c-f43f-5fa4-bd42-77136c5c5a16@elstel.org> <b1c4a49a-ad45-2cd8-aa0b-6b130b15f9df@free.fr>
Xref csiph.com linux.debian.security:6126



Michael Lazin had published a private email between me and Sylvain 
Sécherre. It means he is an NSA guy, since he had access to a wiretapped 
conversation.

https://lists.debian.org/debian-security/2022/05/msg00018.html

-------- Original Message --------
Subject: Re: Fwd: What is the best free HIDS for Debian
Date: 12.05.2022 12:53
From: Sylvain Sécherre <ssecherre@free.fr>
To: Elmar Stellnberger <estellnb@elstel.org>



Dear Elmar,

Don't worry about this, feel free to cite me if you want, even if it was
a private mail.

However, I'd prefer posting on usenet because it's a sharing attitude!
So, if you don't mind, let's continue this topic on
linux.debian.security.

Best regards,

Sylvain
-------------------------

On 11/05/2022 at 18:45, Elmar Stellnberger wrote:

> Dear Sylvain
> 
> When you first wrote to me asking for help I saw that the email was
> only addressed to me and I wanted to keep our conversation
> confidential. However then I got the email I am forwarding you now
> from below cited by Michael Lazin (read here:
> https://lists.debian.org/debian-security/2022/05/msg00018.html)
> publicly on the list so that I got to believe that you had
> intentionally made the conversation public. Now I have checked the
> email in my Inbox again and the headers say that I am the only
> addressee, if there was no BCC by you. If your writings were public, so
> why did I keep my own ones confidential then? When I noticed I re-sent
> my emails with the same sending date of before but now also to
> debian-security@lists.debian.org.
> The more I think about it, the more I am prone to believe that
> Michael Lazin could be an NSA guy who has published a mail, which both
> of us wanted to keep confidential. If this has happened, please excuse
> my re-sending of our private emails publicly to the debian-security
> list! If I err in what I have started to believe now, please do also
> clarify that for me.
> 
> to put it in short: An email addressed privately to me has appeared on
> the debian-security list, and if you haven't used BCC to yield this,
> then it means that M.L. was the one who has wiretapped and published
> an email meant to be confidential. If he did and I have made emails
> public because of this which you didn't want to have public, then my
> sincere excuse for what has happened here!
> 
> Best Regards,
> Elmar
> 
> -------- Forwarded Message --------
> Subject:     Re: What is the best free HIDS for Debian
> Date:     Sun, 8 May 2022 16:51:46 +0200
> From:     Sylvain Sécherre <ssecherre@free.fr>
> To:     Elmar Stellnberger <estellnb@elstel.org>
> 
> Dear Elmar,
> 
> Thank you for your help. I really appreciate very much.
> 
> I thought a lot about your answer and I feel a bit tricky... I
> understand what you're writing but I don't know how to do this.
> 
> Do you think I can simply get rid of this rootkit? I've tried to move
> the file "crontab" in a safe place and then reinstall the package
> cron. The new "crontab" file seems to be the same as the previous
> since the md5s are equal, but debcheckroot still throws an error for
> it...
> 
> Regards
> 
> Sylvain
> 
> 
> ------------------------------------------------------------------------
> 
> 
> On 06/05/2022 at 16:13, Elmar Stellnberger wrote:
> Dear Sylvain
> 
> The next thing I would do is create a timeline. Mount the partition
> with noatime so that access times are preserved as they are on new
> file operations and then let find output access, modification and
> creation time of all files. Look on when these three executables have
> been modified/created and then search back on what has happened at the
> earliest time right before the rootkit has been installed. Once I
> analysed a system of mine like this and found out that some suspicious
> files had been uploaded in the ~/.skype directory. If I remember back
> I think I had used vim for it but it should also be possible to use
> sth. like sort.
> 
> Regards
> E.
> 
> On 06.05.22 at 15:52, Elmar Stellnberger wrote:
> Dear Sylvain
> 
> On 04.05.22 at 13:17, Sylvain wrote:
> I've just tried debcheckroot too. It throws error. I'll try to fix
> them.
> 
> On 06.05.22 at 15:05, Sylvain Sécherre wrote:
>> Here's the fileserror.lis:
>> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
>> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
>> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
>> ...
> 
> I hope you won't mind that I am citing the output of debcheckroot
> you have given me.
> These three files point to an infection with a rootkit. Don't care
> about modified configuration files like in /etc too much (but you may
> still have a look at them). Executable files on the other hand must
> never be modified. If these three files are different it means that
> someone has altered your system. If you look at the man pages of these
> executables then you also know that a maker of a rootkit would have
> interest to modify exactly these files.
> 
>> The file filesunverified.lis is very long, while pkgcorrupt.lis is
> empty.
> 
> If you have updated your system some time ago and there are newer
> versions on the update server now then debcheckroot can certainly not
> find these packages any more. You could try to update your system and
> then verify again. Normally the rootkit will persist. However
> connecting your computer to a network may be detrimental since the
> rootkit owner may simply uninstall his rootkit once he knows that his
> malware has been discovered.
> I would at least save suspicious executables first and additionally
> the packages with known good of the same version.
> 
> Regards,
> Elmar
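The timeline procedure Elmar describes above (mount so that timestamps are preserved, let find print the times of every file, sort, then look at what happened right before the suspicious executables changed) as a small shell helper. This is an added example, not code from the thread and not part of debcheckroot; it assumes GNU findutils, coreutils and awk as shipped on Debian, and the paths in the usage comment (/mnt/suspect) are placeholders.

```shell
# Added example, not from the thread or from debcheckroot: a filesystem
# timeline in the spirit of the procedure above. Assumes GNU find, stat,
# sort and awk. Mount the suspect filesystem with "-o ro,noatime" first so
# that examining it cannot update access times or anything else.

# One line per regular file: "<mtime> <atime> <ctime> <path>", epoch seconds.
# %C@ is the inode change time (ctime); GNU find exposes no birth time.
file_times() {
    find "$1" -xdev -type f -printf '%T@ %A@ %C@ %p\n'
}

# Whole-tree timeline ordered by modification time, oldest first.
timeline_by_mtime() {
    file_times "$1" | sort -n -k1,1
}

# Paths of files whose mtime lies within [start, end] (epoch seconds).
files_modified_between() {
    file_times "$1" | awk -v s="$2" -v e="$3" '
        $1 >= s && $1 <= e { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
}

# Given a suspicious file (e.g. the modified pkexec), list the last N files
# (default 20) modified before it: the window in which to look for how the
# rootkit got in (an uploaded archive, a dropped script, a new cron entry).
activity_before() {
    ref=$(stat -c %Y "$2")
    file_times "$1" | awk -v r="$ref" '$1 < r' | sort -n -k1,1 | tail -n "${3:-20}"
}

# Interactive use on a tree mounted read-only under /mnt/suspect (placeholder):
#   timeline_by_mtime /mnt/suspect > timeline.txt
#   activity_before /mnt/suspect /mnt/suspect/usr/bin/pkexec 50
```

Mounting read-only is stricter than noatime alone: noatime only stops access-time updates, while ro also prevents any write the analysis tooling (or a still-running rootkit on the same host) could make. Copy the flagged executables out with `cp -p` and hash them before touching anything else, as the message advises, so the evidence survives even if the intruder later removes it.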



Thread

Fwd: Re: Fwd: What is the best free HIDS for Debian estellnb@elstel.org - 2022-05-13 20:10 +0200
  Re: Fwd: Re: Fwd: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-13 20:20 +0200
    Re: Fwd: Re: Fwd: What is the best free HIDS for Debian Noah Meyerhans <noahm@debian.org> - 2022-05-13 20:30 +0200
  Re: Fwd: Re: Fwd: What is the best free HIDS for Debian "Adam D. Barratt" <adam@adam-barratt.org.uk> - 2022-05-13 20:30 +0200
    Re: Fwd: Re: Fwd: What is the best free HIDS for Debian Elmar Stellnberger <estellnb@elstel.org> - 2022-05-13 20:30 +0200
      Re: Fwd: Re: Fwd: What is the best free HIDS for Debian Sylvain <ssecherre@free.fr> - 2022-05-14 11:30 +0200
