| From | estellnb@elstel.org |
|---|---|
| Newsgroups | linux.debian.security |
| Subject | Fwd: Re: Fwd: What is the best free HIDS for Debian |
| Date | 2022-05-13 20:10 +0200 |
| Message-ID | <EmHTH-fg1e-3@gated-at.bofh.it> (permalink) |
| References | <EkTPj-e92s-15@gated-at.bofh.it> <EmHTH-fg1e-5@gated-at.bofh.it> <EmHTH-fg1e-7@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Michael Lazin had published a private email between me and Sylvain Sécherre. It means he is an NSA guy, since he had access to a wiretapped conversation.
https://lists.debian.org/debian-security/2022/05/msg00018.html

-------- Original message --------
Subject: Re: Fwd: What is the best free HIDS for Debian
Date: 12.05.2022 12:53
From: Sylvain Sécherre <ssecherre@free.fr>
To: Elmar Stellnberger <estellnb@elstel.org>

Dear Elmar,

Don't worry about this, feel free to cite me if you want, even if it was a private mail. However, I'd prefer posting on usenet because it's a sharing attitude! So, if you don't mind, let's continue this topic on linux.debian.security.

Best regards,
Sylvain

-------------------------

On 11/05/2022 at 18:45, Elmar Stellnberger wrote:
> Dear Sylvain
>
> When you first wrote to me asking for help I saw that the email was
> only addressed to me and I wanted to keep our conversation
> confidential. However then I got the email I am forwarding you now
> from below cited by Michael Lazin (read here:
> https://lists.debian.org/debian-security/2022/05/msg00018.html)
> publicly on the list so that I got to believe that you had
> intentionally made the conversation public. Now I have checked the
> email in my Inbox again and the headers say that I am the only
> addressee, if there was no BCC by you. If your writings were public, so
> why did I keep my own ones confidential then? When I noticed I re-sent
> my emails with the same sending date of before but now also to
> debian-security@lists.debian.org.
> The more I think about it, the more I am prone to believe that
> Michael Lazin could be an NSA guy who has published a mail, which both
> of us wanted to keep confidential. If this has happened, please excuse
> my re-sending of our private emails publicly to the debian-security
> list! If I err in what I have started to believe now, please do also
> clarify that for me.
>
> To put it in short: An email addressed privately to me has appeared on
> the debian-security list, and if you haven't used BCC to yield this,
> then it means that M.L. was the one who has wiretapped and published
> an email meant to be confidential. If he did and I have made emails
> public because of this which you didn't want to have public, then my
> sincere excuse for what has happened here!
>
> Best Regards,
> Elmar
>
> -------- Forwarded Message --------
> Subject: Re: What is the best free HIDS for Debian
> Date: Sun, 8 May 2022 16:51:46 +0200
> From: Sylvain Sécherre <ssecherre@free.fr>
> To: Elmar Stellnberger <estellnb@elstel.org>
>
> Dear Elmar,
>
> Thank you for your help. I really appreciate very much.
>
> I thought a lot about your answer and I feel a bit tricky... I
> understand what you're writing but I don't know how to do this.
>
> Do you think I can simply get rid of these rootkit? I've tried to move
> the file "crontab" in a safe place and then reinstall the package
> cron. The new "crontab" file seems to be the same as the previous
> since the md5 are equal, but debcheckroot still throws an error for
> it...
>
> Regards
>
> Sylvain
>
> ------------------------------------------------------------------------
>
> On 06/05/2022 at 16:13, Elmar Stellnberger wrote:
> Dear Sylvain
>
> The next thing I would do is create a timeline. Mount the partition
> with noatime so that access times are preserved as they are on new
> file operations and then let find output access, modification and
> creation time of all files. Look on when these three executables have
> been modified/created and then search back on what has happened at the
> earliest time right before the rootkit has been installed. Once I
> analysed a system of mine like this and found out that some suspicious
> files had been uploaded in the ~/.skype directory. If I remember back
> I think I had used vim for it but it should also be possible to use
> sth. like sort.
>
> Regards
> E.
>
> On 06.05.22 at 15:52, Elmar Stellnberger wrote:
> Dear Sylvain
>
> On 04.05.22 at 13:17, Sylvain wrote:
>> I've just tried debcheckroot too. It throws error. I'll try to fix
>> them.
>
> On 06.05.22 at 15:05, Sylvain Sécherre wrote:
>> Here's the fileserror.lis:
>> ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
>> ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
>> ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
>> ...
>
> I hope you won't mind that I am citing the output of debcheckroot
> you have given me.
> These three files point to an infection with a rootkit. Don't care
> about modified configuration files like in /etc too much (but you may
> still have a look at them). Executable files on the other hand must
> never be modified. If these three files are different it means that
> someone has altered your system. If you look at the man pages of these
> executables then you also know that a maker of a rootkit would have
> interest to modify exactly these files.
>
>> The file filesunverified.lis is very long, while pkgcorrupt.lis is
>> empty.
>
> If you have updated your system some time ago and there are newer
> versions on the update server now then debcheckroot can certainly not
> find these packages any more. You could try to update your system and
> then verify again. Normally the rootkit will persist. However
> connecting your computer to a network may be detrimental since the
> rootkit owner may simply uninstall his rootkit once he knows that his
> malware has been discovered.
> I would at least save suspicious executables first and additionally
> the packages with known good of the same version.
>
> Regards,
> Elmar
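The timeline procedure Elmar describes in the quoted 6 May mail (mount the partition so the analysis does not disturb timestamps, have find print access, modification and change times for every file, sort, then look back from the moment the flagged executables were replaced), written out as an added example. This is not code from the thread or from debcheckroot; it assumes GNU findutils and coreutils (find -printf, stat -c, touch -d), and the sample directory tree is constructed here to stand in for the suspect root. On a real case, point it at a read-only, noatime mount of the disk image and at the path debcheckroot flagged.

```sh
#!/bin/sh
# Added example (not from the thread): build a file timeline from the
# suspect root and look back from a flagged executable's modification
# time. Assumes GNU findutils/coreutils. Analyse a read-only, noatime
# mount so the investigation itself does not rewrite access times, e.g.
#   mount -o ro,noatime /dev/sdX2 /mnt/suspect

# timeline ROOT
#   One line per regular file below ROOT (not crossing mount points):
#   "<mtime> <ctime> <atime> <path>", epoch seconds, oldest mtime first.
#   mtime and atime can be set with touch(1); ctime cannot, so a file
#   with an old mtime but a recent ctime deserves a closer look.
timeline() {
    find "$1" -xdev -type f -printf '%T@ %C@ %A@ %p\n' | sort -n
}

# events_before ROOT SUSPECT [WINDOW]
#   Files under ROOT, other than SUSPECT, modified within WINDOW seconds
#   (default 3600) before SUSPECT's mtime: the "what happened right
#   before the rootkit was installed" question. Tab-separated so paths
#   containing spaces survive the awk filter.
events_before() {
    eb_root=$1; eb_suspect=$2; eb_window=${3:-3600}
    eb_hi=$(stat -c %Y "$eb_suspect")
    eb_lo=$((eb_hi - eb_window))
    find "$eb_root" -xdev -type f -printf '%T@\t%p\n' \
        | awk -F'\t' -v lo="$eb_lo" -v hi="$eb_hi" -v s="$eb_suspect" \
              '$2 != s && $1 >= lo && $1 <= hi' \
        | sort -n
}

# make_fixture
#   Constructed sample tree (hypothetical data, not from the thread):
#   three binaries replaced within seconds of each other, a file staged
#   under ~/.skype shortly before, and unrelated files well before and
#   after. Only mtimes are set; a real image also carries real ctimes.
make_fixture() {
    mf_d=$(mktemp -d)
    mkdir -p "$mf_d/usr/bin" "$mf_d/home/user/.skype" "$mf_d/etc"
    touch -d '2022-01-10 09:00:00' "$mf_d/etc/hostname"
    touch -d '2022-05-01 03:12:00' "$mf_d/home/user/.skype/payload.bin"
    touch -d '2022-05-01 03:14:30' "$mf_d/usr/bin/ssh-agent"
    touch -d '2022-05-01 03:15:00' "$mf_d/usr/bin/crontab"
    touch -d '2022-05-01 03:15:05' "$mf_d/usr/bin/pkexec"
    touch -d '2022-05-10 12:00:00' "$mf_d/etc/motd"
    printf '%s\n' "$mf_d"
}

# Run with "demo" as the first argument to see both functions on the
# fixture; for a real case substitute the mount point and flagged path.
if [ "${1:-}" = "demo" ]; then
    root=$(make_fixture)
    timeline "$root"
    echo "--- modified in the hour before $root/usr/bin/crontab:"
    events_before "$root" "$root/usr/bin/crontab"
    rm -rf "$root"
fi
```

Read the full timeline first: the three replaced binaries should cluster at one instant, and everything modified in the minutes before that cluster (a download, an archive unpacked in a home directory, a new cron entry) is the lead to follow. Save copies of the flagged files and the matching known-good .deb versions before doing anything that touches the system, as the quoted mail advises.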