• Fwd: Re: Fwd: What is the best free HIDS for Debian

    From estellnb@elstel.org@21:1/5 to All on Fri May 13 20:10:01 2022
    Michael Lazin had published a private email between me and Sylvain
    Sécherre. It means he is an NSA guy, since he had access to a wiretapped
    conversation.

    https://lists.debian.org/debian-security/2022/05/msg00018.html

    -------- Original Message --------
    Subject: Re: Fwd: What is the best free HIDS for Debian
    Date: 12.05.2022 12:53
    From: Sylvain Sécherre <ssecherre@free.fr>
    To: Elmar Stellnberger <estellnb@elstel.org>



    Dear Elmar,

    Don't worry about this, feel free to cite me if you want, even if it was
    a private mail.

    However, I'd prefer posting on usenet because it's a sharing attitude!
    So, if you don't mind, let's continue this topic on
    linux.debian.security.

    Best regards,

    Sylvain
    -------------------------

    On 11/05/2022 at 18:45, Elmar Stellnberger wrote:

    Dear Sylvain

    When you first wrote to me asking for help I saw that the email was
    only addressed to me and I wanted to keep our conversation
    confidential. However, then I got the email I am forwarding you now
    from below, cited by Michael Lazin (read here: https://lists.debian.org/debian-security/2022/05/msg00018.html)
    publicly on the list, so that I came to believe that you had
    intentionally made the conversation public. Now I have checked the
    email in my Inbox again and the headers say that I am the only
    addressee, if there was no BCC by you. If your writings were public,
    why did I keep my own ones confidential then? When I noticed I re-sent
    my emails with the same sending date as before but now also to debian-security@lists.debian.org.
    The more I think about it, the more I am prone to believe that
    Michael Lazin could be an NSA guy who has published a mail which both
    of us wanted to keep confidential. If this has happened, please excuse
    my re-sending of our private emails publicly to the debian-security
    list! If I err in what I have started to believe now, please do also
    clarify that for me.

    To put it in short: an email addressed privately to me has appeared on
    the debian-security list, and if you haven't used BCC to yield this,
    then it means that M.L. was the one who has wiretapped and published
    an email meant to be confidential. If he did and I have made emails
    public because of this which you didn't want to have public, then my
    sincere excuse for what has happened here!

    Best Regards,
    Elmar

    -------- Forwarded Message --------
    Subject: Re: What is the best free HIDS for Debian
    Date: Sun, 8 May 2022 16:51:46 +0200
    From: Sylvain Sécherre <ssecherre@free.fr>
    To: Elmar Stellnberger <estellnb@elstel.org>

    Dear Elmar,

    Thank you for your help. I really appreciate it very much.

    I thought a lot about your answer and I feel a bit tricky... I
    understand what you're writing but I don't know how to do this.

    Do you think I can simply get rid of this rootkit? I've tried to move
    the file "crontab" to a safe place and then reinstall the package
    cron. The new "crontab" file seems to be the same as the previous one
    since the md5s are equal, but debcheckroot still throws an error for
    it...

    Regards

    Sylvain


    ------------------------------------------------------------------------


    On 06/05/2022 at 16:13, Elmar Stellnberger wrote:
    Dear Sylvain

    The next thing I would do is create a timeline. Mount the partition
    with noatime so that access times are preserved as they are on new
    file operations, and then let find output the access, modification and
    creation time of all files. Look at when these three executables have
    been modified/created and then search back for what has happened at
    the earliest time right before the rootkit was installed. Once I
    analysed a system of mine like this and found out that some suspicious
    files had been uploaded to the ~/.skype directory. If I remember back
    I think I had used vim for it, but it should also be possible to use
    something like sort.

    Regards
    E.

    On 06.05.22 at 15:52, Elmar Stellnberger wrote:
    Dear Sylvain

    On 04.05.22 at 13:17, Sylvain wrote:
    I've just tried debcheckroot too. It throws errors. I'll try to fix
    them.

    On 06.05.22 at 15:05, Sylvain Sécherre wrote:
    Here's the fileserror.lis:
    ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
    ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
    ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
    ...

    I hope you won't mind that I am citing the output of debcheckroot
    you have given me.
    These three files point to an infection with a rootkit. Don't care
    about modified configuration files like in /etc too much (but you may
    still have a look at them). Executable files on the other hand must
    never be modified. If these three files are different it means that
    someone has altered your system. If you look at the man pages of these
    executables then you also know that a maker of a rootkit would have
    an interest in modifying exactly these files.

    The file filesunverified.lis is very long, while pkgcorrupt.lis is
    empty.

    If you have updated your system some time ago and there are newer
    versions on the update server now then debcheckroot can certainly not
    find these packages any more. You could try to update your system and
    then verify again. Normally the rootkit will persist. However
    connecting your computer to a network may be detrimental since the
    rootkit owner may simply uninstall his rootkit once he knows that his
    malware has been discovered.
    I would at least save the suspicious executables first and additionally
    the known-good packages of the same version.

    Regards,
    Elmar

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
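    The timeline step Elmar describes in the forwarded message (mount with noatime, let find emit the file times, sort, then look back from the flagged executables) as an added shell example; it is not code from the thread or from debcheckroot, assumes GNU findutils and coreutils, and uses a hypothetical mount point /mnt/suspect. Note that find's %C is the inode change time (ctime); Linux exposes no file creation time through find.

```shell
#!/bin/sh
# Added example: reconstruct a file-activity timeline of a suspect root
# filesystem that was mounted read-only with noatime, e.g. (hypothetical):
#   mount -o ro,noatime /dev/sdX1 /mnt/suspect
# Requires GNU find/stat/sort (the -printf format and stat -c are GNU).

# Emit one line per timestamp per regular file: <epoch> <kind> <mode> <owner> <path>
# kind: m = modification, a = access, c = inode change (ctime; find exposes
# no creation time on Linux). Sorted oldest first so it reads as a timeline.
build_timeline() {
    root=$1
    find "$root" -xdev -type f \
        -printf '%T@ m %m %u %p\n%A@ a %m %u %p\n%C@ c %m %u %p\n' \
        | sort -n
}

# Earliest modification time (epoch seconds) among the executables the
# integrity check flagged, e.g. usr/bin/crontab, pkexec and ssh-agent.
earliest_mtime() {
    stat -c '%Y' "$@" | sort -n | head -n 1
}

# Timeline events in the WINDOW seconds leading up to T0: this is where to
# look for the dropper, uploaded files or shell history preceding the install.
events_before() {
    timeline=$1; t0=$2; window=$3
    awk -v t0="$t0" -v w="$window" \
        '{ t = int($1); if (t <= t0 && t >= t0 - w) print }' "$timeline"
}

# Usage against the hypothetical mount point, writing the timeline outside it:
#   build_timeline /mnt/suspect > /root/timeline.lis
#   t0=$(earliest_mtime /mnt/suspect/usr/bin/crontab /mnt/suspect/usr/bin/pkexec)
#   events_before /root/timeline.lis "$t0" 86400
```

    Keep the timeline file and the saved copies of the flagged executables off the suspect partition so that collecting evidence does not itself alter the filesystem being examined.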
  • From Elmar Stellnberger@21:1/5 to All on Fri May 13 20:20:01 2022
    I mean Michael Lazin didn't say anything bad, on the contrary he has
    given us some valuable information. I just wanted people to know here
    that secret services apparently have their people posting on this list,
    likely not always disinterestedly. I have double checked with Sylvain -
    her mail had indeed been written to be between her and me only although
    it had been cited by this person.

    Elmar

    On 13.05.22 at 20:01, estellnb@elstel.org wrote:
    Michael Lazin had published a private email between me and Sylvain
    Sécherre. It means he is an NSA guy, since he had access to a wiretapped
    conversation.

    https://lists.debian.org/debian-security/2022/05/msg00018.html

    -------- Original Message --------
    Subject: Re: Fwd: What is the best free HIDS for Debian
    Date: 12.05.2022 12:53
    From: Sylvain Sécherre <ssecherre@free.fr>
    To: Elmar Stellnberger <estellnb@elstel.org>



    Dear Elmar,

    Don't worry about this, feel free to cite me if you want, even if it was
    a private mail.

    However, I'd prefer posting on usenet because it's a sharing attitude!
    So, if you don't mind, let's continue this topic on
    linux.debian.security.

    Best regards,

    Sylvain

    ...

  • From Noah Meyerhans@21:1/5 to Elmar Stellnberger on Fri May 13 20:30:01 2022
    Can we please take this tinfoil hat lunacy somewhere else? There are
    plenty of conspiracy theory forums out there. I'm sure you've got your favorite, but this isn't one.


    On Fri, May 13, 2022 at 08:15:52PM +0200, Elmar Stellnberger wrote:
    I mean Michael Lazin didn't say anything bad, on the contrary he has given
    us some valuable information. I just wanted people to know here that secret
    services apparently have their people posting on this list, likely not
    always disinterestedly. I have double checked with Sylvain - her mail had
    indeed been written to be between her and me only although it had been cited
    by this person.

    Elmar

    On 13.05.22 at 20:01, estellnb@elstel.org wrote:
    Michael Lazin had published a private email between me and Sylvain
    Sécherre. It means he is an NSA guy, since he had access to a wiretapped
    conversation.

    https://lists.debian.org/debian-security/2022/05/msg00018.html

    -------- Original Message --------
    Subject: Re: Fwd: What is the best free HIDS for Debian
    Date: 12.05.2022 12:53
    From: Sylvain Sécherre <ssecherre@free.fr>
    To: Elmar Stellnberger <estellnb@elstel.org>



    Dear Elmar,

    Don't worry about this, feel free to cite me if you want, even if it was
    a private mail.

    However, I'd prefer posting on usenet because it's a sharing attitude!
    So, if you don't mind, let's continue this topic on
    linux.debian.security.

    Best regards,

    Sylvain

    ...


  • From Adam D. Barratt@21:1/5 to estellnb@elstel.org on Fri May 13 20:30:01 2022
    On Fri, 2022-05-13 at 20:01 +0200, estellnb@elstel.org wrote:
    Michael Lazin had published a private email between me and Sylvain
    Sécherre. It means he is an NSA guy, since he had access to a
    wiretapped conversation.

    https://lists.debian.org/debian-security/2022/05/msg00018.html


    So far as I can see, the mail in question made it to debian-security
    because it was posted to linux.debian.security and was then
    automatically reposted via mail.

    The headers of
    https://lists.debian.org/debian-security/2022/05/msg00017.html , which
    is the mail you claim was private, include:

    Message-Id: <6277d936$0$22287$426a74cc@news.free.fr>
    X-Trace: 1652021558 news-2.free.fr 22287 86.254.12.140:18486
    X-Complaints-To: abuse@proxad.net
    Sender: robomod@news.nic.it
    X-Original-Newsgroups: linux.debian.security

    which look remarkably similar to those from one of Sylvain's mails
    earlier in the thread.

    Regards,

    Adam

  • From Elmar Stellnberger@21:1/5 to All on Fri May 13 20:30:01 2022
    From what Sylvain has answered me, she didn't do that. As said, the mail
    header I got also did not show anything like that.

    On 13.05.22 at 20:25, Adam D. Barratt wrote:
    On Fri, 2022-05-13 at 20:01 +0200, estellnb@elstel.org wrote:
    Michael Lazin had published a private email between me and Sylvain
    Sécherre. It means he is an NSA guy, since he had access to a
    wiretapped conversation.

    https://lists.debian.org/debian-security/2022/05/msg00018.html


    So far as I can see, the mail in question made it to debian-security
    because it was posted to linux.debian.security and was then
    automatically reposted via mail.

    The headers of
    https://lists.debian.org/debian-security/2022/05/msg00017.html , which
    is the mail you claim was private, include:

    Message-Id: <6277d936$0$22287$426a74cc@news.free.fr>
    X-Trace: 1652021558 news-2.free.fr 22287 86.254.12.140:18486
    X-Complaints-To: abuse@proxad.net
    Sender: robomod@news.nic.it
    X-Original-Newsgroups: linux.debian.security

    which look remarkably similar to those from one of Sylvain's mails
    earlier in the thread.

    Regards,

    Adam


  • From Sylvain@21:1/5 to All on Sat May 14 11:30:01 2022
    Hello,

    On 13/05/2022 at 20:30, Elmar Stellnberger wrote:
    From what Sylvain has answered me, she didn't do that. As said, the mail
    header I got also did not show anything like that.

    I must point out that I'm a man. "Sylvain" is for boys and "Sylvie" for
    girls. :)
