What I already said:
I got a boot error on win10home24 after I had carried out the steps and rebooted. Windows no longer started and I got the message:
"drive not found"
After that:
I have now managed to run a Linux Mint 18.3 live boot CD, burned the ISO to DVD, also made a win10home64bit.iso, and installed Mint alongside Win10 Home. However, on restarting from the Mint installation DVD I again (second time) got the message "No drive found"!!
So I repeated the procedure a second time and overwrote the whole disk (Gutmann) with encryption (LUKS) and the UEFI Secure Boot option off, with a password.
Restarted/rebooted again and got the same error again (for the third time). Do you understand that?!
But when I choose the boot options via F11 (ASRock) I see the partition ubuntu (encrypt EXT4) listed, and then I DO get into the installed version of Linux Mint 18.3?! Which is what I have been trying to achieve for three months and has now FINALLY WORKED on this infected PC.
Out of paranoia I have:
1. Switched off all network systems with the associated equipment/systems/devices.
2. Reset the modem to factory settings.
3. Flashed the BIOS of this Linux Mint 18.3 computer.
So I am now working from the installed Linux Mint 18.3 and have done a rootkit scan (Linux).
[Question 1] What can you derive from the attached analysis info (Linux rootkit scan) with regard to the rootkit we also found in Windows 10 Home 64-bit, based on your expertise/experience?!
[Question 2] Is there possibly still a rootkit present on this system now running Linux Mint 18.3, and do you have other options to investigate this?!
[Question 3] Because the disk is now encrypted I cannot run a Linux Mint 18.3 live CD on this system; is there an alternative to make that possible?!
[Question 4] My theory is that the 'rootkit' lodges itself in the cloud/on a server online. Because every time I carry out the clean-up procedure (wired):
a. Wipe the disk with Gutmann.
b. Flash the BIOS.
c. Install Linux Mint 18.3.
d. Do a rootkit scan.
e. Get notifications/signals of a 'rootkit'.
But unwired and offline:
I repeat the same procedure and it is 'clean' and finds nothing of rootkits (no notifications/signals).
The problems start after a while when I go online wired/Wi-Fi. I suspect the rootkit is hiding in one of the website servers I work on/have worked on?! And then the misery starts all over again!
The log:
Current version : 261 Latest version : 262
Please update to the latest version.
New releases include additional features, bug fixes, tests, and baselines.
Download the latest version:
Packages (DEB/RPM) - https://packages.cisofy.com
Website (TAR) - https://cisofy.com/downloads/
GitHub (source) - https://github.com/CISOfy/lynis
===============================================================================
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (fase 1)
------------------------------------
Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren
- Plugins geactiveerd [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ upstart ]
- Checking UEFI boot [ INGESCHAKELD ]
- Checking Secure Boot [ INGESCHAKELD ]
- Checking presence GRUB2 [ GEVONDEN ]
- Checking for password protection [ WAARSCHUWING ]
- Check running services (systemctl) [ KLAAR ]
Result: found 26 running services
- Check enabled services at boot (systemctl) [ KLAAR ]
Result: found 45 enabled services
- Check startup files (permissions) [ OK ]
[+] Kernel
------------------------------------
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ GEVONDEN ]
- Checking kernel version and release [ KLAAR ]
- Checking kernel type [ KLAAR ]
- Checking loaded kernel modules [ KLAAR ]
Found 90 active modules
- Checking Linux kernel configuration file [ GEVONDEN ]
- Checking default I/O kernel scheduler [ GEVONDEN ]
- Checking core dumps configuration [ UITGESCHAKELD ]
- Checking setuid core dumps configuration [ PROTECTED ]
- Check if reboot is needed [ NEE ]
[+] Geheugen en Processen
------------------------------------
- Checking /proc/meminfo [ GEVONDEN ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Query system users (non daemons) [ KLAAR ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ GEVONDEN ]
- Check sudoers file permissions [ OK ]
- PAM password strength tools [ SUGGESTIE ]
- PAM configuration files (pam.conf) [ GEVONDEN ]
- PAM configuration files (pam.d) [ GEVONDEN ]
- PAM modules [ GEVONDEN ]
- LDAP module in PAM [ NIET GEVONDEN ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ UITGESCHAKELD ]
- User password aging (maximum) [ UITGESCHAKELD ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NIET GEVONDEN ]
- umask (/etc/login.defs) [ SUGGESTIE ]
- umask (/etc/init.d/rc) [ SUGGESTIE ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ INGESCHAKELD ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 4 shells (valid shells: 4).
- Session timeout settings/tools [ GEEN ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ GEEN ]
- Checking default umask in /etc/profile [ GEEN ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTIE ]
- Checking /tmp mount point [ SUGGESTIE ]
- Checking /var mount point [ SUGGESTIE ]
- Checking LVM volume groups [ GEVONDEN ]
- Checking LVM volumes [ GEVONDEN ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTIE ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ INGESCHAKELD ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /boot [ NON DEFAULT ]
- Checking Locate database [ GEVONDEN ]
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs freevxfs hfs hfsplus jffs2 udf
[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ INGESCHAKELD ]
- Checking USBGuard [ NIET GEVONDEN ]
[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ UITGESCHAKELD ]
[+] NFS
------------------------------------
- Check running NFS daemon [ NIET GEVONDEN ]
[+] Name services
------------------------------------
- Checking search domains [ GEVONDEN ]
- Searching DNS domain name [ ONBEKEND ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ GEVONDEN ]
- Querying package manager
- Query unpurged packages [ GEEN ]
- Checking security repository in sources.list.d directory [ OK ]
- Checking vulnerable packages [ WAARSCHUWING ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
[+] Networking
------------------------------------
- Checking IPv6 configuration [ INGESCHAKELD ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 127.0.1.1 [ OK ]
- Checking default gateway [ KLAAR ]
- Getting listening ports (TCP/UDP) [ KLAAR ]
* Found 20 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ ACTIEF ]
- Checking for ARP monitoring software [ NIET GEVONDEN ]
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ ACTIEF ]
- Checking CUPS configuration file [ OK ]
- File permissions [ WAARSCHUWING ]
- Checking CUPS addresses/sockets [ GEVONDEN ]
- Checking lp daemon [ NIET ACTIEF ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ NIET GEVONDEN ]
- Checking host based firewall [ NOT ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache [ NIET GEVONDEN ]
- Checking nginx [ NIET GEVONDEN ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ NIET GEVONDEN ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NIET GEVONDEN ]
[+] Databases
------------------------------------
No database engines found
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NIET GEVONDEN ]
[+] PHP
------------------------------------
- Checking PHP [ NIET GEVONDEN ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NIET GEVONDEN ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NIET GEVONDEN ]
- Checking systemd journal status [ GEVONDEN ]
- Checking Metalog status [ NIET GEVONDEN ]
- Checking RSyslog status [ GEVONDEN ]
- Checking RFC 3195 daemon status [ NIET GEVONDEN ]
- Checking minilogd instances [ NIET GEVONDEN ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ KLAAR ]
- Checking open log files [ KLAAR ]
- Checking deleted files in use [ FILES FOUND ]
[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]
[+] Banners and identification
------------------------------------
- /etc/issue [ GEVONDEN ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ GEVONDEN ]
- /etc/issue.net contents [ WEAK ]
[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ KLAAR ]
[+] Accounting
------------------------------------
- Checking accounting information [ NIET GEVONDEN ]
- Checking sysstat accounting data [ NIET GEVONDEN ]
- Checking auditd [ NIET GEVONDEN ]
[+] Time and Synchronization
------------------------------------
- NTP daemon found: ntpd [ GEVONDEN ]
- NTP daemon found: systemd (timesyncd) [ GEVONDEN ]
- Checking event based ntpdate (if-up) [ GEVONDEN ]
- Checking for a running NTP daemon or client [ OK ]
- Checking valid association ID's [ GEVONDEN ]
- Checking high stratum ntp peers [ OK ]
- Checking unreliable ntp peers [ GEEN ]
- Checking selected time source [ WAARSCHUWING ]
- Checking time source candidates [ GEEN ]
- Checking falsetickers [ OK ]
- Checking NTP version [ GEVONDEN ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/5] [ GEEN ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ GEVONDEN ]
- Checking AppArmor status [ INGESCHAKELD ]
- Checking presence SELinux [ NIET GEVONDEN ]
- Checking presence grsecurity [ NIET GEVONDEN ]
- Checking for implemented MAC framework [ OK ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NIET GEVONDEN ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NIET GEVONDEN ]
- Checking for IDS/IPS tooling [ GEEN ]
[+] Software: Kwaadaardige software (malware)
------------------------------------
- Zoeken naar chkrootkit [ GEVONDEN ]
[+] File Permissions
------------------------------------
- Starting file permissions check
[+] Home directories
------------------------------------
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ GEVONDEN ]
- Installed malware scanner [ GEVONDEN ]
[+] Eigen Testen
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (fase 2)
------------------------------------
================================================================================
-[ Lynis 2.6.1 Results ]-
Warnings (1):
----------------------------
! Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/controls/PKGS-7392/
Suggestions (29):
----------------------------
* Version of Lynis outdated, consider upgrading to the latest version [LYNIS]
https://cisofy.com/controls/LYNIS/
* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
https://cisofy.com/controls/BOOT-5122/
* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
https://cisofy.com/controls/AUTH-9262/
* Configure minimum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/
* Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/
* Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/
* To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/controls/STRG-1840/
* Check DNS configuration for the dns domain name [NAME-4028]
https://cisofy.com/controls/NAME-4028/
* Install debsums utility for the verification of packages with known good database. [PKGS-7370]
https://cisofy.com/controls/PKGS-7370/
* Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392]
https://cisofy.com/controls/PKGS-7392/
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
https://cisofy.com/controls/NETW-3032/
* Access to CUPS configuration could be more strict. [PRNT-2307]
https://cisofy.com/controls/PRNT-2307/
* Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
https://cisofy.com/controls/FIRE-4590/
* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/controls/LOGG-2190/
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/controls/BANN-7130/
* Enable process accounting [ACCT-9622]
https://cisofy.com/controls/ACCT-9622/
* Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/controls/ACCT-9626/
* Enable auditd to collect audit information [ACCT-9628]
https://cisofy.com/controls/ACCT-9628/
* Check ntpq peers output for selected time source [TIME-3124]
https://cisofy.com/controls/TIME-3124/
* Check ntpq peers output for time source candidates [TIME-3128]
https://cisofy.com/controls/TIME-3128/
* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/controls/FINT-4350/
* Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/controls/TOOL-5002/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
https://cisofy.com/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/controls/HRDN-7222/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 64 [############ ]
Tests performed : 208
Plugins enabled : 0
Components:
- Firewall [X]
- Malware scanner [V]
Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Notice: Lynis update beschikbaar
Huidige versie : 261 Latest version : 262
================================================================================
Lynis 2.6.1
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /usr/local/lynis/default.prf for all settings)
digidokter@CORSAIR /tmp $
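An added example (not part of the original post and not Lynis's own code): a small Python parser for the Lynis console output above that pulls out the sysctl keys marked [ DIFFERENT ] in the KRNL-6000 block plus the warning/suggestion IDs, and renders the differing keys as a sysctl.d drop-in with the profile's expected values. The sample input is constructed from lines of the posted log; the regexes assume Lynis's console layout, with status words possibly localised as in the log.

```python
"""Parse Lynis console output: sysctl keys marked DIFFERENT and the warning/
suggestion list, then render the differing keys as a sysctl.d drop-in.
Assumes Lynis's console format; status words may be localised (Dutch here)."""
import re

# Constructed sample: lines copied from the posted Lynis 2.6.1 output.
SAMPLE_REPORT = """\
[+] Kernel Hardening
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
Warnings (1):
! Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/controls/PKGS-7392/
Suggestions (29):
* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
"""

# "- key (exp: values) [ STATUS ]"  and  "! or * text [TEST-ID]"
SYSCTL_RE = re.compile(r"^- (?P<key>[\w.\-]+) \(exp: (?P<exp>[^)]+)\) \[ (?P<status>[^\]]+) \]$")
FINDING_RE = re.compile(r"^(?P<kind>[!*]) (?P<text>.+?) \[(?P<id>[A-Z]{4}-\d{4}|LYNIS)\]$")


def parse_sysctl_diffs(report: str) -> dict:
    """Return {key: expected_value} for keys Lynis marked DIFFERENT.
    If the profile accepts several values ("exp: 1 2 3"), keep the first (strictest)."""
    diffs = {}
    for line in report.splitlines():
        m = SYSCTL_RE.match(line.strip())
        if m and m.group("status") == "DIFFERENT":
            diffs[m.group("key")] = m.group("exp").split()[0]
    return diffs


def parse_findings(report: str) -> list:
    """Return (kind, test_id, text) tuples; kind is 'warning' (!) or 'suggestion' (*)."""
    kinds = {"!": "warning", "*": "suggestion"}
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((kinds[m.group("kind")], m.group("id"), m.group("text")))
    return findings


def render_sysctl_dropin(diffs: dict) -> str:
    """Render differing keys as an /etc/sysctl.d/*.conf fragment (review before applying)."""
    body = "\n".join(f"{key} = {value}" for key, value in sorted(diffs.items()))
    return "# Generated from Lynis KRNL-6000 findings\n" + body + "\n"


if __name__ == "__main__":
    print(render_sysctl_dropin(parse_sysctl_diffs(SAMPLE_REPORT)))
    for kind, test_id, text in parse_findings(SAMPLE_REPORT):
        print(f"{kind:10} {test_id}: {text}")
```

Point it at a full capture (`lynis audit system | tee lynis.txt`) to get every DIFFERENT key from the real KRNL-6000 block instead of the sample.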