File: //etc/linux-sensor/SECURITY.md
# Linux Sensor — Security Notice for Hosting Providers and AV Analysts

**Vendor**: Norypt (https://norypt.com)
**Product**: Linux Sensor — Linux endpoint management agent (MDM/EDR class)
**Contact for false-positive reports**: [email protected]
**This file**: `/etc/linuxmdm/SECURITY.md` and `/usr/share/linuxmdm/SECURITY.md`

## What this software is

Linux Sensor (process names `linux-sensor`, `linux-monitor`) is a
**legitimate, customer-installed system management agent**. It is
analogous to commercial tools like CrowdStrike Falcon, SentinelOne,
Wazuh, or Tanium — installed by a system owner to enable centralised
monitoring, configuration, command execution, and security event
forwarding to a remote management panel that the same owner controls.

Installation is **always explicit**: the customer runs an install
command that includes a per-customer install token. There is no
exploitation, no lateral movement, no installation without consent.

## What it does

The agent performs the following on the host where it is installed:

- Sends periodic heartbeats (every 30 seconds) to the customer's
  configured management panel over HTTPS / WSS to a panel domain the
  customer controls.
- Reports system telemetry: CPU/RAM/disk, hostname, kernel version,
  installed package list, listening sockets.
- Executes signed remote commands issued by the panel admin
  (Ed25519-signed; agent verifies signature before execution).
- Streams interactive PTY sessions (`Live Console`) when an admin
  initiates one from the panel.
- Self-updates from the panel when a new release is deployed.
- Performs file integrity monitoring on its own binaries and reports
  tampering events to the panel.
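The verify-before-execute gate described above, as an added example in Go (not the agent's or vendor's own code): the panel signs a command with its Ed25519 private key, and the agent runs it only if the signature verifies under the panel public key pinned at install time. The `SignedCommand` layout and its JSON canonical form are assumptions; the notice only states that commands are Ed25519-signed and verified before execution.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

type SignedCommand struct { // assumed wire format; not documented by the notice
	ID      string `json:"id"`
	Command string `json:"command"`
	Sig     []byte `json:"sig"`
}

// canonical returns the exact bytes the signature covers: all fields except Sig.
func canonical(c SignedCommand) []byte {
	b, _ := json.Marshal(struct {
		ID      string `json:"id"`
		Command string `json:"command"`
	}{c.ID, c.Command})
	return b
}

// Sign is the panel side, which holds the private key.
func Sign(priv ed25519.PrivateKey, id, cmd string) SignedCommand {
	c := SignedCommand{ID: id, Command: cmd}
	c.Sig = ed25519.Sign(priv, canonical(c))
	return c
}

// Verify is the agent-side gate. pub is the panel key pinned under /etc/linuxmdm/;
// any change to ID or Command after signing, or a signature from another key, fails.
func Verify(pub ed25519.PublicKey, c SignedCommand) error {
	if len(pub) != ed25519.PublicKeySize || len(c.Sig) != ed25519.SignatureSize {
		return errors.New("malformed key or signature") // ed25519.Verify would panic
	}
	if !ed25519.Verify(pub, canonical(c), c.Sig) {
		return errors.New("signature mismatch: command not executed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo keys, not the vendor's
	c := Sign(priv, "cmd-1", "__linuxmdm_uninstall__")
	fmt.Println("genuine:", Verify(pub, c))
	c.Command = "uname -a" // altered after signing: must be rejected
	fmt.Println("tampered:", Verify(pub, c))
}
```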

## Why it exhibits anti-tamper behaviour

Anti-tamper is a **defining feature** for endpoint management agents —
the whole point is that an attacker who compromises the host cannot
simply remove the agent and hide. Specifically, this product:

- Sets `chattr +i` (immutable file attribute) on its binaries and
  service files, so `rm` fails until the flag is lifted.
- Runs a watchdog process (`linux-monitor`) that re-installs the agent
  binary if it's deleted or modified.
- Registers a systemd Path unit (`linux-sensor-restore.path`) that
  fires on filesystem changes to the binary path.
- Maintains multiple backup copies in legitimate paths under
  `/var/lib/linuxmdm/recovery/`, `/usr/share/linuxmdm/`, and a
  recovery archive on `/boot` (extracted at boot via dracut /
  initramfs-tools hook).
- Uses BPF kprobes on `security_inode_unlink` /
  `security_inode_rename` to detect tampering attempts in real time.

These are **all standard EDR techniques** used by every commercial
endpoint security product. They are not malware tactics.

## Legitimate uninstall path

The customer can uninstall via:

1. The management panel (admin clicks "Forget" on the server, panel
   issues a signed `__linuxmdm_uninstall__` command).
2. On the host directly:
   `linux-sensor uninstall --token <unenroll-token>`
   The unenroll-token was emitted at install time and is required.
3. Standard package manager: `apt-get remove --purge linux-sensor`
   or `dnf remove linux-sensor`.

The package's `preremove` hook clears `chattr +i` and stops services
cleanly so package-manager removal works without manual intervention.

## File / directory inventory

| Path | Purpose |
|---|---|
| `/usr/local/bin/linux-sensor` | Main agent binary |
| `/usr/local/bin/linux-monitor` | Watchdog binary |
| `/etc/systemd/system/linux-sensor.service` | systemd unit |
| `/etc/systemd/system/linux-monitor.service` | systemd unit |
| `/etc/systemd/system/linux-sensor-restore.path` | path-watcher |
| `/etc/systemd/system/linux-sensor-restore.service` | recovery trigger |
| `/etc/cron.d/linux-sensor` | cron-based safety net |
| `/etc/linuxmdm/` | runtime config (signing keys, agent ID) |
| `/var/lib/linuxmdm/` | runtime state (checksums, audit) |
| `/var/lib/linuxmdm/recovery/` | binary backup copies |
| `/usr/share/linuxmdm/` | bundled assets, recovery archives |
| `/usr/share/linuxmdm/restore.sh` | recovery script |
| `/usr/share/linuxmdm/MANIFEST.txt` | shipped file list with hashes |
| `/boot/linuxmdm-recovery.tar.gz` | initramfs recovery archive (optional) |

## Network behaviour

- Outbound TLS (HTTPS + WSS) connections **only** to the customer's
  configured panel domain, e.g. `prv.linuxmdm.com`. Domain is set at
  install time and stored in `/etc/linuxmdm/install.env`.
- No outbound connections to any other host.
- No raw sockets, no kernel module load.

## False-positive reporting

If a heuristic / behavioural scanner has flagged this agent, please:

1. Verify the binary's SHA256 matches the corresponding entry in
   `/usr/share/linuxmdm/MANIFEST.txt`.
2. Email `[email protected]` with: hostname, AV product + version,
   matching detection name, and the binary hash.

We will work with you to add the binary to your vendor allowlist.
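Step 1 above, the hash check against `MANIFEST.txt`, as an added example in Go (not the vendor's tooling): it parses the manifest and reports each listed path as `ok`, `mismatch` or `missing` relative to a root directory, so it can run on a live host or against an unpacked package. The `sha256sum`-style line format (`<hex>  <path>`) is an assumption; the notice does not document the manifest layout.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ParseManifest reads "<sha256-hex>  <path>" lines (assumed layout) into path -> hash.
func ParseManifest(text string) map[string]string {
	want := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != 64 {
			continue // blank or malformed entry: never treat it as a valid hash
		}
		want[f[1]] = strings.ToLower(f[0])
	}
	return want
}

// Audit hashes each manifest path under root ("/" on a live host, or a directory
// holding an unpacked package) and reports "ok", "mismatch" or "missing" per path.
func Audit(root string, want map[string]string) map[string]string {
	out := map[string]string{}
	for p, sum := range want {
		data, err := os.ReadFile(filepath.Join(root, p))
		if err != nil {
			out[p] = "missing"
			continue
		}
		h := sha256.Sum256(data)
		out[p] = "mismatch" // a mismatch is the tampering signal the notice describes
		if hex.EncodeToString(h[:]) == sum {
			out[p] = "ok"
		}
	}
	return out
}

func main() { // stand-alone use on a live host: audit the shipped manifest against /
	data, err := os.ReadFile("/usr/share/linuxmdm/MANIFEST.txt")
	if err == nil {
		for p, s := range Audit("/", ParseManifest(string(data))) {
			fmt.Println(s, p)
		}
	}
}
```

Because `MANIFEST.txt` ships in the same package tree as the binaries, a match only shows the installation is internally consistent; compare against a copy of the manifest obtained from the vendor out of band before treating the hashes as authentic.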

## Open contact

- Website: https://norypt.com
- Security issues: [email protected] (PGP-encrypted preferred)
- General contact: [email protected]

---

*This file is shipped as part of every release. If it's missing or
out of date, the binary may have been tampered with — re-install from
a fresh package and report.*