MOON
Server: Apache
System: Linux vmi433716.contaboserver.net 3.10.0-1160.144.1.el7.tuxcare.els4.x86_64 #1 SMP Tue Apr 7 08:40:40 UTC 2026 x86_64
User: affpashacom (1022)
PHP: 8.0.30
Disabled: NONE
File: //usr/share/linux-sensor/MANIFEST.txt
LinuxMDM Agent
==============

This is a legitimate Linux fleet management agent installed by the
host owner via the Norypt LinuxMDM panel. It is NOT malware.

If you found this manifest because an antivirus flagged the binary,
please add the agent paths to your AV's ignore list and notify your
AV vendor that this is a known-good enterprise security tool.

  Vendor:        Norypt
  Product:       LinuxMDM Agent
  Source:        https://github.com/norypt-prv/norypt-linuxmdm
  Contact:       [email protected]
  Documentation: https://prv.linuxmdm.com/docs

Files installed
---------------

  /usr/local/bin/linuxmdm-agent      Main daemon
  /usr/local/bin/linuxmdm-watchdog   Companion watchdog
  /etc/systemd/system/linuxmdm-*.service   (on systemd hosts)
  /etc/init.d/linuxmdm-agent
  /etc/init.d/linuxmdm-watchdog
  /etc/cron.d/linuxmdm               Per-minute liveness check
  /var/lib/linuxmdm/                 Encrypted config + checksums
  /usr/share/linuxmdm/               This manifest + binary backups

Tamper-resistance features (intentional)
----------------------------------------

The MDM is designed to survive removal attempts so a compromised
admin account cannot silently disable fleet management:

  - chattr +i on protected files
  - Watchdog daemon respawns the main agent
  - Cron entry calls `linuxmdm-watchdog --once` every minute
  - eBPF kprobes detect unlink/rename of protected files
  - Self-update path is HMAC-signed; SHA-256 verified before swap
  - /boot recovery archive can re-deploy the agent if root is wiped
    (opt-in; activated by `dracut -f` or `update-initramfs -u`)
  - HMAC-signed checksums.json detects local tampering
  - TPM-bound config encryption (where TPM is present)

These features are present in commercial EDR products from
CrowdStrike, SentinelOne, Tanium, Datadog, and others. They are
NOT rootkit behavior — they are tamper-resistance for legitimate
enterprise security tooling.

How to remove (requires root)
-----------------------------

  sudo linuxmdm-agent uninstall --token <unenroll-token>

The unenroll token is shown ONCE at install time and is recoverable
from the panel's Settings → Server detail page.

Legitimacy verification
-----------------------

  /usr/local/bin/linuxmdm-agent vendor-info
  /usr/local/bin/linuxmdm-agent version

  rpm -V linuxmdm-agent              # if installed via .rpm
  dpkg -V linuxmdm-agent             # if installed via .deb
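
Added triage example (not part of the captured manifest, and not code from any
Norypt/"LinuxMDM" project): the manifest's own "Legitimacy verification" steps
and its tokened `uninstall` all execute the suspect binary, and `rpm -V` /
`dpkg -V` only verify against a package the installer itself registered, so a
responder wants an independent read of the host. The script below walks the
persistence mechanisms listed under "Tamper-resistance features" (immutable
bit, watchdog/cron hook, kprobes, initramfs payload) using only the paths the
manifest itself declares, without running anything from /usr/local/bin. The
function names, the ROOT prefix and the constructed test tree are assumptions
of this example; the file paths and feature names are copied from the manifest.

```sh
#!/bin/sh
# Added host-triage example: not part of the captured manifest and not code from
# any "LinuxMDM"/Norypt project. It checks for the artefacts and persistence
# mechanisms the manifest itself declares, using only paths taken from the
# manifest, and never executes the agent binary. ROOT is an assumed prefix
# (empty = live host) so the same checks run against a mounted image or a
# constructed test directory.

ROOT="${ROOT:-}"

# Static paths from the manifest's "Files installed" section; the systemd units
# are given there as a glob, so that part is expanded under ROOT.
declared_paths() {
    cat <<'EOF'
/usr/local/bin/linuxmdm-agent
/usr/local/bin/linuxmdm-watchdog
/etc/init.d/linuxmdm-agent
/etc/init.d/linuxmdm-watchdog
/etc/cron.d/linuxmdm
/var/lib/linuxmdm
/usr/share/linuxmdm
EOF
    for u in "$ROOT"/etc/systemd/system/linuxmdm-*.service; do
        if [ -e "$u" ]; then printf '%s\n' "${u#"$ROOT"}"; fi
    done
}

# "present PATH" / "absent PATH" for every declared artefact.
present_paths() {
    declared_paths | while IFS= read -r p; do
        if [ -e "$ROOT$p" ]; then echo "present $p"; else echo "absent $p"; fi
    done
}

# Number of declared artefacts found under ROOT (a non-zero value is the alert).
present_count() {
    present_paths | grep -c '^present ' || true
}

# The manifest's "chattr +i": lsattr shows an 'i' in the flag field. Reports
# "unknown" when lsattr is absent or the filesystem has no attribute support.
immutable_state() {
    f="$ROOT$1"
    if ! command -v lsattr >/dev/null 2>&1; then echo unknown; return 0; fi
    flags=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
    case "$flags" in
        "")  echo unknown ;;
        *i*) echo immutable ;;
        *)   echo mutable ;;
    esac
}

# rpm -V / dpkg -V only verify a package the installer registered. Whether the
# path is owned by any package at all is the better question. rpm is queried
# inside ROOT via --root; dpkg is queried against the live database.
package_owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf --root "${ROOT:-/}" "$1" 2>/dev/null || echo "unowned (rpm)"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$ROOT$1" 2>/dev/null || echo "unowned (dpkg)"
    else
        echo unknown
    fi
}

# Per-minute liveness hook from the manifest: show the scheduled command.
cron_entry() {
    if [ -f "$ROOT/etc/cron.d/linuxmdm" ]; then cat "$ROOT/etc/cron.d/linuxmdm"
    else echo "no cron.d entry"; fi
}

# "eBPF kprobes on unlink/rename": on a live host the registered kprobes are
# listed in kprobe_events (needs debugfs and root). Skipped for offline ROOTs.
kprobe_hooks() {
    ev=/sys/kernel/debug/tracing/kprobe_events
    if [ -n "$ROOT" ] || [ ! -r "$ev" ]; then echo "kprobe_events not readable"; return 0; fi
    grep -E 'unlink|rename' "$ev" || echo "no unlink/rename kprobes registered"
}

# "/boot recovery archive": lsinitrd (dracut, as on this el7 host) lists an
# initramfs without unpacking it, so a re-deploy payload shows up by name.
initramfs_contents() {
    img="$ROOT/boot/initramfs-$(uname -r).img"
    if ! command -v lsinitrd >/dev/null 2>&1 || [ ! -f "$img" ]; then
        echo "initramfs not checked"; return 0
    fi
    lsinitrd "$img" | grep -i linuxmdm || echo "no linuxmdm entries in $img"
}

triage() {
    echo "== declared artefacts =="; present_paths
    echo "== immutable bit =="
    for p in /usr/local/bin/linuxmdm-agent /usr/local/bin/linuxmdm-watchdog /etc/cron.d/linuxmdm; do
        echo "$p: $(immutable_state "$p")"
    done
    echo "== package ownership =="
    echo "/usr/local/bin/linuxmdm-agent: $(package_owner /usr/local/bin/linuxmdm-agent)"
    echo "== cron.d =="; cron_entry
    echo "== kprobes =="; kprobe_hooks
    echo "== initramfs =="; initramfs_contents
}

# Usage:  sh triage.sh --run                  (live host, as root)
#         ROOT=/mnt/image sh triage.sh --run  (mounted disk image)
if [ "${1:-}" = "--run" ]; then triage; fi
```

Two practical notes. First, the manifest was opened from a webshell session at
/usr/share/linux-sensor/MANIFEST.txt, not the /usr/share/linuxmdm/ it declares,
so on a real host do not stop at the declared list: a filesystem search for
both names (linuxmdm and linux-sensor) outside those paths is the minimum
follow-up. Second, the script only reads; removal of an immutable file needs
`chattr -i` first, and the cron entry and watchdog must go before the agent
binary or the manifest's own description says the agent will be respawned.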

Antivirus vendor whitelist requests
-----------------------------------

If you operate an antivirus or endpoint-security product that
flags the LinuxMDM Agent binary, please submit a false-positive
report to your vendor and CC [email protected] so we can
coordinate a vendor-list update on our side.