Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

Hello,

I woke up this morning to see 90% of my system's CPU being used by a command which
top simply showed as 'perl', running under UID 'postgres'. Strangely enough, the
pid of the process didn't show up in a 'ps axwww' listing. I checked
/proc/<pid>/cmdline, which said /usr/bin/sshd! I immediately disconnected my
system from the net.

Now, I admit I know very little about diagnosing security, so I don't know what
all of this meant. I ran chkrootkit and I got:

....
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac 
/usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac 
/lib/.libgcrypt.so.11.hmac
....

After that I did:
[root@laptop ~]# ls -l /usr/lib/.libssl.so.1*
-rw-r--r-- 1 root root 65 2010-06-04 19:59 /usr/lib/.libssl.so.1.0.0a.hmac
lrwxrwxrwx 1 root root 22 2010-07-08 21:33 /usr/lib/.libssl.so.10.hmac -> .libssl.so.1.0.0a.hmac
[root@laptop ~]# rpm -qf /usr/lib/.libssl.so.1*
openssl-1.0.0a-1.fc12.i686
openssl-1.0.0a-1.fc12.i686

So now I am wondering why there would be a '.anything' under lib. I do not
install from any 3rd party repos except rpmfusion. I have gpg check enabled, so
I'm pretty sure this came from official Fedora repos.

My question is: why do these files exist, and if they are valid, should this be
filed as a bug against chkrootkit so that it doesn't show them as 'suspicious' files?

In any case, I'm keeping my system offline and will try to figure out what
actually happened to it; worst case, I'll just reinstall. The system is just my
dev box which, although a bit of a pain, I don't mind recreating.

I'd appreciate any thoughts/comments on this matter.

cheers,
- steve

PS: Just incidentally, since this happened, I was wondering whether anyone could
suggest a good document that introduces the basics of figuring out whether your
system has been compromised and, if it has, how to go about understanding how?
-- 
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
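Two checks a defender would run after the symptoms described in the post above, as an added example that is not part of the original thread. The .hmac files are the FIPS integrity checksums that Fedora's openssl package installs beside the libraries, so rpm -qf naming openssl is the expected answer; the questions that actually matter are whether any PID is visible in /proc but missing from ps (the classic process-hiding rootkit sign) and whether the owning package's files still verify. The file paths and package name are the ones quoted in the post; the rpm -V sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Print PIDs in the /proc list ($1) that are absent from the ps list ($2).
# Both are newline-separated so the logic can run on constructed data.
# A process that exits between the two snapshots shows up as a false
# positive, so re-run and look for a PID that stays hidden.
hidden_pids() {
    printf '%s\n' "$1" | awk -v seen="$2" '
        BEGIN { n = split(seen, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF && !($1 in ok)'
}

# Interpret one "rpm -V" line such as "S.5....T.  /usr/lib/.libssl.so.10.hmac":
# 5 = digest differs, S = size differs, L = symlink target differs (content
# changed); other flags (M mode, U/G owner, T mtime) are attribute changes;
# "missing" means the file is gone; an empty line means rpm found nothing wrong.
verify_status() {
    set -- $1
    case ${1:-} in
        "")          echo clean ;;
        missing)     echo missing ;;
        *5*|*S*|*L*) echo content-changed ;;
        *)           echo attributes-changed ;;
    esac
}

# Live run (Linux only): compare /proc with ps, then verify the package that
# owns each path chkrootkit flagged. A path no package claims is "unowned".
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    in_proc=$(ls /proc | grep -x '[0-9]*')
    by_ps=$(ps -eo pid= | tr -d ' ')
    hidden_pids "$in_proc" "$by_ps" | sed 's/^/hidden from ps: pid /'
fi
if command -v rpm >/dev/null 2>&1; then
    for f in /usr/lib/.libssl.so.10.hmac /usr/lib/.libcrypto.so.10.hmac; do
        pkg=$(rpm -qf -- "$f" 2>/dev/null) || { echo "unowned: $f"; continue; }
        line=$(rpm -V "$pkg" 2>/dev/null | grep -F -- " $f")
        echo "$f owned by $pkg: $(verify_status "$line")"
    done
fi
```

On the box in the post, a hidden PID with cmdline /usr/bin/sshd is the finding to chase; the .hmac files are only worth attention if rpm -V reports them changed or unowned.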
