Re: Why do /usr/lib/.libssl.so.1*.hmac file exist on my system ?

On 08/16/2010 09:25 AM, JD wrote:
>    On 08/15/2010 08:46 PM, steve wrote:
>>  PS: Just incidentally, since this happened, I was wondering whether anyone could
>>  suggest a good document that introduces the basics of figuring out whether your
>>  system has been compromised and how to go about understanding how, if it has ?
> Since ssh was involved,  search
> /var/log/messages*  and
> /var/log/secure*
>
> and find out who was able to log in via ssh and run
> that process

Thanks JD. Yes, my system was compromised :-/. I'm to blame: although my system
was online with sshd running, the postgres user password was guessable! Like I
said, the box is unimportant, so I don't mind recreating it... lesson learned.

details:
(from /var/log/secure-20100815)
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres

[root@laptop pgsql]# ls -la /var/lib/pgsql/
...
-rw-r--r--   1 postgres postgres 1895122 2010-08-06 04:45 W2Ksp3.exe
drwxr-xr-x   4 postgres postgres    4096 2010-08-15 04:29 .x
...

[root@laptop pgsql]# ls -l /var/lib/pgsql/.x/
...
[a bunch of perl scripts and some stripped static binaries]
...


Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, Google tells
me that these files contain the HMAC checksum of the OpenSSL libraries. So, that
was a false positive by chkrootkit.

cheers,
- steve

-- 
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
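JD's advice above (search /var/log/secure* for who logged in via ssh) can be turned into a small triage script. The following is an added example, not code from the thread or from any Fedora tool: it parses sshd lines in the /var/log/secure format, tallies failed and accepted logins per user and source, counts sftp subsystem requests, and flags accepted logins for accounts that should never log in interactively. The sample log text is constructed (the four lines from the post plus made-up failures and a second, benign login), and the SERVICE_ACCOUNTS set is an assumption you would adjust for your own box.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure format. The postgres lines mirror the
# post; the failed attempts and the "steve" login are made up for illustration.
SAMPLE_SECURE = """\
Aug 15 03:40:01 laptop sshd[21700]: Failed password for postgres from 109.53.25.64 port 50190 ssh2
Aug 15 03:40:03 laptop sshd[21700]: Failed password for postgres from 109.53.25.64 port 50190 ssh2
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres
Aug 15 09:12:10 laptop sshd[22010]: Accepted publickey for steve from 192.168.1.20 port 41022 ssh2
Aug 15 09:12:10 laptop sshd[22010]: pam_unix(sshd:session): session opened for user steve by (uid=0)
"""

# Assumed list of daemon accounts that should never have an interactive ssh session.
SERVICE_ACCOUNTS = {"postgres", "mysql", "apache", "nobody"}

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
SFTP_RE = re.compile(r"sshd\[\d+\]: subsystem request for sftp")


def parse_sshd_log(text):
    """Collect accepted logins, failed-password counts per (user, ip), and sftp requests."""
    accepted = []
    failed = defaultdict(int)
    sftp_requests = 0
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groupdict())
            continue
        m = FAILED_RE.search(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
            continue
        if SFTP_RE.search(line):
            # Note: the sftp request is logged by a child pid, so it cannot be
            # tied to a session by pid alone; we only count it here.
            sftp_requests += 1
    return {"accepted": accepted, "failed": dict(failed), "sftp_requests": sftp_requests}


def suspicious_logins(parsed, service_accounts=SERVICE_ACCOUNTS):
    """Return (timestamp, user, ip, reasons) for each accepted login worth a look."""
    flags = []
    for ev in parsed["accepted"]:
        reasons = []
        if ev["user"] in service_accounts:
            reasons.append("service account logged in")
        if ev["method"] == "password":
            reasons.append("password auth")
        prior = parsed["failed"].get((ev["user"], ev["ip"]), 0)
        if prior:
            reasons.append(f"{prior} prior failures from same source")
        if reasons:
            flags.append((ev["ts"], ev["user"], ev["ip"], reasons))
    return flags


if __name__ == "__main__":
    parsed = parse_sshd_log(SAMPLE_SECURE)
    print(f"accepted logins: {len(parsed['accepted'])}, sftp requests: {parsed['sftp_requests']}")
    for ts, user, ip, reasons in suspicious_logins(parsed):
        print(f"{ts} {user} from {ip}: {'; '.join(reasons)}")
```

Run it against the real files with `parse_sshd_log(open("/var/log/secure-20100815").read())`; on the sample it reports only the postgres login, with all three reasons, while the key-based login for a normal user is left alone.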
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
