Hello,

I woke up this morning to see 90% of my system's CPU being used by a command which top simply showed as 'perl', running under UID 'postgres'. Strangely enough, the pid of the process didn't show up in a 'ps axwww' listing. I checked /proc/<pid>/cmdline, which said /usr/bin/sshd ! I immediately disconnected my system from the net.

Now, I admit I know very little about diagnosing security, so I don't know what all of this meant. I ran chkrootkit and I got:

    ....
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/.libssl.so.1.0.0a.hmac
    /usr/lib/.libssl.so.10.hmac
    /usr/lib/.libcrypto.so.10.hmac
    /usr/lib/.libcrypto.so.1.0.0a.hmac
    /lib/.libgcrypt.so.11.hmac
    ....

After that I did:

    [root@laptop ~]# ls -l /usr/lib/.libssl.so.1*
    -rw-r--r-- 1 root root 65 2010-06-04 19:59 /usr/lib/.libssl.so.1.0.0a.hmac
    lrwxrwxrwx 1 root root 22 2010-07-08 21:33 /usr/lib/.libssl.so.10.hmac -> .libssl.so.1.0.0a.hmac
    [root@laptop ~]# rpm -qf /usr/lib/.libssl.so.1*
    openssl-1.0.0a-1.fc12.i686
    openssl-1.0.0a-1.fc12.i686

So, now, I am wondering why there would be a '.anything' under lib? I do not install from any 3rd party repos except rpmfusion. I have gpg check enabled. So, I'm pretty sure this came from official fedora repos.

My question is why these files exist and, if they are valid, whether this should be a bug against chkrootkit for showing them as 'suspicious' files?

In any case, I'm keeping my system offline and will try to figure out what actually happened on my system; worst case, I'll just reinstall. The system is just my dev. box, which, although a bit of a pain, I don't mind recreating.

I'd appreciate any thoughts/comments on this matter.

cheers,
- steve

PS: Just incidentally, since this happened, I was wondering whether anyone could suggest a good document that introduces the basics of figuring out whether your system has been compromised and, if it has, how to go about understanding how?
--
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
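A triage script added here as an illustration (it is not from the post above, from chkrootkit or from Fedora) of the two checks the post describes: PIDs present in /proc but missing from ps, and whether the flagged .hmac files are owned by a signed package and still match that package's recorded checksums. It assumes a Linux host with procfs and an RPM database; hidden_pids takes its two PID lists as arguments so the logic can be exercised on constructed input.

```shell
#!/bin/sh
# Defender-side triage helper (added example, not part of the original post).
# Assumes: Linux procfs, POSIX ps, and rpm (Fedora). Caveat: ps reads /proc too,
# so this only catches a ps binary or library that lies, not a kernel rootkit
# hiding entries from procfs itself; a short-lived process can also appear in
# one listing and not the other, so re-run before drawing conclusions.

# hidden_pids PROC_LIST PS_LIST: print every PID in PROC_LIST absent from PS_LIST.
# Both arguments are whitespace-separated PID lists.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for p in $proc_list; do
        case " $ps_list " in
            *" $p "*) ;;                  # ps knows about it, fine
            *) printf '%s\n' "$p" ;;      # in /proc but not reported by ps
        esac
    done
}

# Collect the live lists from the running system.
live_proc_pids() { for d in /proc/[0-9]*; do printf '%s ' "${d#/proc/}"; done; }
live_ps_pids()   { ps -e -o pid= | tr -s ' \n' '  '; }

# verify_flagged FILE...: for each path chkrootkit complained about, ask rpm
# which package owns it, then check whether rpm -V lists that file as changed
# from the package manifest (size, mode, digest, ...). An unowned file, or one
# that verifies clean, tells you far more than a leading dot in its name.
verify_flagged() {
    for f in "$@"; do
        if pkg=$(rpm -qf "$f" 2>/dev/null); then
            if rpm -V "$pkg" 2>/dev/null | grep -qF -- " $f"; then
                printf 'MODIFIED %s (owned by %s, differs from manifest)\n' "$f" "$pkg"
            else
                printf 'OK       %s (owned by %s, matches manifest)\n' "$f" "$pkg"
            fi
        else
            printf 'UNOWNED  %s (no installed package claims it)\n' "$f"
        fi
    done
}

# Run the live checks only when invoked with --run, so sourcing is side-effect free.
if [ "${1:-}" = "--run" ]; then
    echo "PIDs visible in /proc but missing from ps:"
    hidden_pids "$(live_proc_pids)" "$(live_ps_pids)"
    verify_flagged /usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac \
        /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac \
        /lib/.libgcrypt.so.11.hmac
fi
```

The file list passed to verify_flagged is the one chkrootkit printed in the post; substitute whatever your own run reports.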