On 08/15/2010 08:46 PM, steve wrote:
> Hello,
>
> I woke up this morning to see my system CPU being used at 90% by a command which
> top simply showed as 'perl', running under UID 'postgres'; strangely enough, the
> pid of the process didn't show up in a 'ps axwww' listing. I checked
> /proc/<pid>/cmdline, which said /usr/bin/sshd! I immediately disconnected my
> system from the net.
>
> Now, I admit I know very little about diagnosing security, so I don't know what
> all of this meant. I ran chkrootkit and I got:
>
> ....
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac
> /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac
> /lib/.libgcrypt.so.11.hmac
> ....
>
> After that I did:
> [root@laptop ~]# ls -l /usr/lib/.libssl.so.1*
> -rw-r--r-- 1 root root 65 2010-06-04 19:59 /usr/lib/.libssl.so.1.0.0a.hmac
> lrwxrwxrwx 1 root root 22 2010-07-08 21:33 /usr/lib/.libssl.so.10.hmac -> .libssl.so.1.0.0a.hmac
> [root@laptop ~]# rpm -qf /usr/lib/.libssl.so.1*
> openssl-1.0.0a-1.fc12.i686
> openssl-1.0.0a-1.fc12.i686
>
> So, now, I am wondering why there would be a '.anything' under lib? I do not
> install from any 3rd party repos except rpmfusion. I have gpg check enabled. So,
> I'm pretty sure this came from official fedora repos.
>
> My question is why do these files exist and, if they are valid, should this be a
> bug against chkrootkit for showing these up as 'suspicious' files?
>
> In any case, I'm keeping my system offline and will try to figure out what
> actually happened on my system; worst case, I'll just reinstall - the system is
> just my dev. box which, although a bit of a pain, I don't mind recreating.
>
> I'll appreciate any thoughts/comments on this matter.
>
> cheers,
> - steve
>
> PS: Just incidentally, since this happened, I was wondering whether anyone could
> suggest a good document that introduces the basics of figuring out whether your
> system has been compromised and how to go about understanding how, if it has?

Since ssh was involved, search /var/log/messages* and /var/log/secure* and find out who was able to log in via ssh and run that process.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines