Re: Why do /usr/lib/.libssl.so.1*.hmac file exist on my system ?

On 08/16/2010 09:25 AM, JD wrote:
>    On 08/15/2010 08:46 PM, steve wrote:
>>  PS: Just incidentally, since this happened, I was wondering whether anyone could
>>  suggest a good document that introduces the basics of figuring out whether your
>>  system has been compromised and how to go about understanding how, if it has?
> Since ssh was involved,  search
> /var/log/messages*  and
> /var/log/secure*
>
> and find out who was able to log in via ssh and run
> that process

Thanks JD. Yes, my system was compromised :-/. I'm to blame: although my system 
was online with sshd running, the postgres user's password was guessable! Like I 
said, the box is unimportant so I don't mind recreating ... lesson learned.

details:
(from /var/log/secure-20100815)
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres

[root@laptop pgsql]# ls -la /var/lib/pgsql/
...
-rw-r--r--   1 postgres postgres 1895122 2010-08-06 04:45 W2Ksp3.exe
drwxr-xr-x   4 postgres postgres    4096 2010-08-15 04:29 .x
...

[root@laptop pgsql]# ls -l /var/lib/pgsql/.x/
...
[a bunch of perl scripts and some stripped static binaries]
...


Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, google tells 
me that these files contain the HMAC checksum of the openssl libraries. So, that 
was a false positive by chkrootkit.

cheers,
- steve

-- 
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
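Added example, not part of the thread: a small script that does JD's triage step (search /var/log/secure* for who got in over ssh) and flags the kind of session steve found. It parses the "Accepted", "Failed password" and pam_unix session lines that OpenSSH writes on Fedora, groups them by sshd pid, and reports sessions that are a service account logging in, a password login from outside a trusted network, or a source address with a run of prior failures. The embedded sample reproduces the three sshd lines from the post (unwrapped onto one line each) plus constructed failed-login and benign-login lines; the service-account list, the trusted network 192.168.1.0/24 and the failure threshold are assumptions for the example, not from the page.

```python
"""Triage sshd logins in /var/log/secure after a suspected compromise.

Added example, not code from the original post. Assumes syslog-style lines
as written by OpenSSH + pam_unix on Fedora (one event per line).
"""
import ipaddress
import re
import sys
from collections import Counter

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
ACCEPTED = re.compile(TS + r' \S+ sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) '
                      r'for (?P<user>\S+) from (?P<ip>\S+) port \d+')
FAILED = re.compile(TS + r' \S+ sshd\[\d+\]: Failed (?P<method>\S+) for '
                    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')
SESSION = re.compile(TS + r' \S+ sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): '
                     r'session (?P<state>opened|closed) for user (?P<user>\S+)')

# Accounts that should never log in over ssh (assumed list for the example).
SERVICE_ACCOUNTS = {"postgres", "mysql", "apache", "nobody", "daemon", "bin"}

# Constructed sample: the three sshd lines from the post, surrounded by
# constructed failed attempts from the same source and a benign key login.
SAMPLE = """\
Aug 15 03:41:02 laptop sshd[21740]: Failed password for root from 109.53.25.64 port 49871 ssh2
Aug 15 03:41:05 laptop sshd[21740]: Failed password for root from 109.53.25.64 port 49871 ssh2
Aug 15 03:42:11 laptop sshd[21743]: Failed password for invalid user admin from 109.53.25.64 port 49902 ssh2
Aug 15 03:43:20 laptop sshd[21746]: Failed password for postgres from 109.53.25.64 port 50101 ssh2
Aug 15 03:43:24 laptop sshd[21746]: Failed password for postgres from 109.53.25.64 port 50101 ssh2
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres
Aug 15 09:10:00 laptop sshd[22010]: Accepted publickey for steve from 192.168.1.10 port 51000 ssh2
Aug 15 09:10:00 laptop sshd[22010]: pam_unix(sshd:session): session opened for user steve by (uid=0)
"""


def parse_secure(lines):
    """Return (sessions, failures).

    sessions: dict keyed by sshd pid -> user, ip, method, accept/open/close times.
    failures: Counter of (ip, user) -> number of failed authentications.
    """
    sessions = {}
    failures = Counter()
    for line in lines:
        line = line.rstrip("\n")
        m = ACCEPTED.match(line)
        if m:
            sessions[m["pid"]] = {"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                                  "method": m["method"], "opened": None, "closed": None}
            continue
        m = FAILED.match(line)
        if m:
            failures[(m["ip"], m["user"])] += 1
            continue
        m = SESSION.match(line)
        if m and m["pid"] in sessions:
            # pam_unix open/close lines carry the same pid as the Accepted line.
            sessions[m["pid"]][m["state"]] = m["ts"]
    return sessions, failures


def find_suspicious(sessions, failures, trusted_nets=(), service_accounts=SERVICE_ACCOUNTS,
                    brute_threshold=5):
    """Flag sessions worth a closer look; each finding carries the reasons."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for pid, s in sessions.items():
        ip = ipaddress.ip_address(s["ip"])
        reasons = []
        if s["user"] in service_accounts:
            reasons.append("service account %s logged in over ssh" % s["user"])
        if s["method"] == "password" and trusted and not any(ip in n for n in trusted):
            reasons.append("password auth from outside trusted networks")
        prior = sum(n for (fip, _u), n in failures.items() if fip == s["ip"])
        if prior >= brute_threshold:
            reasons.append("source had %d failed logins (brute force?)" % prior)
        if reasons:
            findings.append(dict(pid=pid, reasons=reasons, **s))
    return findings


if __name__ == "__main__":
    # Usage: python3 triage_secure.py /var/log/secure /var/log/secure-20100815 ...
    # With no arguments the embedded sample is used.
    text = "".join(open(f).read() for f in sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    sess, fails = parse_secure(text.splitlines())
    for f in find_suspicious(sess, fails, trusted_nets=["192.168.1.0/24"]):
        print("%s sshd[%s] %s from %s (%s) opened=%s closed=%s" %
              (f["ts"], f["pid"], f["user"], f["ip"], f["method"], f["opened"], f["closed"]))
        for r in f["reasons"]:
            print("    - " + r)
```

On the sample this reports the single postgres session (sshd pid 21749) with all three reasons and stays quiet about the key-based login from the LAN. The sftp "subsystem request" line is logged under the child pid, so it is not tied to the session here; grep for it separately when you need to know whether the login was used to upload files, as the W2Ksp3.exe and .x/ entries in the post suggest. For the .hmac question, `rpm -qf /usr/lib/.libssl.so.*.hmac` shows which package owns the files, and `rpm -V` on that package compares them against the installed package's own checksums.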