Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

JD jd1008 at gmail.com
Mon Aug 16 03:55:19 UTC 2010


  On 08/15/2010 08:46 PM, steve wrote:
> Hello,
>
> I woke up this morning to see my system CPU being used at 90% by a command which
> top simply showed as 'perl', running under UID 'postgres'; strangely enough, the
> pid of the process didn't show up in a 'ps axwww' listing. I checked
> /proc/<pid>/cmdline, which said /usr/bin/sshd! I immediately disconnected my
> system from the net.
>
> Now, I admit I know very little about diagnosing security, so I don't know what
> all of this meant. I ran chkrootkit and I got:
>
> ....
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac
> /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac
> /lib/.libgcrypt.so.11.hmac
> ....
>
> After that I did:
> [root at laptop ~]# ls -l /usr/lib/.libssl.so.1*
> -rw-r--r-- 1 root root 65 2010-06-04 19:59 /usr/lib/.libssl.so.1.0.0a.hmac
> lrwxrwxrwx 1 root root 22 2010-07-08 21:33 /usr/lib/.libssl.so.10.hmac ->
> .libssl.so.1.0.0a.hmac
> [root at laptop ~]# rpm -qf /usr/lib/.libssl.so.1*
> openssl-1.0.0a-1.fc12.i686
> openssl-1.0.0a-1.fc12.i686
>
> So, now, I am wondering why there would be a '.anything' under lib? I do not
> install from any 3rd party repos except rpmfusion. I have gpg check enabled. So
> I'm pretty sure this came from official Fedora repos.
>
> My question is why these files exist and, if they are valid, should this be a
> bug against chkrootkit so that it does not show them as 'suspicious' files?
>
> In any case, I'm keeping my system offline and will try to figure out what
> actually happened on my system, worst case, I'll just reinstall - the system is
> just my dev. box which although a bit of a pain, I don't mind recreating.
>
> I'll appreciate any thoughts/comments on this matter.
>
> cheers,
> - steve
>
> PS: Just incidentally, since this happened, I was wondering whether anyone could
> suggest a good document that introduces the basics of figuring out whether your
> system has been compromised and how to go about understanding how, if it has ?
Since ssh was involved, search
/var/log/messages* and
/var/log/secure*

and find out who was able to log in via ssh and run
that process.
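As an added example (not part of the thread), one way to do the log search suggested above: two small shell functions that summarise accepted and failed sshd logins from /var/log/secure-style files, run here against a constructed sample log rather than a real one.

```shell
#!/bin/sh
# Added example: summarise sshd activity from /var/log/secure-style files.
# Accepted logins are grouped by user, source address and auth method, so an
# unexpected account (such as "postgres") logging in over ssh stands out;
# failed attempts are grouped by source address to expose password guessing.

# Print one line per (user, source, method) with the number of accepted logins.
ssh_accepted() {
    cat -- "$@" | grep 'sshd\[[0-9]*\]: Accepted ' \
    | awk '{ n[$9 " from " $11 " via " $7]++ }
           END { for (k in n) print k ": " n[k] }' \
    | sort
}

# Print one line per source address with the number of failed attempts,
# handling both "Failed password for USER" and "... for invalid user USER".
ssh_failed() {
    cat -- "$@" | grep 'sshd\[[0-9]*\]: Failed ' \
    | awk '{ ip = ($9 == "invalid") ? $13 : $11; n[ip]++ }
           END { for (k in n) print k ": " n[k] }' \
    | sort
}

# Constructed sample in the syslog format sshd uses on Fedora; not real log data.
SAMPLE_SECURE=$(mktemp)
cat > "$SAMPLE_SECURE" <<'EOF'
Aug 15 02:11:40 laptop sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Aug 15 02:11:44 laptop sshd[2201]: Failed password for root from 198.51.100.7 port 40013 ssh2
Aug 15 02:13:02 laptop sshd[2210]: Accepted password for postgres from 198.51.100.7 port 40020 ssh2
Aug 15 02:13:02 laptop sshd[2210]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 09:02:17 laptop sshd[2388]: Accepted publickey for steve from 192.0.2.10 port 51002 ssh2
Aug 15 09:40:51 laptop sshd[2407]: Accepted password for postgres from 198.51.100.7 port 40111 ssh2
EOF

# Stand-alone usage: on a real system pass /var/log/secure* instead of the sample.
ssh_accepted "$SAMPLE_SECURE"
ssh_failed "$SAMPLE_SECURE"
```

Rotated logs (/var/log/secure-20100815 and similar) can be passed alongside the current file, since both functions accept any number of file arguments.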

