Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

steve steve at lonetwin.net
Mon Aug 16 04:25:32 UTC 2010


On 08/16/2010 09:25 AM, JD wrote:
>    On 08/15/2010 08:46 PM, steve wrote:
>>  PS: Just incidentally, since this happened, I was wondering whether anyone could
>>  suggest a good document that introduces the basics of figuring out whether your
>>  system has been compromised and how to go about understanding how, if it has ?
> Since ssh was involved,  search
> /var/log/messages*  and
> /var/log/secure*
>
> and find out who was able to log in via ssh and run
> that process

Thanks JD. Yes, my system was compromised :-/. I'm to blame; my system was online
with sshd running, and the postgres user password was guessable! Like I said, the
box is unimportant so I don't mind recreating it... lesson learned.

details:
(from /var/log/secure-20100815)
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres

[root at laptop pgsql]# ls -la /var/lib/pgsql/
...
-rw-r--r--   1 postgres postgres 1895122 2010-08-06 04:45 W2Ksp3.exe
drwxr-xr-x   4 postgres postgres    4096 2010-08-15 04:29 .x
...

[root at laptop pgsql]# ls -l /var/lib/pgsql/.x/
...
[a bunch of perl scripts and some stripped static binaries]
...


Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, Google tells
me that these files contain the HMAC checksum of the OpenSSL libraries. So, that
was a false positive by chkrootkit.

cheers,
- steve

-- 
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
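The /var/log/secure check JD suggests can be scripted. The following is an added example, not code from the thread: it parses sshd "Accepted" lines of the format shown in the excerpt and flags password logins to service accounts, the exact pattern that let the attacker in here. The sample log lines are constructed (documentation IP ranges) and the service-account list is an assumption to adapt per system.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Matches sshd's "Accepted <method> for <user> from <ip> port <port> ssh2"
# as written to /var/log/secure (syslog timestamp, host, sshd[pid] prefix).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Daemon accounts that should never log in over ssh at all.
# Assumed list; extend it to match the accounts on the system being checked.
SERVICE_ACCOUNTS = {"postgres", "mysql", "apache", "nobody", "www-data"}


def parse_accepted_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per successful sshd authentication; other lines are skipped."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if m:
            logins.append(m.groupdict())
    return logins


def suspicious_logins(logins, service_accounts=SERVICE_ACCOUNTS):
    """Password logins to service accounts: the combination seen in the post."""
    return [rec for rec in logins
            if rec["user"] in service_accounts and rec["method"] == "password"]


def logins_by_user_and_source(logins) -> Counter:
    """Tally (user, source IP) pairs so unexpected sources stand out."""
    return Counter((rec["user"], rec["src"]) for rec in logins)


# Constructed sample modelled on the /var/log/secure excerpt above.
SAMPLE_SECURE_LOG = """\
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 203.0.113.7 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres
Aug 15 09:12:01 laptop sshd[21990]: Accepted publickey for steve from 192.0.2.10 port 41022 ssh2
Aug 15 09:30:44 laptop sshd[22012]: Failed password for root from 203.0.113.7 port 50310 ssh2
""".splitlines()

if __name__ == "__main__":
    found = parse_accepted_logins(SAMPLE_SECURE_LOG)
    for rec in suspicious_logins(found):
        print(f"{rec['ts']} service account {rec['user']} logged in by "
              f"{rec['method']} from {rec['src']}")
```

On a real box, feed it `open("/var/log/secure-20100815")` instead of the sample; the rotated files named in the post (`/var/log/secure*`) use the same line format.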

