Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

Michael Schwendt mschwendt at gmail.com
Mon Aug 16 09:37:29 UTC 2010


On Mon, 16 Aug 2010 09:55:32 +0530, steve wrote:

> Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, google tells 
> me that these files contain the HMAC checksum of the openssl libraries.

rpm -qf /usr/lib/.*hmac

> So, that was a false positive by chkrootkit.

Which is in the nature of chkrootkit. Don't rely on it. Many of its tests
are not 100%, but just warn about suspicious file locations or activities
(e.g. a process listening on a port known to be used by some backdoor
trojans), which match a given pattern as defined in chkrootkit. It's the
admin's job to verify the report and to examine a system closer. One could
try to white-list "false positives", albeit by doing that one might run
into the pitfall of getting it wrong.
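
Added example, not part of the original post: a small triage helper for paths that chkrootkit flags. It goes one step beyond the `rpm -qf` ownership query above by also asking `rpm -Vf` whether the file still matches what the package installed. The function name `classify_path` and the `RPM_CMD` variable are assumptions of this example.

```shell
#!/bin/sh
# Triage paths reported by chkrootkit against the RPM database.
# RPM_CMD (hypothetical name) lets you substitute another rpm binary,
# for example a copy taken from trusted rescue media.
RPM_CMD=${RPM_CMD:-rpm}

# classify_path PATH prints one verdict:
#   missing         the file no longer exists
#   unowned         no package claims the file: examine it by hand
#   modified PKG    owned by PKG, but rpm -V reports a deviation
#   ok PKG          owned by PKG and unchanged according to rpm -V
classify_path() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 0; }

    # rpm -qf exits non-zero when no installed package owns the file.
    if ! pkg=$("$RPM_CMD" -qf --qf '%{NAME}\n' "$path" 2>/dev/null); then
        echo "unowned"
        return 0
    fi

    # rpm -V prints one line per deviating file; the last field is the path.
    if "$RPM_CMD" -Vf "$path" 2>/dev/null |
        awk -v p="$path" '$NF == p { found = 1 } END { exit !found }'; then
        echo "modified $pkg"
    else
        echo "ok $pkg"
    fi
}

# Stand-alone use: sh triage.sh /usr/lib/.*hmac
for p in "$@"; do
    printf '%s\t%s\n' "$p" "$(classify_path "$p")"
done
```

A verdict of `ok` is only as trustworthy as the rpm binary that produced it, so on a host that is already suspect, point `RPM_CMD` at a known-good copy.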

