Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?
Michael Schwendt
mschwendt at gmail.com
Mon Aug 16 09:37:29 UTC 2010
On Mon, 16 Aug 2010 09:55:32 +0530, steve wrote:
> Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, google tells
> me that these files contain the HMAC checksum of the openssl libraries.
rpm -qf /usr/lib/.*hmac
> So, that was a false positive by chkrootkit.
Which is in the nature of chkrootkit. Don't rely on it. Many of its tests
are not 100%, but just warn about suspicious file locations or activities
(e.g. a process listening on a port known to be used by some backdoor
trojans), which match a given pattern as defined in chkrootkit. It's the
admin's job to verify the report and to examine a system more closely. One could
try to white-list "false positives", albeit by doing that one might run
into the pitfall of getting it wrong.
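
Added example (not part of the original message): a small triage helper that extends the `rpm -qf` check above by also running `rpm -V` on the owning package, so each path chkrootkit reports is classified as unowned, modified, or matching the package metadata. The function names and the `RPM` override variable are assumptions made for this sketch; the RPM database lives on the same host, so a "verified" result is supporting evidence, not proof.

```shell
#!/bin/sh
# Triage paths reported by chkrootkit against the RPM database.
# RPM is a variable (hypothetical knob of this sketch) so that the logic can
# be exercised with a stub on a machine that has no rpm installed.
RPM=${RPM:-rpm}

# classify_path PATH prints one of:
#   unowned          no package claims the file: examine it by hand
#   modified:<pkg>   owned, but rpm -V lists this path as changed or missing
#   verified:<pkg>   owned, and rpm -V reports no difference for this path
classify_path() {
    path=$1
    # rpm -qf exits non-zero when no installed package owns the file.
    pkg=$("$RPM" -qf --queryformat '%{NAME}\n' "$path" 2>/dev/null) || {
        echo "unowned"
        return 0
    }
    # A file can be owned by more than one package; report the first.
    pkg=$(printf '%s\n' "$pkg" | head -n 1)
    # rpm -V prints one line per file that differs from the recorded size,
    # digest, mode, etc.; the path is the last field of that line.
    if "$RPM" -V "$pkg" 2>/dev/null |
        awk -v p="$path" '$NF == p { found = 1 } END { exit !found }'; then
        echo "modified:$pkg"
    else
        echo "verified:$pkg"
    fi
}

# triage PATH... prints "path<TAB>classification" for every argument.
triage() {
    for f in "$@"; do
        printf '%s\t%s\n' "$f" "$(classify_path "$f")"
    done
}

if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Run it with the paths from the chkrootkit report as arguments, for example `sh triage.sh /usr/lib/.*hmac`.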