08-16-2010, 03:46 AM
steve

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

Hello,

I woke up this morning to see 90% of my system's CPU being used by a command which
top simply showed as 'perl', running under UID 'postgres'; strangely enough, the
pid of the process didn't show up in a 'ps axwww' listing. I checked
/proc/<pid>/cmdline, which said /usr/bin/sshd ! I immediately disconnected my
system from the net.

Now, I admit I know very little about diagnosing security, so I don't know what
all of this meant. I ran chkrootkit and I got:

....
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac
/usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac
/lib/.libgcrypt.so.11.hmac
....

After that I did:
[root@laptop ~]# ls -l /usr/lib/.libssl.so.1*
-rw-r--r-- 1 root root 65 2010-06-04 19:59 /usr/lib/.libssl.so.1.0.0a.hmac
lrwxrwxrwx 1 root root 22 2010-07-08 21:33 /usr/lib/.libssl.so.10.hmac -> .libssl.so.1.0.0a.hmac
[root@laptop ~]# rpm -qf /usr/lib/.libssl.so.1*
openssl-1.0.0a-1.fc12.i686
openssl-1.0.0a-1.fc12.i686

So, now, I am wondering why would there be a '.anything' under lib ? I do not
install from any 3rd party repos except rpmfusion. I have gpg check enabled. So,
I'm pretty sure this came from official fedora repos.

My question is why do these files exist and, if they are valid, should this be a
bug against chkrootkit so that it does not show these up as 'suspicious' files ?

In any case, I'm keeping my system offline and will try to figure out what
actually happened on my system, worst case, I'll just reinstall - the system is
just my dev. box which although a bit of a pain, I don't mind recreating.

I'll appreciate any thoughts/comments on this matter.

cheers,
- steve

PS: Just incidentally, since this happened, I was wondering whether anyone could
suggest a good document that introduces the basics of figuring out whether your
system has been compromised and how to go about understanding how, if it has ?
--
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
08-16-2010, 03:55 AM
JD

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

On 08/15/2010 08:46 PM, steve wrote:
> Hello,
>
> I woke up this morning to see 90% of my system's CPU being used by a command which
> top simply showed as 'perl', running under UID 'postgres'; strangely enough, the
> pid of the process didn't show up in a 'ps axwww' listing. I checked
> /proc/<pid>/cmdline, which said /usr/bin/sshd ! I immediately disconnected my
> system from the net.
>
> Now, I admit I know very little about diagnosing security, so I don't know what
> all of this meant. I ran chkrootkit and I got:
>
> ....
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac
> /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac
> /lib/.libgcrypt.so.11.hmac
> ....
>
> After that I did:
> [root@laptop ~]# ls -l /usr/lib/.libssl.so.1*
> -rw-r--r-- 1 root root 65 2010-06-04 19:59 /usr/lib/.libssl.so.1.0.0a.hmac
> lrwxrwxrwx 1 root root 22 2010-07-08 21:33 /usr/lib/.libssl.so.10.hmac -> .libssl.so.1.0.0a.hmac
> [root@laptop ~]# rpm -qf /usr/lib/.libssl.so.1*
> openssl-1.0.0a-1.fc12.i686
> openssl-1.0.0a-1.fc12.i686
>
> So, now, I am wondering why would there be a '.anything' under lib ? I do not
> install from any 3rd party repos except rpmfusion. I have gpg check enabled. So,
> I'm pretty sure this came from official fedora repos.
>
> My question is why do these files exist and, if they are valid, should this be a
> bug against chkrootkit so that it does not show these up as 'suspicious' files ?
>
> In any case, I'm keeping my system offline and will try to figure out what
> actually happened on my system, worst case, I'll just reinstall - the system is
> just my dev. box which although a bit of a pain, I don't mind recreating.
>
> I'll appreciate any thoughts/comments on this matter.
>
> cheers,
> - steve
>
> PS: Just incidentally, since this happened, I was wondering whether anyone could
> suggest a good document that introduces the basics of figuring out whether your
> system has been compromised and how to go about understanding how, if it has ?
Since ssh was involved, search
/var/log/messages* and
/var/log/secure*

and find out who was able to log in via ssh and run
that process
 
08-16-2010, 04:21 AM
Kevin Fenzi

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

On Mon, 16 Aug 2010 09:16:10 +0530
steve <steve@lonetwin.net> wrote:

...snip...

> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/.libssl.so.1.0.0a.hmac /usr/lib/.libssl.so.10.hmac
> /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libcrypto.so.1.0.0a.hmac
> /lib/.libgcrypt.so.11.hmac

Those are FIPS hmac files. They are shipped with the fedora packages
and do not indicate any tampering.

...snip...

> My question is why do these files exist and, if they are valid, should
> this be a bug against chkrootkit so that it does not show these up as
> 'suspicious' files ?

Yes, it should I would think.

kevin
 
08-16-2010, 04:25 AM
steve

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

On 08/16/2010 09:25 AM, JD wrote:
> On 08/15/2010 08:46 PM, steve wrote:
>> PS: Just incidentally, since this happened, I was wondering whether anyone could
>> suggest a good document that introduces the basics of figuring out whether your
>> system has been compromised and how to go about understanding how, if it has ?
> Since ssh was involved, search
> /var/log/messages* and
> /var/log/secure*
>
> and find out who was able to log in via ssh and run
> that process

Thanks JD. Yes, my system was compromised :-/. I'm to blame, although my system
was online with sshd running, the postgres user password was guessable ! Like I
said, the box is unimportant so I don't mind recreating ...lesson learned.

details:
(from /var/log/secure-20100815)
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres

[root@laptop pgsql]# ls -la /var/lib/pgsql/
...
-rw-r--r-- 1 postgres postgres 1895122 2010-08-06 04:45 W2Ksp3.exe
drwxr-xr-x 4 postgres postgres 4096 2010-08-15 04:29 .x
...

[root@laptop pgsql]# ls -l /var/lib/pgsql/.x/
...
[a bunch of perl scripts and some stripped static binaries]
...


Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, google tells
me that these files contain the HMAC checksum of the openssl libraries. So, that
was a false positive by chkrootkit.

cheers,
- steve

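JD's advice (search /var/log/secure for who logged in over ssh) and the lines steve found can be turned into a repeatable check. The following is an added example, not code from the thread: it parses sshd authentication lines in the /var/log/secure format and flags accepted logins by daemon accounts, or password logins that were preceded by failed attempts from the same address. The sample log lines (modelled on steve's excerpt, with a constructed earlier failure), the SERVICE_ACCOUNTS list and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure format, modelled on the excerpt steve posted
SAMPLE_SECURE_LOG = """\
Aug 15 03:41:12 laptop sshd[21735]: Failed password for postgres from 109.53.25.64 port 50140 ssh2
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 09:12:07 laptop sshd[22001]: Accepted publickey for steve from 192.0.2.10 port 41022 ssh2
"""

# Daemon accounts that should never have an interactive ssh login (assumed list)
SERVICE_ACCOUNTS = {"postgres", "apache", "mysql", "nobody"}

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_events(log_text):
    """Extract sshd Accepted/Failed authentication events, in log order."""
    return [m.groupdict() for m in map(AUTH_RE.match, log_text.splitlines()) if m]


def flag_suspicious_logins(events):
    """Return (timestamp, user, ip, reason) for accepted logins worth a closer look.

    Two signals from the thread: a service account such as postgres logging in
    over ssh at all, and a password accepted after failed attempts from the
    same address (the pattern of a guessed password)."""
    failures = defaultdict(int)  # (user, ip) -> failed attempts seen so far
    flagged = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        reasons = []
        if ev["user"] in SERVICE_ACCOUNTS:
            reasons.append("service account logged in over ssh")
        if ev["method"] == "password" and failures[key]:
            reasons.append(f"password accepted after {failures[key]} failed attempt(s)")
        if reasons:
            flagged.append((ev["ts"], ev["user"], ev["ip"], "; ".join(reasons)))
    return flagged
```

Run it against the real file with `flag_suspicious_logins(parse_auth_events(open("/var/log/secure").read()))`; on the sample it flags only the postgres password login, not steve's key-based one.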
 
08-16-2010, 04:29 AM
Larry Brower

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

steve wrote:

>
> Thanks JD. Yes, my system was compromised :-/. I'm to blame, although my system
> was online with sshd running, the postgres user password was guessable ! Like I
> said, the box is unimportant so I don't mind recreating ...lesson learned.
>

You might consider using AllowGroups or AllowUsers in sshd_config to
restrict who is allowed to login via ssh.


 
08-16-2010, 07:31 AM
steve

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

On 08/16/2010 09:59 AM, Larry Brower wrote:
> steve wrote:
>
>>
>> Thanks JD. Yes, my system was compromised :-/. I'm to blame, although my system
>> was online with sshd running, the postgres user password was guessable ! Like I
>> said, the box is unimportant so I don't mind recreating ...lesson learned.
>>
>
> You might consider using AllowGroups or AllowUsers in sshd_config to
> restrict who is allowed to login via ssh.

Thanks for the suggestion, Larry. I didn't know about that.

cheers,
- steve
 
08-16-2010, 09:37 AM
Michael Schwendt

Why do /usr/lib/.libssl.so.1*.hmac files exist on my system?

On Mon, 16 Aug 2010 09:55:32 +0530, steve wrote:

> Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, google tells
> me that these files contain the HMAC checksum of the openssl libraries.

rpm -qf /usr/lib/.*hmac

> So, that was a false positive by chkrootkit.

Which is in the nature of chkrootkit. Don't rely on it. Many of its tests
are not 100%, but just warn about suspicious file locations or activities
(e.g. a process listening on a port known to be used by some backdoor
trojans), which match a given pattern as defined in chkrootkit. It's the
admin's job to verify the report and to examine a system closer. One could
try to white-list "false positives", albeit by doing that one might run
into the pitfall of getting it wrong.