Thanks Steve. Much appreciated.
On Tue, Mar 11, 2014 at 3:56 PM, Steven Kneizys <[email protected]>wrote: > Here is a diff for it (although tabs may not make it across the email > so it is attached as well): > > --- openssl-1.0.1f_ORIG/crypto/aes/asm/vpaes-x86_64.pl 2014-03-11 > 16:48:36.329545015 -0400 > +++ openssl-1.0.1f/crypto/aes/asm/vpaes-x86_64.pl 2014-03-11 > 16:48:36.329545015 -0400 > @@ -1060,7 +1060,7 @@ > .Lk_dsbo: # decryption sbox final output > .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D > .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C > -.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg > (Stanford University)" > +.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg > (Stanford University)" > .align 64 > .size _vpaes_consts,.-_vpaes_consts > ___ > > On Tue, Mar 11, 2014 at 4:20 PM, Wally <[email protected]> wrote: > > Quite possibly. It is still a typo though ;-) I've notified the folks on > > the rkhunter mailing list as well. Seeing a warning that your sshd > daemon > > has been possibly trojaned can cause a heart beat skip ;-) Thanks for > > checking. > > > > > > On Tue, Mar 11, 2014 at 3:10 PM, Steven Kneizys <[email protected]> > > wrote: > >> > >> I am actually thinking this is an rkhunter bug! :-) > >> > >> > >> On Tue, Mar 11, 2014 at 4:06 PM, Wally <[email protected]> wrote: > >>> > >>> Hi Steve, > >>> > >>> I believe there are few other files that contain "aion" but I think > >>> they're just comments and don't end up as strings in the compiled > file. If > >>> you do a find | grep you'll see the other files. I'm not sure how > rkhunter > >>> fully works yet. I ended up correcting the typo and recompiling. Now > >>> rkhunter no longer throws the warning. > >>> > >>> Wally > >>> > >>> > >>> On Tue, Mar 11, 2014 at 2:54 PM, Steven Kneizys <[email protected] > > > >>> wrote: > >>>> > >>>> I see that in the source: > >>>> > >>>> .asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford > >>>> University)" > >>>> > >>>> And should be: > >>>> > >>>> .asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg > (Stanford > >>>> University)" > >>>> > >>>> I am just wondering why that rkhunter would possibly think that was a > >>>> vulnerability! > >>>> > >>>> Steve... > >>>> > >>>> > >>>> On Tue, Mar 11, 2014 at 3:12 PM, Wally <[email protected]> wrote: > >>>>> > >>>>> Greetings. I have compiled openssh 6.5p1, openssl 1.0.1f and > rkhunter > >>>>> 1.4.2. > >>>>> > >>>>> Rkhunter shows the following message: > >>>>> [ Warning ]Found string 'aion' in file '/usr/sbin/sshd'. Possible > >>>>> rootkit: Trojaned SSH daemon > >>>>> > >>>>> OpenSSH is compiled with OpenSSL support, and the string "aion" that > is > >>>>> identified as a possible root kit by rkhunter is found inside > >>>>> "openssl-1.0.1f/crypto/aes/asm/vpaes-x86_64.pl" file. It looks > like a > >>>>> simple typo on line 1063. Could the developers please take a look > and > >>>>> possibly repackage the release? > >>>>> > >>>>> Thanks > >>>> > >>>> > >>>> > >>>> > >>>> -- > >>>> Steve Kneizys > >>>> Senior Business Process Engineer > >>>> Voice: (610) 256-1396 [For Emergency Service (888)864-3282] > >>>> Ferrilli Information Group -- Quality Service and Solutions for Higher > >>>> Education > >>>> web: http://www.ferrilli.com/ > >>>> > >>>> Making you a success while exceeding your expectations. > >>> > >>> > >> > >> > >> > >> -- > >> Steve Kneizys > >> Senior Business Process Engineer > >> Voice: (610) 256-1396 [For Emergency Service (888)864-3282] > >> Ferrilli Information Group -- Quality Service and Solutions for Higher > >> Education > >> web: http://www.ferrilli.com/ > >> > >> Making you a success while exceeding your expectations. > > > > > > > > -- > Steve Kneizys > Senior Business Process Engineer > Voice: (610) 256-1396 [For Emergency Service (888)864-3282] > Ferrilli Information Group -- Quality Service and Solutions for Higher > Education > web: http://www.ferrilli.com/ > > Making you a success while exceeding your expectations. >
