And then he noticed the note about ssh dying if the file is not writable ...

Considering the ssh crash I would agree that ssh could be compromised. The best thing to do would be to re-install all ssh/ssl related packages. Before doing this make sure you clear your cache, validate your apt sources (to make sure they are the dist sources) and force apt to re-download/reinstall. After the re-install it would be a good time to change all passwords, just in case.

Brad

On 01/23/2012 12:35 PM, Brad Hudson wrote:
> Dan;
>
> It is most likely from a dev package. I have an aes.h on my
> system that comes from libssl-dev. I have no aes1.h.
>
> $ dpkg-query -S /usr/include/openssl/aes.h
> libssl-dev: /usr/include/openssl/aes.h
>
> Is the file an actual header file? If so it should start with
> something like the following, with a lot of defines and includes
> in the actual code.
>
> /* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
> /* ====================================================================
>  * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
> ...
> #ifndef HEADER_AES_H
> #define HEADER_AES_H
>
> #include <openssl/opensslconf.h>
>
> #ifdef OPENSSL_NO_AES
> #error AES is disabled.
> #endif
>
> What version of Ubuntu/openssl are you currently running? The .h
> files would only be used at compile time, if you are worried about
> it there is no reason you could not either remove the file or the
> -dev package it belongs to (unless you want to compile something
> with ssl support).
>
> Brad
>
> On 01/23/2012 11:51 AM, Dan Schlitt wrote:
>
>> A suspicious file has appeared on my Ubuntu linux box. It is in
>> a strange place for a file that is written to -
>> /usr/include/openssl/aes1.h. It contains plain text information
>> that shouldn't be kept.
>
>> I have looked diligently to find where it is coming from without
>> finding anything.
>
>> It is definitely connected in some way to ssh (which I have
>> removed and reinstalled to no effect.) If the file is not world
>> writable ssh crashes after connecting and logging in to the
>> remote end. It doesn't mind the read permissions being removed.
>
>> Does anyone recognize the malware or configuration that this
>> belongs to?
>
>> Any help would be appreciated.
>
>> /dan
>
>> --
>> Dan Schlitt
>> schl...@theworld.com
>
>> _______________________________________________
>> Tech mailing list
>> Tech@lists.lopsa.org
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>> This list provided by the League of Professional System Administrators
>> http://lopsa.org/

--
Brad Hudson
SA Team Lead
The Pythian Group - love your data
Desk: 613-565-8696 x202
IM: pythianhudson
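The `dpkg-query -S` ownership check from the thread can be run over every file in a directory, together with the world-writable test that made aes1.h stand out. This script is an added example, not part of the original messages; the function names and the `OWNER_LOOKUP` override are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): list files that no installed package
# claims and show whether each one is world-writable.
# OWNER_LOOKUP is an assumption of this example: the command that asks the
# package database who owns a path. The default is the dpkg-query -S call
# quoted in the thread; override it on non-dpkg systems.
: "${OWNER_LOOKUP:=dpkg-query -S}"

# Print the owning package of one path, or "unowned" if the lookup fails.
file_owner() {
    out=$($OWNER_LOOKUP "$1" 2>/dev/null) || { echo "unowned"; return 0; }
    # dpkg-query -S prints "package: /path"; keep the part before the colon.
    echo "${out%%:*}"
}

# Print "yes" if the write bit for "other" is set on the path, else "no".
world_writable() {
    if [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# One line per regular file: <path> owner=<pkg|unowned> world_writable=<yes|no>
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        echo "$f owner=$(file_owner "$f") world_writable=$(world_writable "$f")"
    done
}

# Only the files that need a closer look: those no package owns.
suspicious_files() {
    audit_dir "$1" | grep ' owner=unowned ' || true
}

# When called with a directory argument, report on it.
if [ "$#" -gt 0 ]; then
    suspicious_files "$1"
fi
```

Run it as `sh audit.sh /usr/include/openssl` (the script name is arbitrary). An unowned file is a lead for further inspection, not proof of compromise, since locally built software also leaves unowned files.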