The "debsums" program will check the checksums of packages with what they are supposed to be.

To be safest you should boot to something trusted rather than the main hard-drive since the rootkit could mask the changed files.

http://manpages.ubuntu.com/manpages/lucid/man1/debsums.1.html


On Mon, 23 Jan 2012, Dan Schlitt wrote:

It is definitely not a header file.

I did reinstall the ssh but the number of files that were removed when
removing openssl was a bit daunting so I didn't do it.

I don't intentionally have the openssl development package installed

The installed versions are openssl 0.9.8k-7ubuntu8.6 and ssh
1:5.3p1-3ubuntu7 if that is useful information.

I just removed an ssl development package and all the .h files in that
directory went away but the file in question remained. I just checked
again and the file must be world writeable or the ssh client crashes.

It certainly looks like an attempt to hide that file.

/dan

--
Dan Schlitt
schl...@theworld.com


On Mon, 23 Jan 2012, Brad Hudson wrote:


And then he noticed the note about ssh dying if the file is not
writable ...

Considering the ssh crash I would agree that ssh could be compromised.
The best thing to do would be to re-install all ssh/ssl related
packages.  Before doing this make sure you clear your cache, validate
your apt sources (to make sure they are the dist sources) and force
apt to re-download/reinstall.

After the re-install it would be a good time to change all passwords,
just in case.

Brad


On 01/23/2012 12:35 PM, Brad Hudson wrote:
Dan;

It is most likely from a dev package.  I have an aes.h on my
system that comes from libssl-dev.  I have no aes1.h.

$ dpkg-query -S /usr/include/openssl/aes.h
libssl-dev: /usr/include/openssl/aes.h

Is the file an actual header file?  If so it should start with
something like the following, with a lot of defines and includes
in the actual code.

/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
/* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
...
#ifndef HEADER_AES_H
#define HEADER_AES_H

#include <openssl/opensslconf.h>

#ifdef OPENSSL_NO_AES
#error AES is disabled.
#endif

What version of Ubuntu/openssl are you currently running?  The .h
files would only be used at compile time, if you are worried about
it there is no reason you could not either remove the file or the
-dev package it belongs to (unless you want to compile something
with ssl support).

Brad

On 01/23/2012 11:51 AM, Dan Schlitt wrote:

A suspicious file has appeared on my Ubuntu linux box. It is in
a strange place for a file that is written to -
/usr/include/openssl/aes1.h. It contains plain text information
that shouldn't be kept.

I have looked diligently to find where it is coming from without
finding anything.

It is definitely connected in some way to ssh (which I have
removed and reinstalled to no effect.) If the file is not world
writable ssh crashes after connecting and logging in to the
remote end. It doesn't mind the read permissions being removed.

Does anyone recognize the malware or configuration that this
belongs to?

Any help would be appreciated.

/dan

--
Dan Schlitt
schl...@theworld.com


_______________________________________________ Tech mailing list
 Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list
provided by the League of Professional System Administrators
http://lopsa.org/



--
Brad Hudson
SA Team Lead
The Pythian Group - love your data
Desk: 613-565-8696 x202
IM: pythianhudson



--
Simon Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
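The two checks the thread leans on, debsums-style checksum verification and Brad's dpkg-query -S lookup, written out as an added shell example that is not from the thread or from the debsums project: it reads dpkg's own per-package md5sums lists, compares them against the files on disk, and flags any file under a directory that no package claims. The root argument lets it be pointed at a disk mounted from trusted boot media, as Simon suggests; the paths and the package name libssl-dev come from the thread, and the function names and the suspect-mount path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the core of what debsums does, built on
# dpkg's own per-package checksum lists.  Each line of
# /var/lib/dpkg/info/<pkg>.md5sums reads "<md5>  <path relative to />".
# <root> may be a disk mounted from trusted boot media (e.g. /mnt/suspect), so
# the check does not trust the possibly compromised running system.
# Limitation: paths containing spaces are not handled (the format is line based).

# verify_md5sums <pkg.md5sums> <root>
# Prints "MISSING <path>" or "CHANGED <path>" per problem; returns 1 if any.
verify_md5sums() {
    sums=$1; root=$2; rc=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue            # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING %s\n' "$relpath"; rc=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'CHANGED %s\n' "$relpath"; rc=1
        fi
    done < "$sums"
    return $rc
}

# find_unowned <dpkg-info-dir> <root> <dir relative to root>
# Prints "UNOWNED <path>" for each regular file under <dir> that no package's
# md5sums list claims (the same question as dpkg-query -S on every file); an
# unexpected aes1.h beside libssl-dev's aes.h shows up here.  Returns 1 if any.
find_unowned() {
    infodir=$1; root=$2; dir=$3; rc=0
    owned=$(mktemp)
    cat "$infodir"/*.md5sums > "$owned"
    find "$root/$dir" -type f | sed "s|^$root/*||" | awk -v list="$owned" '
        BEGIN { while ((getline line < list) > 0) { split(line, f, " "); seen[f[2]] = 1 } }
        !($0 in seen) { print "UNOWNED " $0; bad = 1 }
        END { exit bad + 0 }' || rc=$?
    rm -f "$owned"
    return $rc
}

# Usage on a live Ubuntu system (prefix both paths with a mount point when
# checking a disk from trusted boot media):
if [ -f /var/lib/dpkg/info/libssl-dev.md5sums ]; then
    verify_md5sums /var/lib/dpkg/info/libssl-dev.md5sums / || echo "libssl-dev: files differ from the package"
    find_unowned /var/lib/dpkg/info / usr/include/openssl || echo "unowned files under /usr/include/openssl"
fi
```

Files that dpkg tracks as conffiles are not listed in md5sums and are not covered by this check.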

