It is definitely not a header file. I did reinstall the ssh but the number of files that were removed when removing openssl was a bit daunting so I didn't do it.

I don't intentionally have the openssl development package installed. The installed versions are openssl 0.9.8k-7ubuntu8.6 and ssh 1:5.3p1-3ubuntu7 if that is useful information. I just removed an ssl development package and all the .h files in that directory went away but the file in question remained.

I just checked again and the file must be world writeable or the ssh client crashes. It certainly looks like an attempt to hide that file.

/dan

--
Dan Schlitt
[email protected]

On Mon, 23 Jan 2012, Brad Hudson wrote:

> And then he noticed the note about ssh dying if the file is not
> writable ...
>
> Considering the ssh crash I would agree that ssh could be compromised.
> The best thing to do would be to re-install all ssh/ssl related
> packages. Before doing this make sure you clear your cache, validate
> your apt sources (to make sure they are the dist sources) and force
> apt to re-download/reinstall.
>
> After the re-install it would be a good time to change all passwords,
> just in case.
>
> Brad
>
> On 01/23/2012 12:35 PM, Brad Hudson wrote:
> > Dan;
> >
> > It is most likely from a dev package. I have an aes.h on my
> > system that comes from libssl-dev. I have no aes1.h.
> >
> > $ dpkg-query -S /usr/include/openssl/aes.h
> > libssl-dev: /usr/include/openssl/aes.h
> >
> > Is the file an actual header file? If so it should start with
> > something like the following, with a lot of defines and includes
> > in the actual code.
> >
> > /* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
> > /* ====================================================================
> >  * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
> > ...
> > #ifndef HEADER_AES_H
> > #define HEADER_AES_H
> >
> > #include <openssl/opensslconf.h>
> >
> > #ifdef OPENSSL_NO_AES
> > #error AES is disabled.
> > #endif
> >
> > What version of Ubuntu/openssl are you currently running? The .h
> > files would only be used at compile time, if you are worried about
> > it there is no reason you could not either remove the file or the
> > -dev package it belongs to (unless you want to compile something
> > with ssl support).
> >
> > Brad
> >
> > On 01/23/2012 11:51 AM, Dan Schlitt wrote:
> >> A suspicious file has appeared on my Ubuntu linux box. It is in
> >> a strange place for a file that is written to -
> >> /usr/include/openssl/aes1.h. It contains plain text information
> >> that shouldn't be kept.
> >>
> >> I have looked diligently to find where it is coming from without
> >> finding anything.
> >>
> >> It is definitely connected in some way to ssh (which I have
> >> removed and reinstalled to no effect.) If the file is not world
> >> writable ssh crashes after connecting and logging in to the
> >> remote end. It doesn't mind the read permissions being removed.
> >>
> >> Does anyone recognize the malware or configuration that this
> >> belongs to.
> >>
> >> Any help would be appreciated.
> >>
> >> /dan
> >>
> >> --
> >> Dan Schlitt
> >> [email protected]
> >>
> >> _______________________________________________
> >> Tech mailing list
> >> [email protected]
> >> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> >> This list provided by the League of Professional System Administrators
> >> http://lopsa.org/
>
> --
> Brad Hudson
> SA Team Lead
> The Pythian Group - love your data
> Desk: 613-565-8696 x202
> IM: pythianhudson
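A defender-side check that combines the two signals discussed in this thread, the dpkg-query -S ownership test Brad used and the world-writable condition Dan reports for aes1.h, added here as an example and not part of the mailing list exchange. The function names are my own; it assumes a Debian/Ubuntu host with dpkg-query and reports ownership as "unknown" where that tool is absent.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a directory for regular files
# that are world-writable (the condition Dan describes for aes1.h) or that
# no installed dpkg package claims (the dpkg-query -S check Brad used).
# Function names are my own. Assumes a Debian/Ubuntu host; without
# dpkg-query, ownership is reported as "unknown". On a host that may be
# compromised, ls/find/dpkg themselves may be untrustworthy, so run this
# from a rescue medium or trusted static binaries.

# is_world_writable FILE: succeeds when the "other" write bit is set.
# Reads the 9th character of the ls -ld mode string, which works on both
# GNU and BSD userlands (stat(1) flags differ between them).
is_world_writable() {
    case "$(ls -ld "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# pkg_owner FILE: prints the owning package, "none" if no package owns
# the path, "unknown" if dpkg-query is not available on this system.
pkg_owner() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        printf 'unknown\n'
        return 0
    fi
    owner=$(dpkg-query -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    printf '%s\n' "${owner:-none}"
}

# audit_dir DIR: one line per regular file with both findings.
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if is_world_writable "$f"; then ww=yes; else ww=no; fi
        printf '%s world-writable=%s owner=%s\n' "$f" "$ww" "$(pkg_owner "$f")"
    done
}

# world_writable_count DIR: number of world-writable regular files.
world_writable_count() {
    audit_dir "$1" | grep -c 'world-writable=yes'
}

# Usage: sh audit.sh /usr/include/openssl
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```

A header directory such as /usr/include/openssl should show every file owned by a -dev package and none world-writable; any line reading owner=none or world-writable=yes is worth the re-install Brad recommends.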
