My first thought would be a hardlink or symlink, not necessarily malware.
If you search either for another file w/ the same inode # or a symlink that
points at that path (in any of the variety of ways to do so), do you find
anything?
Alternatively, you could do an strace on ssh and see what files it's
accessing.  It sounds like it'd be something opened w/ read-write or
write-only privs, but if the process is crashing, it should be pretty
obvious.


On Mon, Jan 23, 2012 at 11:51 AM, Dan Schlitt <d...@2600c.com> wrote:

>
> A suspicious file has appeared on my Ubuntu linux box. It is in a strange
> place for a file that is written to - /usr/include/openssl/aes1.h. It
> contains plain text information that shouldn't be kept.
>
> I have looked diligently to find where it is coming from without finding
> anything.
>
> It is definitely connected in some way to ssh (which I have removed and
> reinstalled to no effect.) If the file is not world writable ssh crashes
> after connecting and logging in to the remote end. It doesn't mind the
> read permissions being removed.
>
> Does anyone recognize the malware or configuration that this belongs to?
>
> Any help would be appreciated.
>
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
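
The search suggested in the reply above (another name with the same inode number, or a symlink that points at the path), as an added example that is not part of the original thread. The function name find_aliases and its output format are assumptions made here; it expects a Linux system with find's -samefile and readlink -f available.

```shell
#!/bin/sh
# Added example (not from the thread): list every other name for a file.
# Usage:  find_aliases TARGET [SEARCH_ROOT]      (SEARCH_ROOT defaults to /)
#   e.g.  find_aliases /usr/include/openssl/aes1.h
# Output: "hardlink <path>" or "symlink <path>", one per line.
find_aliases() {
    target=$1
    root=${2:-/}
    if [ ! -e "$target" ]; then
        echo "find_aliases: no such file: $target" >&2
        return 2
    fi
    # Canonical absolute paths, so the string comparison below is reliable.
    real=$(readlink -f -- "$target")
    root=$(readlink -f -- "$root")

    # Hard links: a link count above 1 means the inode has other names.
    # -samefile compares device and inode, so a scan across mounts cannot
    # match an unrelated file that happens to reuse the inode number.
    links=$(ls -ldn -- "$real" | awk '{print $2}')
    if [ "$links" -gt 1 ]; then
        find "$root" -samefile "$real" -print 2>/dev/null |
        while IFS= read -r p; do
            [ "$p" = "$real" ] || printf 'hardlink %s\n' "$p"
        done
    fi

    # Symlinks: -ef follows the link and compares device and inode, which
    # covers relative targets, chains of links, and links that point at a
    # hard-linked alias rather than at the original name.
    find "$root" -type l -print 2>/dev/null |
    while IFS= read -r link; do
        if [ "$link" -ef "$real" ]; then
            printf 'symlink %s\n' "$link"
        fi
    done
    return 0
}
```

Run it as root so that unreadable directories are not silently skipped; scanning from / is slow on large filesystems.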
