On 2012-01-23 09:51, Dan Schlitt wrote:
> A suspicious file has appeared on my Ubuntu Linux box. It is in a strange place for a file that is written to - /usr/include/openssl/aes1.h. It contains plain text information that shouldn't be kept.

Have you done a recent update on that box?

> It is definitely connected in some way to ssh (which I have removed and reinstalled to no effect). If the file is not world writable ssh crashes after connecting and logging in to the remote end. It doesn't mind the read permissions being removed.

That file is definitely on my current Ubuntu box, but it is only writable by root. I can't think of any reason why access to an include file would be necessary for a binary. It definitely does sound like the version of ssh you are running has been compromised, and that they are just using an existing file for a different purpose in order not to raise any suspicion.
--
Yves.
http://www.SollerS.ca/
http://ipv6.SollerS.ca
http://blog.zioup.org/
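
Added example, not written by either poster: shell functions that list world-writable files under an include tree, ask the dpkg database which package (if any) owns each one, and compare the installed OpenSSH files with the checksums recorded by their packages. The function names are made up for this example, and the dpkg steps assume a Debian/Ubuntu host.

```shell
#!/bin/sh
# Added example: triage checks for the situation described in the thread.
# Function names are hypothetical; dpkg steps assume Debian/Ubuntu.

# Print regular files under a tree that any user can write to.
# Packaged header files are normally writable by root only.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# Print "owned <pkg>" or "unowned" for a path, using the dpkg database.
# Prints "unknown" when dpkg-query is not installed.
package_owner() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    owner=$(dpkg-query -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1) || true
    if [ -n "$owner" ]; then echo "owned $owner"; else echo "unowned"; fi
}

# One tab-separated line per world-writable file:
# path, package ownership, then mode/user/group from ls.
triage_tree() {
    world_writable_files "$1" | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(package_owner "$f")" \
            "$(ls -ld "$f" | awk '{print $1, $3, $4}')"
    done
}

# Compare installed ssh files with the checksums recorded by the packages.
# dpkg --verify prints one line per file that differs; no output means no
# difference was found against the local database.
verify_ssh_packages() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available"; return 0; }
    dpkg --verify openssh-client openssh-server 2>/dev/null || true
}

# Run only when a directory is given, e.g.: sh triage.sh /usr/include
if [ "$#" -gt 0 ]; then
    triage_tree "$1"
    verify_ssh_packages
fi
```

On a host that may already be compromised, run these from trusted media or against a mounted copy of the disk, since anyone with root can alter the local dpkg database and the tools themselves.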