On 15/04/2016 07:39, Mick wrote:
> On Thursday 14 Apr 2016 19:43:52 Jonathan Callen wrote:
>> On 04/14/2016 04:40 PM, Mick wrote:
>>> I run chkrootkit and rkhunter on my laptop.  Suddenly I noticed
>>> this in my logs:
>>>
>>> /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation
>>> Windigo installetd
>>>
>>>
>>> Then, rkhunter shows:
>>>
>>> [20:23:27] Info: Starting test name 'filesystem' [20:23:27]
>>> Performing filesystem checks [20:23:27] Info: SCAN_MODE_DEV set to
>>> 'THOROUGH' [20:23:33]   Checking /dev for suspicious file types
>>> [ Warning ] [20:23:33] Warning: Suspicious file types found in
>>> /dev: [20:23:33]          /dev/shm/pulse-shm-3629268439: data
>>> [20:23:33]          /dev/shm/pulse-shm-2350047684: data [20:23:33]
>>> /dev/shm/pulse-shm-2469735543: data [20:23:33]
>>> /dev/shm/pulse-shm-2586322339: data [20:23:33]
>>> /dev/shm/PostgreSQL.1804289383: data [20:23:34]   Checking for
>>> hidden files and directories       [ Warning ] [20:23:34] Warning:
>>> Hidden file found: /usr/share/man/man5/.k5login.5: troff or
>>> preprocessor input, ASCII text [20:23:34] Warning: Hidden file
>>> found: /usr/share/man/man5/.k5identity.5: troff or preprocessor
>>> input, ASCII text [20:23:34]   Checking for missing log files
>>> [ Skipped ] [20:23:34]   Checking for empty log files
>>> [ Skipped ]
>>>
>>>
>>> I search on the errors and I arrive at this FAQs:
>>>
>>> https://www.cert-bund.de/ebury-faq
>>>
>>>
>>> Now, I frequently login using ssh into remote servers and LAN boxen
>>> for admin purposes, but not the other way around.  Is my box
>>> compromised, or are these two false positives in a row?
>>>
>>> Are you getting anything similar on your systems?
>>
>> The hidden files in /usr/share/man/man5 are definitely false
>> positives.  These two files are installed by the app-crypt/mit-krb5
>> package, and just allow you to type "man .k5login" instead of "man
>> k5login" to get information about the ".k5login" file that you might
>> want to create in your home directory (if using kerberos).
> 
> OK, this is good to know.  I am not using kerberos, but I think it was 
> installed as a dependency somewhere along the line.
> 
> 
>> The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio
>> for its own internal use; applications that may play sounds through
>> pulseaudio will create those files automatically.
>>
>> The PostgreSQL.* file is likely also a false positive, but I do not
>> have postgres installed here to confirm.
> 
> I can't think why postgres would be flagged up as a warning.  I use it for 
> akonadi instead of mysql, so unless some email ran a sql injection on it via 
> kmail and got access to the database, it should be OK.
> 
> All these chkrootkit and rkhunter warnings are about /dev/shm/ files/devices.  
> Is there something that makes anything in /dev/shm inherently suspicious?
> 


Nope. It's just a place where shared memory can be used.

By far the most likely explanation is that the script you use has an
incomplete list of things that can be found in there.

-- 
Alan McKinnon
alan.mckin...@gmail.com
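As an added example (not part of the thread, and not rkhunter's or chkrootkit's own code): a small POSIX shell script that does the two checks this discussion points to. The first attributes each file under a shared-memory directory to the processes holding it open, by reading the /proc/<pid>/fd symlinks, so a pulse-shm-* segment can be tied back to a pulseaudio client and a PostgreSQL.* segment to postgres. The second applies the same shell globs you would add to rkhunter.conf as ALLOWDEVFILE entries, leaving only the names the scanner has no explanation for. Both functions take the directories as arguments so they can be run against a test tree; the defaults are the live /dev/shm and /proc, and the process names used in the comments are assumptions about a typical desktop, not something the thread states.

```shell
#!/bin/sh
# Added example: attribute and classify files that rkhunter/chkrootkit flag
# under /dev/shm.  Not from the mailing-list thread or either tool's source.

# Print "<file> <pid>/<comm> ..." for every regular file in $1 (default /dev/shm),
# or "<file> UNREFERENCED" if no process under $2 (default /proc) holds it open.
# Run as root: other users' /proc/<pid>/fd directories are not readable otherwise.
# An unreferenced segment is not proof of malware (PulseAudio and PostgreSQL
# unlink and recreate segments as clients come and go), but it is the one you
# cannot explain from the process table and should look at first.
shm_owners() {
    shm_dir=${1:-/dev/shm}
    proc_dir=${2:-/proc}
    for f in "$shm_dir"/* "$shm_dir"/.[!.]*; do
        [ -f "$f" ] || continue
        owners=""
        for fd in "$proc_dir"/[0-9]*/fd/*; do
            [ -L "$fd" ] || continue
            target=$(readlink "$fd" 2>/dev/null) || continue
            # A segment that was unlinked but is still mapped shows as "... (deleted)"
            target=${target% (deleted)}
            [ "$target" = "$f" ] || continue
            pid=${fd#"$proc_dir"/}
            pid=${pid%%/*}
            comm=$(cat "$proc_dir/$pid/comm" 2>/dev/null || echo '?')
            owners="$owners $pid/$comm"
        done
        printf '%s%s\n' "$f" "${owners:- UNREFERENCED}"
    done
}

# Names a scanner on this machine should already know about.  These are the
# same globs you would put in rkhunter.conf, e.g.
#   ALLOWDEVFILE=/dev/shm/pulse-shm-*
#   ALLOWDEVFILE=/dev/shm/PostgreSQL.*
# (ALLOWDEVFILE is rkhunter's option for this; ALLOWHIDDENFILE covers the
# .k5login.5 / .k5identity.5 man pages from the same warning).
# Reads one path per line on stdin, prints "known <path>" or "unknown <path>".
shm_classify() {
    while IFS= read -r path; do
        case ${path##*/} in
            pulse-shm-[0-9]*)  echo "known $path" ;;   # PulseAudio client segments
            PostgreSQL.[0-9]*) echo "known $path" ;;   # PostgreSQL shared memory
            *)                 echo "unknown $path" ;;
        esac
    done
}

# Live run (both checks against the real /dev/shm): sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    shm_owners /dev/shm /proc
    find /dev/shm -maxdepth 1 -type f | shm_classify | grep '^unknown' || true
fi
```

A file that is both "unknown" to the allowlist and UNREFERENCED by any process is the one worth pulling apart with file(1) and strings(1); a pulse-shm-* file held open by a pulseaudio client is exactly what the reply above describes and can go into rkhunter.conf so the warning stops.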

