Re: [gentoo-user] Re: Has my PC been compromised?
On Friday 15 Apr 2016 09:48:47 Neil Bothwick wrote:
> I have these entries in /etc/rkhunter.conf.local:
>
> ALLOWDEVFILE="/dev/shm/org.chromium.Chromium.shmem.*"
> ALLOWDEVFILE="/dev/shm/pulse-shm-*"
> ALLOWHIDDENFILE="/usr/share/man/man5/.k5identity.5.bz2"
> ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.bz2"
> ALLOWHIDDENFILE="/usr/share/man/man5/.k5identity.5"
> ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5"

Thank you all for your advice. I have a couple of entries in my
rkhunter.conf.local too, but not a wildcard like "/dev/shm/pulse-shm-*".
I was thinking that if I were a script kiddie, this could be easy pickings
if I wanted to place a malicious payload on a PC.

--
Regards,
Mick
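The concern above is that a name-only whitelist such as ALLOWDEVFILE="/dev/shm/pulse-shm-*" makes rkhunter skip any file that happens to carry that name. One way to keep the whitelist and still catch an orphan file hiding behind it is to cross-check each matching /dev/shm entry against /proc/<pid>/maps: a real PulseAudio or Chromium segment is mapped by at least one running process, while a dropped file is mapped by none. This is an added example, not code from the thread or from rkhunter; it assumes a Linux /proc layout and that it runs as root so every process's maps file is readable.

```python
#!/usr/bin/env python3
"""Audit /dev/shm entries that an rkhunter ALLOWDEVFILE wildcard would accept
on name alone: a file matching "pulse-shm-*" that no running process has
mapped is exactly the kind of entry the whitelist would otherwise hide."""
import fnmatch
import os
from pathlib import Path

# The two wildcard entries quoted in the thread.
ALLOWED_PATTERNS = (
    "/dev/shm/org.chromium.Chromium.shmem.*",
    "/dev/shm/pulse-shm-*",
)


def read_proc_maps(proc="/proc"):
    """Live collection: {comm name: set of /dev/shm paths mapped by that process}.
    Reading another user's maps needs root, so run as root for a complete view."""
    result = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            comm = Path(proc, pid, "comm").read_text().strip()
            maps = Path(proc, pid, "maps").read_text()
        except OSError:
            continue  # process exited, or its maps are not readable by us
        for line in maps.splitlines():
            fields = line.split(maxsplit=5)  # addr perms offset dev inode path
            if len(fields) == 6 and fields[5].startswith("/dev/shm/"):
                result.setdefault(comm, set()).add(fields[5].replace(" (deleted)", ""))
    return result


def audit(shm_files, maps_by_process):
    """Return (path, reason) for every /dev/shm entry that deserves a look:
    either not covered by the whitelist at all, or whitelisted by name while
    no process has it mapped. Entries mapped by some process are accepted."""
    findings = []
    for path in shm_files:
        if not any(fnmatch.fnmatch(path, p) for p in ALLOWED_PATTERNS):
            findings.append((path, "not covered by any ALLOWDEVFILE pattern"))
        elif not any(path in paths for paths in maps_by_process.values()):
            findings.append((path, "whitelisted by name but mapped by no process"))
    return findings


if __name__ == "__main__":
    live = sorted(str(p) for p in Path("/dev/shm").iterdir())
    for path, reason in audit(live, read_proc_maps()):
        print(f"{path}: {reason}")
```

A segment left behind by a crashed PulseAudio client will also be reported as unmapped; that is still worth a look, since a stale segment and a planted file look identical to a name-based whitelist.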
Re: [gentoo-user] Re: Has my PC been compromised?
On Fri, 15 Apr 2016 10:40:34 +0200, Alan McKinnon wrote:

>> All these chkrootkit and rkhunter warnings are about /dev/shm/ files/devices.
>> Is there something that makes anything in /dev/shm inherently suspicious?
>
> Nope. It's just a place where shared memory can be used.
>
> By far the most likely is that the script you use has an incomplete list
> of things that can be found in there

I have these entries in /etc/rkhunter.conf.local:

ALLOWDEVFILE="/dev/shm/org.chromium.Chromium.shmem.*"
ALLOWDEVFILE="/dev/shm/pulse-shm-*"
ALLOWHIDDENFILE="/usr/share/man/man5/.k5identity.5.bz2"
ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.bz2"
ALLOWHIDDENFILE="/usr/share/man/man5/.k5identity.5"
ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5"

--
Neil Bothwick

Znqr lbh ybbx!
Re: [gentoo-user] Re: Has my PC been compromised?
On 15/04/2016 07:39, Mick wrote:
> On Thursday 14 Apr 2016 19:43:52 Jonathan Callen wrote:
>> On 04/14/2016 04:40 PM, Mick wrote:
>>> I run chkrootkit and rkhunter on my laptop. Suddenly I noticed
>>> this in my logs:
>>>
>>> /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation Windigo installetd
>>>
>>> Then, rkhunter shows:
>>>
>>> [20:23:27] Info: Starting test name 'filesystem'
>>> [20:23:27] Performing filesystem checks
>>> [20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
>>> [20:23:33] Checking /dev for suspicious file types [ Warning ]
>>> [20:23:33] Warning: Suspicious file types found in /dev:
>>> [20:23:33] /dev/shm/pulse-shm-3629268439: data
>>> [20:23:33] /dev/shm/pulse-shm-2350047684: data
>>> [20:23:33] /dev/shm/pulse-shm-2469735543: data
>>> [20:23:33] /dev/shm/pulse-shm-2586322339: data
>>> [20:23:33] /dev/shm/PostgreSQL.1804289383: data
>>> [20:23:34] Checking for hidden files and directories [ Warning ]
>>> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
>>> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
>>> [20:23:34] Checking for missing log files [ Skipped ]
>>> [20:23:34] Checking for empty log files [ Skipped ]
>>>
>>> I searched on the errors and arrived at this FAQ:
>>>
>>> https://www.cert-bund.de/ebury-faq
>>>
>>> Now, I frequently log in using ssh into remote servers and LAN boxen
>>> for admin purposes, but not the other way around. Is my box
>>> compromised, or are these two false positives in a row?
>>>
>>> Are you getting anything similar on your systems?
>>
>> The hidden files in /usr/share/man/man5 are definitely false
>> positives. These two files are installed by the app-crypt/mit-krb5
>> package, and just allow you to type "man .k5login" instead of "man
>> k5login" to get information about the ".k5login" file that you might
>> want to create in your home directory (if using kerberos).
>
> OK, this is good to know. I am not using kerberos, but I think it was
> installed as a dependency somewhere along the line.
>
>> The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio
>> for its own internal use; applications that may play sounds through
>> pulseaudio will create those files automatically.
>>
>> The PostgreSQL.* file is likely also a false positive, but I do not
>> have postgres installed here to confirm.
>
> I can't think why postgres would be flagged up as a warning. I use it for
> akonadi instead of mysql, so unless some email ran a sql injection on it via
> kmail and got access to the database, it should be OK.
>
> All these chkrootkit and rkhunter warnings are about /dev/shm/ files/devices.
> Is there something that makes anything in /dev/shm inherently suspicious?

Nope. It's just a place where shared memory can be used.

By far the most likely is that the script you use has an incomplete list
of things that can be found in there

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] Re: Has my PC been compromised?
On Thursday 14 Apr 2016 19:43:52 Jonathan Callen wrote:
> On 04/14/2016 04:40 PM, Mick wrote:
> > I run chkrootkit and rkhunter on my laptop. Suddenly I noticed
> > this in my logs:
> >
> > /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation Windigo installetd
> >
> > Then, rkhunter shows:
> >
> > [20:23:27] Info: Starting test name 'filesystem'
> > [20:23:27] Performing filesystem checks
> > [20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
> > [20:23:33] Checking /dev for suspicious file types [ Warning ]
> > [20:23:33] Warning: Suspicious file types found in /dev:
> > [20:23:33] /dev/shm/pulse-shm-3629268439: data
> > [20:23:33] /dev/shm/pulse-shm-2350047684: data
> > [20:23:33] /dev/shm/pulse-shm-2469735543: data
> > [20:23:33] /dev/shm/pulse-shm-2586322339: data
> > [20:23:33] /dev/shm/PostgreSQL.1804289383: data
> > [20:23:34] Checking for hidden files and directories [ Warning ]
> > [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
> > [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
> > [20:23:34] Checking for missing log files [ Skipped ]
> > [20:23:34] Checking for empty log files [ Skipped ]
> >
> > I searched on the errors and arrived at this FAQ:
> >
> > https://www.cert-bund.de/ebury-faq
> >
> > Now, I frequently log in using ssh into remote servers and LAN boxen
> > for admin purposes, but not the other way around. Is my box
> > compromised, or are these two false positives in a row?
> >
> > Are you getting anything similar on your systems?
>
> The hidden files in /usr/share/man/man5 are definitely false
> positives. These two files are installed by the app-crypt/mit-krb5
> package, and just allow you to type "man .k5login" instead of "man
> k5login" to get information about the ".k5login" file that you might
> want to create in your home directory (if using kerberos).

OK, this is good to know. I am not using kerberos, but I think it was
installed as a dependency somewhere along the line.

> The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio
> for its own internal use; applications that may play sounds through
> pulseaudio will create those files automatically.
>
> The PostgreSQL.* file is likely also a false positive, but I do not
> have postgres installed here to confirm.

I can't think why postgres would be flagged up as a warning. I use it for
akonadi instead of mysql, so unless some email ran a sql injection on it via
kmail and got access to the database, it should be OK.

All these chkrootkit and rkhunter warnings are about /dev/shm/ files/devices.
Is there something that makes anything in /dev/shm inherently suspicious?

--
Regards,
Mick
[gentoo-user] Re: Has my PC been compromised?
On 04/14/2016 04:40 PM, Mick wrote:
> I run chkrootkit and rkhunter on my laptop. Suddenly I noticed
> this in my logs:
>
> /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation Windigo installetd
>
> Then, rkhunter shows:
>
> [20:23:27] Info: Starting test name 'filesystem'
> [20:23:27] Performing filesystem checks
> [20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
> [20:23:33] Checking /dev for suspicious file types [ Warning ]
> [20:23:33] Warning: Suspicious file types found in /dev:
> [20:23:33] /dev/shm/pulse-shm-3629268439: data
> [20:23:33] /dev/shm/pulse-shm-2350047684: data
> [20:23:33] /dev/shm/pulse-shm-2469735543: data
> [20:23:33] /dev/shm/pulse-shm-2586322339: data
> [20:23:33] /dev/shm/PostgreSQL.1804289383: data
> [20:23:34] Checking for hidden files and directories [ Warning ]
> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
> [20:23:34] Checking for missing log files [ Skipped ]
> [20:23:34] Checking for empty log files [ Skipped ]
>
> I searched on the errors and arrived at this FAQ:
>
> https://www.cert-bund.de/ebury-faq
>
> Now, I frequently log in using ssh into remote servers and LAN boxen
> for admin purposes, but not the other way around. Is my box
> compromised, or are these two false positives in a row?
>
> Are you getting anything similar on your systems?

The hidden files in /usr/share/man/man5 are definitely false positives.
These two files are installed by the app-crypt/mit-krb5 package, and just
allow you to type "man .k5login" instead of "man k5login" to get information
about the ".k5login" file that you might want to create in your home
directory (if using kerberos).

The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio for its
own internal use; applications that may play sounds through pulseaudio will
create those files automatically.

The PostgreSQL.* file is likely also a false positive, but I do not have
postgres installed here to confirm.

--
Jonathan Callen