| 1 |
On Thursday 14 Apr 2016 19:43:52 Jonathan Callen wrote: |
| 2 |
> On 04/14/2016 04:40 PM, Mick wrote: |
| 3 |
> > I run chkrootkit and rkhunter on my laptop. Suddenly I noticed |
| 4 |
> > this in my logs: |
| 5 |
> > |
| 6 |
> > /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation |
| 7 |
> > Windigo installetd |
| 8 |
> > |
| 9 |
> > |
| 10 |
> > Then, rkhunter shows: |
| 11 |
> > |
| 12 |
> > [20:23:27] Info: Starting test name 'filesystem' [20:23:27] |
| 13 |
> > Performing filesystem checks [20:23:27] Info: SCAN_MODE_DEV set to |
| 14 |
> > 'THOROUGH' [20:23:33] Checking /dev for suspicious file types |
| 15 |
> > [ Warning ] [20:23:33] Warning: Suspicious file types found in |
| 16 |
> > /dev: [20:23:33] /dev/shm/pulse-shm-3629268439: data |
| 17 |
> > [20:23:33] /dev/shm/pulse-shm-2350047684: data [20:23:33] |
| 18 |
> > /dev/shm/pulse-shm-2469735543: data [20:23:33] |
| 19 |
> > /dev/shm/pulse-shm-2586322339: data [20:23:33] |
| 20 |
> > /dev/shm/PostgreSQL.1804289383: data [20:23:34] Checking for |
| 21 |
> > hidden files and directories [ Warning ] [20:23:34] Warning: |
| 22 |
> > Hidden file found: /usr/share/man/man5/.k5login.5: troff or |
| 23 |
> > preprocessor input, ASCII text [20:23:34] Warning: Hidden file |
| 24 |
> > found: /usr/share/man/man5/.k5identity.5: troff or preprocessor |
| 25 |
> > input, ASCII text [20:23:34] Checking for missing log files |
| 26 |
> > [ Skipped ] [20:23:34] Checking for empty log files |
| 27 |
> > [ Skipped ] |
| 28 |
> > |
| 29 |
> > |
| 30 |
> > I search on the errors and I arrive at this FAQs: |
| 31 |
> > |
| 32 |
> > https://www.cert-bund.de/ebury-faq |
| 33 |
> > |
| 34 |
> > |
| 35 |
> > Now, I frequently login using ssh into remote servers and LAN boxen |
| 36 |
> > for admin purposes, but not the other way around. Is my box |
| 37 |
> > compromised, or is this two false positives in a row? |
| 38 |
> > |
| 39 |
> > Are you getting anything similar on your systems? |
| 40 |
> |
| 41 |
> The hidden files in /usr/share/man/man5 are definitely false |
| 42 |
> positives. These two files are installed by the app-crypt/mit-krb5 |
| 43 |
> package, and just allow you to type "man .k5login" instead of "man |
| 44 |
> k5login" to get information about the ".k5login" file that you might |
| 45 |
> want to create in your home directory (if using kerberos). |
| 46 |
|
| 47 |
OK, this is good to know. I am not using kerberos, but I think it was |
| 48 |
installed as a dependency somewhere along the line. |
| 49 |
|
| 50 |
|
| 51 |
> The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio |
| 52 |
> for its own internal use; applications that may play sounds through |
| 53 |
> pulseaudio will create those files automatically. |
| 54 |
> |
| 55 |
> The PostgreSQL.* file is likely also a false positive, but I do not |
| 56 |
> have postgres installed here to confirm. |
| 57 |
|
| 58 |
I can't think why postgres would be flagged up as a warning. I use it for |
| 59 |
akonadi instead of mysql, so unless some email ran a sql injection on it via |
| 60 |
kmail and got access to the database, it should be OK. |
| 61 |
|
| 62 |
All these chrootkit and rkhunter warnings are about /dev/shm/ files/devices. |
| 63 |
Is there something that makes anything in /dev/shm inherently suspicious? |
| 64 |
|
| 65 |
-- |
| 66 |
Regards, |
| 67 |
Mick |
Archives