I run chkrootkit and rkhunter on my laptop. Suddenly I noticed this in my
logs:

/dev/shm/pulse-shm-2469735543
Possible Linux/Ebury - Operation Windigo installetd


Then, rkhunter shows:

[20:23:27] Info: Starting test name 'filesystem'
[20:23:27] Performing filesystem checks
[20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
[20:23:33] Checking /dev for suspicious file types [ Warning ]
[20:23:33] Warning: Suspicious file types found in /dev:
[20:23:33] /dev/shm/pulse-shm-3629268439: data
[20:23:33] /dev/shm/pulse-shm-2350047684: data
[20:23:33] /dev/shm/pulse-shm-2469735543: data
[20:23:33] /dev/shm/pulse-shm-2586322339: data
[20:23:33] /dev/shm/PostgreSQL.1804289383: data
[20:23:34] Checking for hidden files and directories [ Warning ]
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
[20:23:34] Checking for missing log files [ Skipped ]
[20:23:34] Checking for empty log files [ Skipped ]


I searched on the errors and arrived at this FAQ:

https://www.cert-bund.de/ebury-faq


Now, I frequently log in using ssh into remote servers and LAN boxen for admin
purposes, but not the other way around. Is my box compromised, or are these two
false positives in a row?

Are you getting anything similar on your systems?
--
Regards,
Mick
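The chkrootkit line names a /dev/shm segment right before the Ebury message, so the useful first step is to establish what each segment rkhunter lists actually is and which process holds it open, rather than trusting the file name alone. The triage script below is an added example, not code from the post, chkrootkit or rkhunter; it assumes a Linux host with /proc, and the pulse-shm-*/PostgreSQL.* naming patterns and the sample log lines are taken from the output above (the embedded log excerpt is constructed from them).

```python
import os
import re
from pathlib import Path

# Constructed excerpt of the rkhunter output quoted in the post.
SAMPLE_LOG = """\
[20:23:33] Warning: Suspicious file types found in /dev:
[20:23:33] /dev/shm/pulse-shm-3629268439: data
[20:23:33] /dev/shm/PostgreSQL.1804289383: data
"""

# rkhunter detail lines look like "[HH:MM:SS] /dev/shm/<name>: <file(1) type>".
RKHUNTER_DEV_LINE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(/dev/\S+): (.+)$")

# Naming patterns of well-known /dev/shm users and the process name expected to
# hold the segment (assumption: PulseAudio desktop and a local PostgreSQL).
KNOWN_CREATORS = {
    re.compile(r"^/dev/shm/pulse-shm-\d+$"): "pulseaudio",
    re.compile(r"^/dev/shm/PostgreSQL\.\d+$"): "postgres",
}

def parse_dev_warnings(log_text):
    """Return [(path, filetype), ...] for rkhunter's /dev warning detail lines."""
    hits = []
    for line in log_text.splitlines():
        m = RKHUNTER_DEV_LINE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

def expected_creator(path):
    """Process name implied by the segment's naming pattern, or None if unknown."""
    for pattern, proc in KNOWN_CREATORS.items():
        if pattern.match(path):
            return proc
    return None

def processes_mapping(path):
    """Names (from /proc/<pid>/comm) of processes that currently map `path`."""
    holders = set()
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            if path in (proc / "maps").read_text():
                holders.add((proc / "comm").read_text().strip())
        except OSError:
            continue  # process exited, or not readable as this user
    return holders

def triage(path):
    """'missing', 'orphan' (nothing maps it), 'expected' or 'unexpected' holder."""
    if not os.path.exists(path):
        return "missing"  # transient segment already gone, or cleaned up
    holders = processes_mapping(path)
    if not holders:
        return "orphan"  # stale, or an owner you cannot see: inspect by hand
    want = expected_creator(path)
    return "expected" if want in holders else "unexpected"
```

Run `triage` on each path from `parse_dev_warnings(SAMPLE_LOG)` on the affected box; a pulse-shm segment mapped only by pulseaudio is the normal desktop case, while an "orphan" or "unexpected" result is what deserves a closer look.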