| 1 |
I run chkrootkit and rkhunter on my laptop. Suddenly I noticed this in my |
| 2 |
logs: |
| 3 |
|
| 4 |
/dev/shm/pulse-shm-2469735543 |
| 5 |
Possible Linux/Ebury - Operation Windigo installetd |
| 6 |
|
| 7 |
|
| 8 |
Then, rkhunter shows: |
| 9 |
|
| 10 |
[20:23:27] Info: Starting test name 'filesystem' |
| 11 |
[20:23:27] Performing filesystem checks |
| 12 |
[20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH' |
| 13 |
[20:23:33] Checking /dev for suspicious file types [ Warning ] |
| 14 |
[20:23:33] Warning: Suspicious file types found in /dev: |
| 15 |
[20:23:33] /dev/shm/pulse-shm-3629268439: data |
| 16 |
[20:23:33] /dev/shm/pulse-shm-2350047684: data |
| 17 |
[20:23:33] /dev/shm/pulse-shm-2469735543: data |
| 18 |
[20:23:33] /dev/shm/pulse-shm-2586322339: data |
| 19 |
[20:23:33] /dev/shm/PostgreSQL.1804289383: data |
| 20 |
[20:23:34] Checking for hidden files and directories [ Warning ] |
| 21 |
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff |
| 22 |
or preprocessor input, ASCII text |
| 23 |
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: |
| 24 |
troff or preprocessor input, ASCII text |
| 25 |
[20:23:34] Checking for missing log files [ Skipped ] |
| 26 |
[20:23:34] Checking for empty log files [ Skipped ] |
| 27 |
|
| 28 |
|
| 29 |
I search on the errors and I arrive at this FAQs: |
| 30 |
|
| 31 |
https://www.cert-bund.de/ebury-faq |
| 32 |
|
| 33 |
|
| 34 |
Now, I frequently login using ssh into remote servers and LAN boxen for admin |
| 35 |
purposes, but not the other way around. Is my box compromised, or is this two |
| 36 |
false positives in a row? |
| 37 |
|
| 38 |
Are you getting anything similar on your systems? |
| 39 |
-- |
| 40 |
Regards, |
| 41 |
Mick |
Archives