On 15/04/2016 07:39, Mick wrote:
> On Thursday 14 Apr 2016 19:43:52 Jonathan Callen wrote:
>> On 04/14/2016 04:40 PM, Mick wrote:
>>> I run chkrootkit and rkhunter on my laptop. Suddenly I noticed
>>> this in my logs:
>>>
>>> /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation
>>> Windigo installetd
>>>
>>>
>>> Then, rkhunter shows:
>>>
>>> [20:23:27] Info: Starting test name 'filesystem'
>>> [20:23:27] Performing filesystem checks
>>> [20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
>>> [20:23:33] Checking /dev for suspicious file types [ Warning ]
>>> [20:23:33] Warning: Suspicious file types found in /dev:
>>> [20:23:33] /dev/shm/pulse-shm-3629268439: data
>>> [20:23:33] /dev/shm/pulse-shm-2350047684: data
>>> [20:23:33] /dev/shm/pulse-shm-2469735543: data
>>> [20:23:33] /dev/shm/pulse-shm-2586322339: data
>>> [20:23:33] /dev/shm/PostgreSQL.1804289383: data
>>> [20:23:34] Checking for hidden files and directories [ Warning ]
>>> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
>>> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
>>> [20:23:34] Checking for missing log files [ Skipped ]
>>> [20:23:34] Checking for empty log files [ Skipped ]
>>>
>>>
>>> I searched on the errors and I arrived at this FAQ:
>>>
>>> https://www.cert-bund.de/ebury-faq
>>>
>>>
>>> Now, I frequently login using ssh into remote servers and LAN boxen
>>> for admin purposes, but not the other way around. Is my box
>>> compromised, or are these two false positives in a row?
>>>
>>> Are you getting anything similar on your systems?
>>
>> The hidden files in /usr/share/man/man5 are definitely false
>> positives. These two files are installed by the app-crypt/mit-krb5
>> package, and just allow you to type "man .k5login" instead of "man
>> k5login" to get information about the ".k5login" file that you might
>> want to create in your home directory (if using kerberos).
>
> OK, this is good to know. I am not using kerberos, but I think it was
> installed as a dependency somewhere along the line.
>
>
>> The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio
>> for its own internal use; applications that may play sounds through
>> pulseaudio will create those files automatically.
>>
>> The PostgreSQL.* file is likely also a false positive, but I do not
>> have postgres installed here to confirm.
>
> I can't think why postgres would be flagged up as a warning. I use it for
> akonadi instead of mysql, so unless some email ran a sql injection on it via
> kmail and got access to the database, it should be OK.
>
> All these chkrootkit and rkhunter warnings are about /dev/shm/ files/devices.
> Is there something that makes anything in /dev/shm inherently suspicious?
>

Nope. It's just a place where shared memory can be used.

By far the most likely is that the script you use has an incomplete list
of things that can be found in there

--
Alan McKinnon
alan.mckinnon@×××××.com
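One way to confirm the benign explanation given in the thread, as an added example that is not part of the original posts: for each /dev/shm path a scanner flags, list the live processes that have it mapped (read from /proc/PID/maps), so a pulse-shm-* segment can be matched to pulseaudio or a sound-playing client rather than to a scanner's whitelist. The PROC_ROOT variable is a hypothetical knob added here so the functions can be exercised against a constructed /proc tree; on a real system it defaults to /proc.

```shell
#!/bin/sh
# Added example, not code from the thread. Maps each flagged /dev/shm file to
# the processes currently mapping it, using the pathname column of
# /proc/<pid>/maps. PROC_ROOT (hypothetical) lets the check run against a
# constructed /proc tree; unset it on a live system.

shm_mappers() {
    # $1: path as printed by the scanner, e.g. /dev/shm/pulse-shm-2469735543
    # Prints one "<pid> <comm>" line per mapping process; nothing if unmapped.
    _file=$1
    _root=${PROC_ROOT:-/proc}
    for _maps in "$_root"/[0-9]*/maps; do
        [ -r "$_maps" ] || continue
        # The pathname is the last, space-separated column of a maps line.
        if grep -q -F -- " $_file" "$_maps" 2>/dev/null; then
            _pid=${_maps%/maps}; _pid=${_pid##*/}
            _comm=$(cat "$_root/$_pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$_pid" "$_comm"
        fi
    done
}

triage_shm() {
    # Reads flagged paths, one per line, on stdin. A segment nobody maps may
    # just be stale, but it cannot be explained by a running audio client,
    # so it is the one worth looking at more closely.
    while IFS= read -r _path; do
        [ -n "$_path" ] || continue
        _who=$(shm_mappers "$_path")
        if [ -n "$_who" ]; then
            printf '%s mapped by: %s\n' "$_path" "$(printf '%s' "$_who" | tr '\n' ',')"
        else
            printf '%s UNMAPPED (no live process)\n' "$_path"
        fi
    done
}
```

Feed it the scanner's list directly, e.g. `grep -o '/dev/shm/[^:]*' rkhunter.log | triage_shm`, and compare the reported comm values against what you expect to be using shared memory on that host.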