On 04/14/2016 04:40 PM, Mick wrote:
> I run chkrootkit and rkhunter on my laptop. Suddenly I noticed
> this in my logs:
>
> /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation Windigo installetd
>
>
> Then, rkhunter shows:
>
> [20:23:27] Info: Starting test name 'filesystem'
> [20:23:27] Performing filesystem checks
> [20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
> [20:23:33] Checking /dev for suspicious file types [ Warning ]
> [20:23:33] Warning: Suspicious file types found in /dev:
> [20:23:33] /dev/shm/pulse-shm-3629268439: data
> [20:23:33] /dev/shm/pulse-shm-2350047684: data
> [20:23:33] /dev/shm/pulse-shm-2469735543: data
> [20:23:33] /dev/shm/pulse-shm-2586322339: data
> [20:23:33] /dev/shm/PostgreSQL.1804289383: data
> [20:23:34] Checking for hidden files and directories [ Warning ]
> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
> [20:23:34] Checking for missing log files [ Skipped ]
> [20:23:34] Checking for empty log files [ Skipped ]
>
>
> I search on the errors and I arrive at this FAQ:
>
> https://www.cert-bund.de/ebury-faq
>
>
> Now, I frequently login using ssh into remote servers and LAN boxen
> for admin purposes, but not the other way around. Is my box
> compromised, or are these two false positives in a row?
>
> Are you getting anything similar on your systems?
>

The hidden files in /usr/share/man/man5 are definitely false
positives. These two files are installed by the app-crypt/mit-krb5
package, and just allow you to type "man .k5login" instead of "man
k5login" to get information about the ".k5login" file that you might
want to create in your home directory (if using kerberos).

The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio
for its own internal use; applications that may play sounds through
pulseaudio will create those files automatically.

The PostgreSQL.* file is likely also a false positive, but I do not
have postgres installed here to confirm.

--
Jonathan Callen
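Added example, not part of the thread: a small POSIX shell helper that turns the reasoning in Jonathan's reply into checks you can run yourself. It pulls the flagged paths out of rkhunter lines like those Mick quoted, asks Gentoo's package database which installed package owns a path (the .k5login.5 man page should come back as app-crypt/mit-krb5), and lists the processes that still have a /dev/shm segment mapped. It assumes a Gentoo /var/db/pkg layout (one CONTENTS file per installed package) and a Linux /proc; the sample log lines are constructed from Mick's quote.

```shell
#!/bin/sh
# Triage helper for rkhunter "suspicious file" warnings (added example, not from the thread).
# Assumptions: a Gentoo system whose package database lives under /var/db/pkg
# (one CONTENTS file per installed package) and a Linux /proc.

# Constructed sample: three of the rkhunter lines quoted above, in both shapes rkhunter uses.
RKLOG_SAMPLE='[20:23:33] /dev/shm/pulse-shm-3629268439: data
[20:23:33] /dev/shm/PostgreSQL.1804289383: data
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text'

# Print the absolute path from each rkhunter line of the form
#   "[hh:mm:ss] /path: filetype"  or  "[hh:mm:ss] Warning: Hidden file found: /path: filetype".
rk_flagged_paths() {
    printf '%s\n' "$1" |
        sed -n 's/^\[[0-9:]*\] \(Warning: Hidden file found: \)\{0,1\}\(\/[^:]*\):.*/\2/p'
}

# Name the installed package (category/name-version) that owns a path, or print nothing.
# CONTENTS lines look like "obj /path md5 mtime" or "sym /path -> target mtime"; a
# fixed-string match on "obj /path " keeps the dots in .k5login.5 from acting as wildcards.
# $2 optionally points at another database root so the check can run against a fixture.
owning_package() {
    path=$1 db=${2:-/var/db/pkg}
    grep -l -F -e "obj $path " -e "sym $path " "$db"/*/*/CONTENTS 2>/dev/null |
        sed "s#^$db/\([^/]*/[^/]*\)/CONTENTS\$#\1#" | head -n 1
}

# For a /dev/shm segment, list the PIDs that currently have it mapped (pulseaudio and its
# clients map pulse-shm-*; postgres backends map PostgreSQL.*). Reading other users' maps
# needs root. A segment that no live process maps is the one worth a closer look.
shm_holders() {
    grep -l -F -- "$1" /proc/[0-9]*/maps 2>/dev/null | cut -d/ -f3 | sort -un
}

# Walk every flagged path and report who accounts for it.
triage() {
    rk_flagged_paths "$1" | while IFS= read -r p; do
        case $p in
            /dev/shm/*) printf '%s: mapped by PIDs %s\n' "$p" "$(shm_holders "$p" | tr '\n' ' ')" ;;
            *) pkg=$(owning_package "$p")
               printf '%s: owned by %s\n' "$p" "${pkg:-no installed package}" ;;
        esac
    done
}

triage "$RKLOG_SAMPLE"
```

A hidden file that no package claims, or a /dev/shm segment that no running process maps, is what merits follow-up; everything the reply lists should come back accounted for.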