I run chkrootkit and rkhunter on my laptop. Suddenly I noticed this in my logs:
/dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation Windigo installetd

Then, rkhunter shows:

[20:23:27] Info: Starting test name 'filesystem'
[20:23:27] Performing filesystem checks
[20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
[20:23:33]   Checking /dev for suspicious file types         [ Warning ]
[20:23:33] Warning: Suspicious file types found in /dev:
[20:23:33]          /dev/shm/pulse-shm-3629268439: data
[20:23:33]          /dev/shm/pulse-shm-2350047684: data
[20:23:33]          /dev/shm/pulse-shm-2469735543: data
[20:23:33]          /dev/shm/pulse-shm-2586322339: data
[20:23:33]          /dev/shm/PostgreSQL.1804289383: data
[20:23:34]   Checking for hidden files and directories       [ Warning ]
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
[20:23:34]   Checking for missing log files                  [ Skipped ]
[20:23:34]   Checking for empty log files                    [ Skipped ]

I searched on the errors and arrived at this FAQ: https://www.cert-bund.de/ebury-faq

Now, I frequently log in using ssh into remote servers and LAN boxen for admin purposes, but not the other way around. Is my box compromised, or is this two false positives in a row? Are you getting anything similar on your systems?

--
Regards,
Mick
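As an added example (not part of Mick's message, nor code from chkrootkit or rkhunter), a small Python triage helper for warnings like the ones above: it parses rkhunter output for flagged paths, sorts each one into "matches what PulseAudio, PostgreSQL or MIT Kerberos are known to create" versus "unknown", and, on a live Linux box, reads /proc/*/maps to show which process actually holds each /dev/shm segment. The sample log is constructed from the post's warnings; the `sem.hidden` entry is invented to exercise the unknown branch. The name patterns are an assumption about normal output, not proof that a file is harmless, which is why the process-mapping check is included: a pulse-shm-* segment mapped by nothing but an unfamiliar process deserves a closer look even though its name is expected.

```python
import re
import sys
from pathlib import Path

# Constructed sample, modelled on the rkhunter warnings quoted in the post.
# "/dev/shm/sem.hidden" is invented so that the unknown branch is exercised.
SAMPLE_LOG = """\
[20:23:33] Warning: Suspicious file types found in /dev:
[20:23:33]          /dev/shm/pulse-shm-3629268439: data
[20:23:33]          /dev/shm/pulse-shm-2469735543: data
[20:23:33]          /dev/shm/PostgreSQL.1804289383: data
[20:23:33]          /dev/shm/sem.hidden: data
[20:23:34]   Checking for hidden files and directories       [ Warning ]
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
"""

# rkhunter reports a flagged object as an absolute path followed by ": <file type>".
# The "found in /dev:" header line has no ": " after the path, so it is skipped.
FLAGGED_RE = re.compile(r"(/[^\s:]+): ")

EXPECTED_PULSE = "expected: PulseAudio shared-memory segment"
EXPECTED_PGSQL = "expected: PostgreSQL shared-memory segment"
EXPECTED_KRB5 = "expected: MIT Kerberos man page (dot-prefixed by design)"
UNKNOWN = "unknown: investigate"

# Name patterns (assumed here, not taken from rkhunter) of files these
# services are known to create.  A match says "looks normal", nothing more.
KNOWN_PATTERNS = [
    (re.compile(r"^/dev/shm/pulse-shm-\d+$"), EXPECTED_PULSE),
    (re.compile(r"^/dev/shm/PostgreSQL\.\d+$"), EXPECTED_PGSQL),
    (re.compile(r"^/usr/share/man/man5/\.k5(login|identity)\.5$"), EXPECTED_KRB5),
]


def parse_flagged_paths(log_text):
    """Extract every path rkhunter flagged, in the order it was reported."""
    paths = []
    for line in log_text.splitlines():
        m = FLAGGED_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def classify(path):
    """Map one flagged path to a verdict string."""
    for pattern, verdict in KNOWN_PATTERNS:
        if pattern.match(path):
            return verdict
    return UNKNOWN


def triage(log_text):
    """Verdict per flagged path, keyed by path."""
    return {p: classify(p) for p in parse_flagged_paths(log_text)}


def mapping_processes(path, proc_root="/proc"):
    """Live check (Linux only): (pid, comm) of every process that maps `path`.

    Shared-memory files in /dev/shm are mmap()ed by their owner, so the last
    field of a /proc/<pid>/maps line names the backing file.  Returns [] when
    /proc is unavailable or nothing maps the path.
    """
    holders = []
    root = Path(proc_root)
    if not root.is_dir():
        return holders
    for pid_dir in root.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            maps = (pid_dir / "maps").read_text()
        except OSError:  # process exited, or not ours to read
            continue
        for line in maps.splitlines():
            fields = line.split(None, 5)
            # fields[5] is the pathname; "(deleted)" may be appended to it
            if len(fields) == 6 and fields[5].split(" (deleted)")[0] == path:
                try:
                    comm = (pid_dir / "comm").read_text().strip()
                except OSError:
                    comm = "?"
                holders.append((int(pid_dir.name), comm))
                break
    return holders


if __name__ == "__main__":
    # Usage: python triage.py [rkhunter.log]; without an argument the sample is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, verdict in triage(text).items():
        holders = mapping_processes(path)
        who = ", ".join(f"{comm}[{pid}]" for pid, comm in holders) or "no live mapping found"
        print(f"{verdict:58} {path}  ({who})")
```

Run against a saved rkhunter log after a warning, and read the third column before the first two: an "expected" name held by pulseaudio or postgres is the common false-positive pattern, while an "expected" name held by nothing, or by a process you cannot account for, is what to follow up on.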