On 04/14/2016 04:40 PM, Mick wrote:
> I run chkrootkit and rkhunter on my laptop. Suddenly I noticed
> this in my logs:
>
> /dev/shm/pulse-shm-2469735543 Possible Linux/Ebury - Operation Windigo installetd
>
>
> Then, rkhunter shows:
>
> [20:23:27] Info: Starting test name 'filesystem'
> [20:23:27] Performing filesystem checks
> [20:23:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
> [20:23:33]   Checking /dev for suspicious file types          [ Warning ]
> [20:23:33] Warning: Suspicious file types found in /dev:
> [20:23:33]          /dev/shm/pulse-shm-3629268439: data
> [20:23:33]          /dev/shm/pulse-shm-2350047684: data
> [20:23:33]          /dev/shm/pulse-shm-2469735543: data
> [20:23:33]          /dev/shm/pulse-shm-2586322339: data
> [20:23:33]          /dev/shm/PostgreSQL.1804289383: data
> [20:23:34]   Checking for hidden files and directories        [ Warning ]
> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
> [20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
> [20:23:34]   Checking for missing log files                   [ Skipped ]
> [20:23:34]   Checking for empty log files                     [ Skipped ]
>
>
> I searched on the errors and I arrived at this FAQ:
>
> https://www.cert-bund.de/ebury-faq
>
>
> Now, I frequently login using ssh into remote servers and LAN boxen
> for admin purposes, but not the other way around. Is my box
> compromised, or are these two false positives in a row?
>
> Are you getting anything similar on your systems?
>
The hidden files in /usr/share/man/man5 are definitely false positives. These two files are installed by the app-crypt/mit-krb5 package, and just allow you to type "man .k5login" instead of "man k5login" to get information about the ".k5login" file that you might want to create in your home directory (if using Kerberos).

The files in /dev/shm/ named "pulse-shm-*" are created by pulseaudio for its own internal use; applications that may play sounds through pulseaudio will create those files automatically.

The PostgreSQL.* file is likely also a false positive, but I do not have postgres installed here to confirm.

-- 
Jonathan Callen
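As an added example (not from this thread, nor from rkhunter's own code): a small Python triage script that pulls the flagged paths out of rkhunter output like the lines quoted above, classifies them against the benign origins Jonathan describes, and suggests the rkhunter.conf directive that would silence exactly that finding. ALLOWDEVFILE and ALLOWHIDDENFILE are real rkhunter.conf options; the sample log is constructed from the quoted output, and holders() is an added /proc-based check of which running process has a /dev/shm file open (a benign pulse-shm-* file should resolve to pulseaudio), so the PostgreSQL.* file, which the reply leaves unconfirmed, stays marked for review rather than being whitelisted.

```python
import os
import re
from fnmatch import fnmatch

# Constructed sample of the rkhunter lines quoted in the thread (not a live run).
SAMPLE_LOG = """\
[20:23:33] Warning: Suspicious file types found in /dev:
[20:23:33]          /dev/shm/pulse-shm-3629268439: data
[20:23:33]          /dev/shm/PostgreSQL.1804289383: data
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5login.5: troff or preprocessor input, ASCII text
[20:23:34] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5: troff or preprocessor input, ASCII text
"""

# Benign origins named in the thread, each with the rkhunter.conf directive (ALLOWDEVFILE / ALLOWHIDDENFILE) for it.
BENIGN = [
    ("/dev/shm/pulse-shm-*", "pulseaudio shared memory", "ALLOWDEVFILE=/dev/shm/pulse-shm-*"),
    ("/usr/share/man/man5/.k5login.5", "man page from mit-krb5", "ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5"),
    ("/usr/share/man/man5/.k5identity.5", "man page from mit-krb5", "ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5"),
]

# Timestamp, optional "Warning: Hidden file found: " prefix, then the path up to ": <file type>".
PATH_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(?:Warning: Hidden file found: )?(/\S+?): ")

def parse_warnings(log):
    """Return the absolute paths rkhunter flagged, in log order."""
    return [m.group(1) for line in log.splitlines() if (m := PATH_RE.match(line))]

def classify(path):
    """Return (verdict, reason, whitelist_line); anything unmatched stays 'review'."""
    for pattern, reason, directive in BENIGN:
        if fnmatch(path, pattern):
            return ("benign", reason, directive)
    return ("review", "no known benign origin; verify before whitelisting", None)

def holders(path):
    """PIDs that currently hold `path` open, read from /proc/*/fd (Linux only)."""
    pids = []
    procs = os.listdir("/proc") if os.path.isdir("/proc") else []
    for pid in filter(str.isdigit, procs):
        try:
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == path
                   for fd in os.listdir(f"/proc/{pid}/fd")):
                pids.append(int(pid))
        except OSError:  # process exited, or not ours to inspect
            pass
    return pids

if __name__ == "__main__":
    for path in parse_warnings(SAMPLE_LOG):
        print(path, classify(path), "open in PIDs:", holders(path) if path.startswith("/dev/shm/") else "n/a")
```

Run it against the output of a real `rkhunter --check` (read from the log file instead of SAMPLE_LOG) and only copy a suggested directive into rkhunter.conf once the origin has been confirmed, e.g. by holders() naming a pulseaudio PID or the package manager reporting the file's owner.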