On Mar 4, 2011, at 2:30 PM, dan (ddp) wrote:

> I haven't done much research into this, but my guess would be that
> this is a false positive.
> /dev/shm seems to be some strange shared memory access.
> lsof is claiming that those files are deleted (type = DEL).
>
> My best guess would be that this is some kind of strange interaction
> between /dev/shm, the clustering stuff, and OSSEC's checks. I'd hit up
> support at redhat to see if they have any thoughts on the matter.
This happens when a file is deleted underneath an OSSEC rootkit scan. I've seen it a few times and every time it happens it's the same explanation.

---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
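
The race described in this reply, as an added example that is not part of the original message and is not OSSEC's code: it assumes a simplified hidden-file check that lists a directory and then calls lstat on each name, and shows how re-listing the directory separates a file deleted mid-scan from one that is still listed but cannot be stat'ed. The `between_steps` hook and the file names are hypothetical, constructed so the race is deterministic.

```python
import os
import tempfile


def scan(directory, between_steps=None):
    """Model of a hidden-file check: list names, then lstat each one.

    between_steps is a hypothetical hook that runs after the listing and
    before the lstat pass, to make the race deterministic for the demo.
    Returns (naive_alerts, confirmed_alerts).
    """
    names = os.listdir(directory)          # step 1: snapshot of directory entries
    if between_steps:
        between_steps()                    # another process deletes a file here
    naive, confirmed = [], []
    for name in sorted(names):
        try:
            os.lstat(os.path.join(directory, name))   # step 2: stat each entry
        except FileNotFoundError:
            # Listed but not stat-able: a naive check reports this as hidden.
            naive.append(name)
            # Re-list: a name that has vanished from the listing as well was
            # deleted mid-scan; one that is still listed stays suspicious.
            if name in os.listdir(directory):
                confirmed.append(name)
    return naive, confirmed


def demo():
    """Constructed scenario: a short-lived file is removed during the scan."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("segment.tmp", "stable.dat"):   # constructed file names
            with open(os.path.join(d, name), "w") as fh:
                fh.write("x")
        return scan(d, lambda: os.unlink(os.path.join(d, "segment.tmp")))


if __name__ == "__main__":
    naive, confirmed = demo()
    print("naive alerts:    ", naive)
    print("after re-listing:", confirmed)
```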
