John Barton <jbarton@...> writes:
>
> Just curious if anyone has encountered this warning before, I have not been able to find any reports online.
> I have a server hosted in AWS that has been generating rkhunter warnings for the following files almost
> since it was built:
>
> ---------------------- Start Rootkit Hunter Scan ----------------------
> Warning: Suspicious file types found in /dev:
> /dev/shm/mongoc-15989: 8086 relocatable (Microsoft)
> /dev/shm/mongoc-16053: 8086 relocatable (Microsoft)
>
> ----------------------- End Rootkit Hunter Scan -----------------------
>
> The file names change, and they gradually increase over time. If I run strings against one of the files, it is

Hello John

I find a lot of such files on my server too. Splunk seems to be the application using these files:

lsof |grep mongoc
splunkd 7953 root mem REG 144,223 4736 1428742688 /dev/shm/mongoc-7953
splunkd 7953 root mem REG 182,744689 165544 156221 /opt/splunk/lib/libmongoc-1.0.so.0.0.0
splunkd 7954 root mem REG 182,744689 165544 156221 /opt/splunk/lib/libmongoc-1.0.so.0.0.0
splunkd 8034 root mem REG 144,223 4736 1487472321 /dev/shm/mongoc-8034
splunkd 8034 root mem REG 182,744689 165544 156221 /opt/splunk/lib/libmongoc-1.0.so.0.0.0

Regards
/François

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
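
A triage check built from the lsof output in the reply above, added here as an example and not part of the original thread. It assumes, as that output suggests, that the numeric suffix of /dev/shm/mongoc-<N> is the PID of the process mapping the file; the function names, the OWNED/MISMATCH/UNMAPPED labels and the sample wrapper are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether each rkhunter-flagged /dev/shm/mongoc-<N>
# file is explained by a running process, using lsof-style output.
# On a live host (assumption: lsof is installed):
#   lsof 2>/dev/null | classify_mongoc /dev/shm/mongoc-*

# Sample input: the lsof lines quoted in the reply above.
sample_lsof() {
cat <<'EOF'
splunkd 7953 root mem REG 144,223 4736 1428742688 /dev/shm/mongoc-7953
splunkd 7953 root mem REG 182,744689 165544 156221 /opt/splunk/lib/libmongoc-1.0.so.0.0.0
splunkd 7954 root mem REG 182,744689 165544 156221 /opt/splunk/lib/libmongoc-1.0.so.0.0.0
splunkd 8034 root mem REG 144,223 4736 1487472321 /dev/shm/mongoc-8034
splunkd 8034 root mem REG 182,744689 165544 156221 /opt/splunk/lib/libmongoc-1.0.so.0.0.0
EOF
}

# stdin: lsof output (COMMAND PID ... NAME); args: file paths to classify.
# Prints one line per path:
#   OWNED    path cmd      mapped by a process whose PID equals the suffix
#   MISMATCH path cmd/pid  mapped only by a process with a different PID
#   UNMAPPED path          no process in the lsof output has it open
classify_mongoc() {
    lsof_lines=$(cat)
    for f in "$@"; do
        want_pid=${f##*-}          # text after the last '-' in the name
        printf '%s\n' "$lsof_lines" | awk -v f="$f" -v want="$want_pid" '
            $NF == f {
                seen = 1
                if ($2 == want) owner = $1
                else other = $1 "/" $2
            }
            END {
                if (owner != "")  print "OWNED", f, owner
                else if (seen)    print "MISMATCH", f, other
                else              print "UNMAPPED", f
            }'
    done
}

# Demo: the two files from the reply plus one from the rkhunter warning,
# which the sample lsof output does not cover.
sample_lsof | classify_mongoc /dev/shm/mongoc-7953 /dev/shm/mongoc-8034 \
    /dev/shm/mongoc-15989
```

OWNED entries whose command is the expected application are the ones that fit the explanation given in the reply; MISMATCH and UNMAPPED entries are the ones worth inspecting by hand before whitelisting anything.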