2009-10-26 16:59:38

by Gene Heskett

Subject: SHMEM question

Greetings;

fedora F10 system, quad core phenom, 4GB ram, ASUS M2N-SLI Deluxe mobo
kernel-2.6.32-rc5, uptime 2d 11:27 at the moment, and the system feels good.

rkhunter sent me an email this morning complaining about a data file in
/dev/shm.

On looking at it:
[root@coyote Download]# ls -l /dev/shm
total 28
-rw-r----- 1 root root 4096 2009-10-25 12:09 mono.10594
-r-------- 1 root root 67108904 2009-10-24 00:28 pulse-shm-3880918577
-rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_ReadPrefs_root
-rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_REL_root
-rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_WritePrefs_root

On grepping for SHM in the .config, I find SHMEM set to y, but about an hour's
worth of wandering around in a 'make xconfig' has failed to actually find it.

That pulse-shm-3880918577 file at over 67 megabytes is all $00 till $04000000
into it, then there are 6 non-zero bytes and the rest is back to all balls.

Is this some indicator of a new rootkit or WTF?

It was the mono.10594 file that rkhunter-1.3.4 was concerned about. I, since
I can't make a mental connection between SHMEM and /dev/shm, am concerned
about that whole tree of data which seems totally out of place in the /dev
tree.

I hate to be a pest but Many Thanks for any enlightenment on this.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.
<https://www.nrahq.org/nrabonus/accept-membership.asp>

Microsoft is to Software as McDonalds is to Cuisine.


2009-10-26 17:05:13

by Randy Dunlap

Subject: Re: SHMEM question

On Mon, 26 Oct 2009 11:59:04 -0400 Gene Heskett wrote:

> Greetings;
>
> fedora F10 system, quad core phenom, 4GB ram, ASUS M2N-SLI Deluxe mobo
> kernel-2.6.32-rc5, uptime 2d 11:27 at the moment, and the system feels good.
>
> rkhunter sent me an email this morning complaining about a data file in
> /dev/shm.
>
> On looking at it:
> [root@coyote Download]# ls -l /dev/shm
> total 28
> -rw-r----- 1 root root 4096 2009-10-25 12:09 mono.10594
> -r-------- 1 root root 67108904 2009-10-24 00:28 pulse-shm-3880918577
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_ReadPrefs_root
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_REL_root
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_WritePrefs_root
>
> On grepping for SHM in the .config, I find SHMEM set to y, but about an hour's
> worth of wandering around in a 'make xconfig' has failed to actually find it.

In xconfig, you can use /f to search for kconfig symbols.

SHMEM is under the General Setup menu (on x86), then under the
Configure standard kernel features (for small systems)
menu (i.e., EMBEDDED, so only shows up when EMBEDDED is enabled).


> That pulse-shm-3880918577 file at over 67 megabytes is all $00 till $04000000
> into it, then there are 6 non-zero bytes and the rest is back to all balls.
>
> Is this some indicator of a new rootkit or WTF?
>
> It was the mono.10594 file that rkhunter-1.3.4 was concerned about. I, since
> I can't make a mental connection between SHMEM and /dev/shm, am concerned
> about that whole tree of data which seems totally out of place in the /dev
> tree.
>
> I hate to be a pest but Many Thanks for any enlightenment on this.

Sorry, no idea about that.

---
~Randy

2009-10-26 19:47:47

by Valdis Klētnieks

Subject: Re: SHMEM question

On Mon, 26 Oct 2009 11:59:04 EDT, Gene Heskett said:

> -r-------- 1 root root 67108904 2009-10-24 00:28 pulse-shm-3880918577

> That pulse-shm-3880918577 file at over 67 megabytes is all $00 till $04000000
> into it, then there are 6 non-zero bytes and the rest is back to all balls.
>
> Is this some indicator of a new rootkit or WTF?

No, it's pulseaudio. It uses shared mem to move audio data between client
programs and the pulseaudio server.



2009-10-27 13:25:46

by Gabor Gombas

Subject: Re: SHMEM question

On Mon, Oct 26, 2009 at 11:59:04AM -0400, Gene Heskett wrote:

> On looking at it:
> [root@coyote Download]# ls -l /dev/shm
> total 28
> -rw-r----- 1 root root 4096 2009-10-25 12:09 mono.10594
> -r-------- 1 root root 67108904 2009-10-24 00:28 pulse-shm-3880918577
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_ReadPrefs_root
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_REL_root
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_WritePrefs_root
>
> On grepping for SHM in the .config, I find SHMEM set to y, but about an hour's
> worth of wandering around in a 'make xconfig' has failed to actually find it.

No wonder, it has nothing to do with the kernel. glibc uses /dev/shm to
implement POSIX shared memory, see shm_overview(7).

> That pulse-shm-3880918577 file at over 67 megabytes is all $00 till $04000000
> into it, then there are 6 non-zero bytes and the rest is back to all balls.

If it bothers you then do not use pulseaudio.

> Is this some indicator of a new rootkit or WTF?

Not necessarily. However, since most people never look into /dev/shm,
it's not a bad place to hide data. But it will go away at reboot, so
it's not that useful for a rootkit.

Gabor

--
---------------------------------------------------------
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
---------------------------------------------------------
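The triage step the thread leaves implicit is tying each /dev/shm entry back to the process that holds it (pulse-shm-* to pulseaudio, mono.* to a mono process), and flagging entries nobody holds. This is an added example, not code from anyone in the thread; it reads /proc/PID/maps and /proc/PID/fd, which is Linux-specific and needs root to see other users' processes, and the sample maps text and PIDs below are constructed.

```python
"""Attribute /dev/shm files to the processes that map or hold them open."""
import os
import re
from collections import defaultdict

SHM_PREFIX = "/dev/shm/"
# /proc/PID/maps: address perms offset dev inode [pathname]; a segment that was
# unlinked while still mapped shows up with a trailing " (deleted)" and is
# invisible to ls, which is why maps is checked in addition to the fd table.
MAPS_RE = re.compile(
    r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/dev/shm/.*?)(?P<deleted> \(deleted\))?$")


def parse_maps(pid, comm, maps_text, holders):
    """Record (pid, comm) under every /dev/shm path mapped in one maps text."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            key = m.group("path") + (" (deleted)" if m.group("deleted") else "")
            holders[key].add((pid, comm))
    return holders


def attribute_live(proc_root="/proc"):
    """Scan a live /proc tree; returns {shm_path: {(pid, comm), ...}}."""
    holders = defaultdict(set)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc_root}/{pid}/maps") as f:
                parse_maps(pid, comm, f.read(), holders)
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                target = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
                if target.startswith(SHM_PREFIX):
                    holders[target].add((pid, comm))
        except OSError:
            continue  # process exited, or not readable without root
    return holders


def orphans(holders, listing):
    """Names from an ls of /dev/shm that no running process maps or holds open.
    sem.* files are POSIX named semaphores (sem_open) and are normally orphaned
    between uses, so they are reported but are not by themselves suspicious."""
    return sorted(name for name in listing if SHM_PREFIX + name not in holders)
```

Run `attribute_live()` as root and diff its keys against `os.listdir("/dev/shm")`; a name that is held only as "(deleted)" is the case where a segment is in use but absent from ls.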