Re: /dev/shm/r?
On Monday 01 of June 2009, Johann Spies wrote:
> I am a bit worried that my computer has been compromised.
>
> Rkhunter reported:
>
> [10:35:47] Warning: Suspicious file types found in /dev:
> [10:35:47] /dev/shm/r: ASCII text
> [10:35:48] Checking for hidden files and directories [ Warning ]
> [10:35:48] Warning: Hidden directory found: /etc/.java
> [10:35:48] Warning: Hidden directory found: /dev/.udev
> [10:35:48] Warning: Hidden directory found: /dev/.initramfs
>
> I think the last three lines are not problematic but in /dev/shm/r I found:
>
> spawn /bin/bash
> interact
>
> Do I have reason to be worried?
Well, this really looks suspicious. Look for unexpected processes running,
open ports, etc. Directory /dev/shm/ is world-writable like /tmp, so chances
are that the attacker did not gain root yet. But he might have a shell
listening on some port and trying hard to get root using some local exploit.
--
Regards
Vladislav Kurz
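
A read-only triage script for the checks suggested in the reply above (who owns the file in /dev/shm, what that account is running, what is listening), added here as an example and not part of the original thread. The function names are hypothetical, and it assumes `find`, `ps` and either `ss` or `netstat` are installed.

```shell
#!/bin/sh
# Added example: triage of files left in a world-writable tmpfs such as /dev/shm.
# All function names are hypothetical. Nothing here modifies the system.

# List regular files under DIR as "uid<TAB>path". The numeric UID of the
# owner shows which account wrote the file.
shm_files() {
    find "$1" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        uid=$(ls -ldn "$f" | awk '{print $3}')
        printf '%s\t%s\n' "$uid" "$f"
    done
}

# Succeed if FILE holds an Expect "spawn" of a shell binary, like the
# "spawn /bin/bash" line quoted in the post (spawn/interact are Expect commands).
has_expect_spawn() {
    grep -Eq '^[[:space:]]*spawn[[:space:]]+[^[:space:]]*/(ba|da|z|k)?sh([[:space:]]|$)' "$1" 2>/dev/null
}

# Processes owned by UID with elapsed run time, for comparison with the file's mtime.
procs_of_uid() {
    ps -o pid=,ppid=,etime=,args= -u "$1" 2>/dev/null
}

# Listening TCP sockets with owning process (run as root to see every PID).
listeners() {
    if command -v ss >/dev/null 2>&1; then ss -ltnp
    else netstat -ltnp
    fi 2>/dev/null
}

# Full report: each file, its owner, that owner's processes, then listeners.
triage() {
    shm_files "${1:-/dev/shm}" | while IFS="$(printf '\t')" read -r uid path; do
        flag=""
        if has_expect_spawn "$path"; then flag=" [Expect script spawning a shell]"; fi
        echo "== $path (uid $uid)$flag"
        ls -l -- "$path"
        procs_of_uid "$uid"
    done
    echo "== listening TCP sockets"
    listeners
}

# Run the report only when asked: sh triage.sh --report /dev/shm
if [ "${1:-}" = "--report" ]; then triage "${2:-/dev/shm}"; fi
```

If the owning UID belongs to a service account (for example a web server user), that points at the service the file most likely came through, and its logs are the next place to look.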