
Re: /dev/shm/r?



On Monday 01 of June 2009, Johann Spies wrote:
> I am a bit worried that my computer has been compromised.
>
> Rkhunter reported:
>
> [10:35:47] Warning: Suspicious file types found in /dev:
> [10:35:47]          /dev/shm/r: ASCII text
> [10:35:48]   Checking for hidden files and directories       [ Warning ]
> [10:35:48] Warning: Hidden directory found: /etc/.java
> [10:35:48] Warning: Hidden directory found: /dev/.udev
> [10:35:48] Warning: Hidden directory found: /dev/.initramfs
>
> I think the last three lines are not problematic but in /dev/shm/r I found:
>
> spawn /bin/bash
> interact
>
> Do I have reason to be worried?

Well, this really looks suspicious. Look for unexpected processes running, 
open ports, etc. Directory /dev/shm/ is world-writable like /tmp, so chances 
are that the attacker did not gain root yet. But he might have a shell 
listening on some port and trying hard to get root using some local exploit.

-- 
Regards
        Vladislav Kurz
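
The checks suggested in the reply above, as an added triage sketch that is not part of the original thread: it inventories a world-writable directory, flags expect scripts that spawn a shell (the pattern found in /dev/shm/r), and lists processes and listening sockets. The function names are hypothetical; it assumes Linux with /proc, GNU find/stat/grep, and ss or netstat.

```shell
#!/bin/sh
# Added example: triage of a world-writable tmpfs directory (default /dev/shm).
# All function names are hypothetical. Run as root to see every process.

# list_files DIR: owner, mode, mtime and path of every regular file
list_files() {
    find "$1" -xdev -type f -exec stat -c '%U %a %y %n' {} + 2>/dev/null || true
}

# flag_expect_shells DIR: small files containing an expect "spawn <shell>" line
flag_expect_shells() {
    find "$1" -xdev -type f -size -64k -exec grep -lE \
        '^[[:space:]]*spawn[[:space:]]+(/[^[:space:]]*/)?(ba|da|z|k)?sh([[:space:]]|$)' \
        {} + 2>/dev/null || true
}

# procs_using DIR: PIDs whose cwd, exe or an open fd resolves into DIR.
# Legitimate POSIX shared-memory users also appear here; review each hit.
# Targets ending in "(deleted)" are files unlinked while still in use.
procs_using() {
    for p in /proc/[0-9]*; do
        for l in "$p/cwd" "$p/exe" "$p"/fd/*; do
            t=$(readlink "$l" 2>/dev/null) || continue
            case "$t" in
                "$1"|"$1"/*) echo "${p#/proc/} $l -> $t"; break ;;
            esac
        done
    done
}

# triage DIR: run all checks, then list listening TCP/UDP sockets with owners
triage() {
    echo "== regular files in $1";                  list_files "$1"
    echo "== expect scripts spawning a shell";      flag_expect_shells "$1"
    echo "== processes with cwd/exe/fd under $1";   procs_using "$1"
    echo "== listening sockets"
    ss -lntup 2>/dev/null || netstat -lntup
}

# Only run the full triage when asked: ./triage.sh --run [DIR]
case "${1:-}" in
    --run) triage "${2:-/dev/shm}" ;;
esac
```

Note the owner and mtime of any flagged file: the owning account indicates which user or service was used to write it, and the timestamp gives a starting point for log review.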

