On Monday 01 of June 2009, Johann Spies wrote:
> I am a bit worried that my computer has been compromised.
> Rkhunter reported:
> [10:35:47] Warning: Suspicious file types found in /dev:
> [10:35:47] /dev/shm/r: ASCII text
> [10:35:48] Checking for hidden files and directories [ Warning
> [10:35:48] Warning: Hidden directory found: /etc/.java
> [10:35:48] Warning: Hidden directory found: /dev/.udev
> [10:35:48] Warning: Hidden directory found: /dev/.initramfs
> I think the last three lines are not problematic but in /dev/shm/r I found:
> spawn /bin/bash
> Do I have reason to be worried?
Well, this really looks suspicious. Look for unexpected processes running,
open ports, etc. The directory /dev/shm/ is world-writable like /tmp, so chances
are that the attacker has not gained root yet. But he might have a shell
listening on some port and be trying hard to get root using some local exploit.
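
The checks suggested in the reply above (files in /dev/shm, processes running from it, listening ports and their owners), as an added example that is not part of the original thread. The function names and the PROC_ROOT variable are this example's own; it reads only /proc and the directory given.

```shell
# Added triage sketch, not part of the original thread. PROC_ROOT is this
# example's own knob (default /proc) so it can read a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Regular files under a world-writable dir, with numeric owner and mtime.
list_files() {
    find "$1" -xdev -type f -exec ls -ln {} + 2>/dev/null
}

# "pid link target" for processes whose exe or cwd is under the dir.
# A binary deleted after launch still shows up as "<path> (deleted)".
procs_under() {
    for p in "$PROC_ROOT"/[0-9]*; do
        for l in exe cwd; do
            t=$(readlink "$p/$l" 2>/dev/null) || continue
            case "$t" in "$1"|"$1"/*) echo "${p##*/} $l $t" ;; esac
        done
    done
}

# "port uid inode" for every TCP socket in LISTEN state (st == 0A).
listeners() {
    for f in "$PROC_ROOT/net/tcp" "$PROC_ROOT/net/tcp6"; do
        [ -r "$f" ] || continue
        while read -r _ laddr _ st _ _ _ uid _ inode _; do
            [ "$st" = "0A" ] || continue
            echo "$((0x${laddr##*:})) $uid $inode"
        done < "$f"
    done
}

# PID that holds a socket inode, found through its fd symlinks.
pid_for_inode() {
    for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        p=${fd#"$PROC_ROOT"/}; echo "${p%%/*}"; return 0
    done
    return 1
}

triage() {
    echo "== files in $1"; list_files "$1"
    echo "== processes running from $1"; procs_under "$1"
    echo "== listening TCP ports: port uid pid"
    listeners | while read -r port uid inode; do
        echo "$port $uid $(pid_for_inode "$inode" || echo '?')"
    done
}
if [ -n "${1:-}" ]; then triage "$1"; fi
```

Run it as root with `/dev/shm` as the argument; without root, the exe, cwd and fd links of other users' processes are unreadable and their PIDs show as `?`.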