lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20091026100042.07ac281e.randy.dunlap@oracle.com>
Date:	Mon, 26 Oct 2009 10:00:42 -0700
From:	Randy Dunlap <randy.dunlap@...cle.com>
To:	Gene Heskett <gene.heskett@...izon.net>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: SHMEM question

On Mon, 26 Oct 2009 11:59:04 -0400 Gene Heskett wrote:

> Greetings;
> 
> fedora F10 system, quad core phenom, 4GB ram, ASUS M2N-SLI Deluxe mobo
> kernel-2.6.32-rc5, uptime 2d 11:27 at the moment, and the system feels good.
> 
> rkhunter sent me an email this morning complaining about a data file in 
> /dev/shm.
> 
> On looking at it:
> [root@...ote Download]# ls -l /dev/shm
> total 28
> -rw-r----- 1 root root     4096 2009-10-25 12:09 mono.10594
> -r-------- 1 root root 67108904 2009-10-24 00:28 pulse-shm-3880918577
> -rw-rw-rw- 1 root root       16 2009-10-24 01:17 sem.ADBE_ReadPrefs_root
> -rw-rw-rw- 1 root root       16 2009-10-24 01:17 sem.ADBE_REL_root
> -rw-rw-rw- 1 root root       16 2009-10-24 01:17 sem.ADBE_WritePrefs_root
> 
> On grepping for SHM in the .config, I find SHMEM set to y, but about an hours 
> worth of wandering around in a 'make xconfig' has failed to actually find it.

In xconfig, you can use /f to search for kconfig symbols.

SHMEM is under the General Setup menu (on x86), then under the
Configure standard kernel features (for small systems)
menu (i.e., EMBEDDED, so only shows up when EMBEDDED is enabled).


> That pulse-shm-3880918577 file at over 67 megabytes is all $00 till $04000000 
> into it, then there is 6 non-zero bytes and the rest is back to all balls.
> 
> Is this some indicator of a new rootkit or WTF?
> 
> It was the mono.10594 file that rkhunter-1.3.4 was concerned about.  I, since 
> I can't make a mental connection between SHMEM and /dev/shm, am concerned 
> about that whole tree of data which seems totally out of place in the /dev 
> tree.
> 
> I hate to be a pest but Many Thanks for any enlightenment on this.

Sorry, no idea about that.

---
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ