Rkhunter gives warnings about large shared memory segments and a few strange files
I have been having huge problems with a rootkit virus (or something like that) which was apparently installed on my laptop's BIOS. During the past year I reinstalled Linux Mint multiple times from scratch onto a clean disk (at least 10 times) and the virus would always resurface and start slowing down my system, creating rogue internet connections and even deleting all my passwords from Chrome (as well as from passwords.google.com, even though I never told Chrome to delete all passwords). It was definitely some kind of a virus or rootkit. For instance, Rkhunter gave a warning about a possible rootkit virus in Chrome on my previous Linuxmint installation ("Warning: Network TCP port 32982 is being used by /opt/google/chrome/chrome. Possible rootkit: Solaris Wanuk"). After that, I managed to update my laptop's BIOS, I deleted the old infected Linuxmint installation, and now I am testing a new Linuxmint installation after that BIOS update. This installation feels much faster, which is encouraging, but Rkhunter still reports some warnings. I would like to know if these warnings are false positives or if I should still be concerned.
So I have just installed Linux Mint (Mate) 19.1 on a freshly erased SSD disk (erased from Parted Magic USB with their "00" erasing tool). When I booted into this newly installed Linuxmint, the first thing that I did was to install Rkhunter, update it and run a scan with it. So please keep in mind these are the results from a brand new installation, virtually no other programs were installed except Chrome and Rkhunter. I got a few warnings, here they are:
Code:
[10:54:39] Info: Starting test name 'ipc_shared_mem'
[10:54:39] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1,0MB)
[10:54:40] Checking for suspicious (large) shared memory segments [ Warning ]
[10:54:40] Warning: The following suspicious (large) shared memory segments have been found:
[10:54:41] Process: /usr/bin/caja PID: 1465 Owner: bluelight Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/bin/caja PID: 1465 Owner: bluelight Size: 64MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/bin/nm-connection-editor PID: 1786 Owner: bluelight Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1 PID: 1489 Owner: bluelight Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/bin/caja PID: 1869 Owner: root Size: 16MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/bin/xed PID: 5584 Owner: bluelight Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/lib/thunderbird/thunderbird PID: 5977 Owner: bluelight Size: 3,8MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/lib/thunderbird/thunderbird PID: 5977 Owner: bluelight Size: 3,8MB (configured size allowed: 1,0MB)
[10:55:00] Info: Starting test name 'filesystem'
[10:55:00] Performing filesystem checks
[10:55:00] Info: SCAN_MODE_DEV set to 'THOROUGH'
[10:55:05] Checking /dev for suspicious file types [ Warning ]
[10:55:05] Warning: Suspicious file types found in /dev:
[10:55:05] /dev/shm/mono.2143: data
[10:55:06] Checking for hidden files and directories [ Warning ]
[10:55:06] Warning: Hidden directory found: /etc/.java
[10:55:06] Checking for missing log files [ Skipped ]
[10:55:06] Info: No missing log file names configured.
[10:55:06] Checking for empty log files [ Skipped ]
[10:55:06] Info: No empty log file names configured.
Do you think I should be concerned about these warnings, especially because of this strange file /dev/shm/mono.2143? I tried to view it as a text file, but it just displays some weird characters, and Xed (the text viewer) complains that it has encountered "some invalid characters", so viewing it as text didn't really help; it's not obvious what it is used for.
Btw, caja is portable software provided by my VPN, Airvpn.org. So despite its unusual name, it's a safe application. However, I don't know if Rkhunter's warning about its "shared memory segments" should be a cause for concern.
Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.
As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?
As far as I know, I don't have Silverlight. "Tomboy Notes" is always installed with Linuxmint Mate, as far as I know. Did you mean Tomboy Notes or just Tomboy?
I only installed Linux Mint Mate, and the first time I logged into it I installed Chrome (downloaded from Google's official site and installed with the GDebi package installer). Then I installed Rkhunter and ran the first scan with it. The results above are the lines from that scan that had the prefix "Warning". The "mono" file always appears in Rkhunter's scan results on this installation.
I can see that the file "mono.2143" constantly sits there in /dev/shm/ and seemingly does nothing. It has a little padlock above its icon and a little X mark below its icon. I see sometimes Firefox's (and some other apps') files appearing in that folder only for a few seconds, then they disappear. But that little "mono" file seems to stay there always. It was obviously installed along with Linux Mint.
As I said in the first message, I recently updated my BIOS (first I had to install Windows, because Lenovo doesn't offer any other way of updating the BIOS on my laptop model except through their special Windows application). That procedure seemed to have gone well, and this new installation of Linux Mint is much faster than the previous ones, but I still don't have the feeling that the virus is totally gone. Could it still be somewhere on the SSD, even though I erased it with the Parted Magic erase tool? Or perhaps it can survive a BIOS update and just replicate itself somehow into the new BIOS?
Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.
As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?
Or indeed any program that uses the mono runtime. However, it's difficult to tell sometimes. For example, the Bless hex editor uses the mono runtime and creates a mono.nnn file in /dev/shm. It will normally close this file once the program is terminated.
Generally, any rkhunter warnings about mono.nnn files in /dev/shm can be safely ignored as false positives.
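Before any of these warnings is whitelisted in /etc/rkhunter.conf, as the replies above suggest, it is worth checking what actually owns the shared memory segment or the /dev/shm file. The script below is an added example for this thread, not code from rkhunter or from any poster. It turns the quoted warnings into candidate rkhunter.conf directives (ALLOWIPCPROC, ALLOWDEVFILE and ALLOWHIDDENDIR are real rkhunter options; the regexes, the function names, and the constructed sample log and /proc/sysvipc/shm table are this example's own), lists SysV segments above rkhunter's 1 MB IPC_SEG_SIZE together with the PID that created them, and walks /proc to find which process holds a given /dev/shm file open or mapped.

```python
"""Triage rkhunter warnings before whitelisting them in /etc/rkhunter.conf.

Added example for this thread, not code from rkhunter or from any poster.
SAMPLE_LOG and SAMPLE_SYSV_SHM are constructed to mirror the output quoted
in the thread; the function names are this example's own.
"""
import os
import re

# Constructed: same shape as the rkhunter.log excerpt quoted in the thread.
SAMPLE_LOG = """\
[10:54:41] Process: /usr/bin/caja PID: 1465 Owner: bluelight Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/bin/caja PID: 1465 Owner: bluelight Size: 64MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/bin/nm-connection-editor PID: 1786 Owner: bluelight Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41] Process: /usr/lib/thunderbird/thunderbird PID: 5977 Owner: bluelight Size: 3,8MB (configured size allowed: 1,0MB)
[10:55:05] /dev/shm/mono.2143: data
[10:55:06] Warning: Hidden directory found: /etc/.java
"""

# Constructed: three rows in the column layout of /proc/sysvipc/shm, the table
# that `ipcs -m` reads. Columns used: shmid (1), size (3), cpid (4).
SAMPLE_SYSV_SHM = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0          3  1600               4194304  1465  1465      2  1000  1000  1000  1000 1550000000 1550000001 1550000000               4194304                    0
         0          4  1600              67108864  1465  1465      2  1000  1000  1000  1000 1550000000 1550000001 1550000000              67108864                    0
         0          5  1600                 65536  1786  1786      1  1000  1000  1000  1000 1550000000 1550000001 1550000000                 65536                    0
"""

IPC_RE = re.compile(r"Process: (\S+) PID: (\d+) Owner: (\S+) Size: (\S+)")
DEV_RE = re.compile(r"^\[[\d:]+\] (/dev/\S+): ")
HIDDEN_RE = re.compile(r"Hidden (directory|file) found: (\S+)")


def whitelist_lines(log_text):
    """Map rkhunter warnings to candidate rkhunter.conf directives, one per path.

    ALLOWIPCPROC keys on the executable path, which survives reboots; ALLOWIPCPID
    would not, because PIDs change. For the /dev entry the per-PID suffix of the
    mono file is replaced by a wildcard, which rkhunter.conf permits for ALLOWDEVFILE.
    """
    out = {}                                   # dict keeps insertion order
    for line in log_text.splitlines():
        m = IPC_RE.search(line)
        if m:
            out.setdefault("ALLOWIPCPROC=" + m.group(1), None)
            continue
        m = DEV_RE.match(line)
        if m:
            out.setdefault("ALLOWDEVFILE=" + re.sub(r"\.\d+$", ".*", m.group(1)), None)
            continue
        m = HIDDEN_RE.search(line)
        if m:
            key = "ALLOWHIDDENDIR" if m.group(1) == "directory" else "ALLOWHIDDENFILE"
            out.setdefault(key + "=" + m.group(2), None)
    return list(out)


def large_sysv_segments(shm_table, min_bytes=1048576):
    """Return [(shmid, size, cpid)] for SysV segments of at least min_bytes.

    min_bytes mirrors rkhunter's IPC_SEG_SIZE default (1048576). cpid is the
    creating process: check `readlink /proc/<cpid>/exe` before trusting the segment.
    """
    hits = []
    for row in shm_table.splitlines()[1:]:     # skip the header row
        cols = row.split()
        if len(cols) < 8:
            continue
        shmid, size, cpid = int(cols[1]), int(cols[3]), int(cols[4])
        if size >= min_bytes:
            hits.append((shmid, size, cpid))
    return hits


def holders_of(path):
    """Return {pid: exe} for every process holding `path` open or mapped.

    Walks /proc/<pid>/fd and, if the fd was closed after mmap, /proc/<pid>/maps.
    Other users' processes are only readable as root, so run it as root; returns
    {} when /proc is absent or nothing readable holds the file.
    """
    found = {}
    if not os.path.isdir("/proc"):
        return found
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        held = False
        try:
            for fd in os.listdir(f"{base}/fd"):
                try:
                    held = os.readlink(f"{base}/fd/{fd}") == path
                except OSError:                # fd closed between listdir and readlink
                    continue
                if held:
                    break
            if not held:                        # fd closed, mapping still live
                with open(f"{base}/maps") as maps:
                    held = any(line.rstrip().endswith(" " + path) for line in maps)
        except OSError:                         # process exited, or not ours
            continue
        if held:
            try:
                found[int(pid)] = os.readlink(f"{base}/exe")
            except OSError:
                found[int(pid)] = "?"
    return found


if __name__ == "__main__":
    for directive in whitelist_lines(SAMPLE_LOG):
        print(directive)
    for shmid, size, cpid in large_sysv_segments(SAMPLE_SYSV_SHM):
        print(f"shmid {shmid}: {size // 1048576} MB, created by pid {cpid}")
    print(holders_of("/dev/shm/mono.2143") or "no readable process holds /dev/shm/mono.2143")
```

The intended order of operations: run holders_of("/dev/shm/mono.2143") as root; if the reported exe is tomboy or another mono application, the ALLOWDEVFILE line is justified; if nothing readable holds the file yet it persists across logins, compare its mtime with the boot time before accepting it. A whitelist entry silences the warning permanently, so it should follow the check rather than replace it.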
So, can we conclude that the "mono.2143" file was probably created by Tomboy Notes?
I see that when I start Tomboy Notes and use it a little, one more file appears in /dev/shm/, such as "mono.29107". However, that file is not locked like "mono.2143", and it always disappears once Tomboy Notes is closed. I must say, as much as I'd like to believe it's because of Tomboy Notes, the mono file still looks suspicious.
Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.
As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?
Earlier I whitelisted some warnings myself; soon these faded from my faulty human memory, and I needed to re-read older notes after upgrades.
On the third re-read of it all, I decided to change my approach: leave the warnings there, since it's easier to remember that they are not great concerns, and concentrate on newer warnings which may appear.