LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-05-2019, 05:09 AM   #1
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 18

Rkhunter gives warnings about large shared memory segments and a few strange files


I have been having huge problems with a rootkit virus (or something like that) which was apparently installed on my laptop's BIOS. During the past year I reinstalled Linux Mint multiple times from scratch onto a clean disk (at least 10 times) and the virus would always resurface and start slowing down my system, creating rogue internet connections and even deleting all my passwords from Chrome (as well as from passwords.google.com, even though I never told Chrome to delete all passwords). It was definitely some kind of a virus or rootkit. For instance, Rkhunter gave a warning about a possible rootkit virus in Chrome on my previous Linuxmint installation ("Warning: Network TCP port 32982 is being used by /opt/google/chrome/chrome. Possible rootkit: Solaris Wanuk"). After that, I managed to update my laptop's BIOS, I deleted the old infected Linuxmint installation, and now I am testing a new Linuxmint installation after that BIOS update. This installation feels much faster, which is encouraging, but Rkhunter still reports some warnings. I would like to know if these warnings are false positives or if I should still be concerned.

So I have just installed Linux Mint (Mate) 19.1 on a freshly erased SSD disk (erased from Parted Magic USB with their "00" erasing tool). When I booted into this newly installed Linuxmint, the first thing that I did was to install Rkhunter, update it and run a scan with it. So please keep in mind these are the results from a brand new installation, virtually no other programs were installed except Chrome and Rkhunter. I got a few warnings, here they are:

Code:
[10:54:39] Info: Starting test name 'ipc_shared_mem'
[10:54:39] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1,0MB)
[10:54:40]   Checking for suspicious (large) shared memory segments [ Warning ]
[10:54:40] Warning: The following suspicious (large) shared memory segments have been found:
[10:54:41]          Process: /usr/bin/caja    PID: 1465    Owner: bluelight    Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/bin/caja    PID: 1465    Owner: bluelight    Size: 64MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/bin/nm-connection-editor    PID: 1786    Owner: bluelight    Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1    PID: 1489    Owner: bluelight    Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/bin/caja    PID: 1869    Owner: root    Size: 16MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/bin/xed    PID: 5584    Owner: bluelight    Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/lib/thunderbird/thunderbird    PID: 5977    Owner: bluelight    Size: 3,8MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/lib/thunderbird/thunderbird    PID: 5977    Owner: bluelight    Size: 3,8MB (configured size allowed: 1,0MB)

[10:55:00] Info: Starting test name 'filesystem'
[10:55:00] Performing filesystem checks
[10:55:00] Info: SCAN_MODE_DEV set to 'THOROUGH'
[10:55:05]   Checking /dev for suspicious file types         [ Warning ]
[10:55:05] Warning: Suspicious file types found in /dev:
[10:55:05]          /dev/shm/mono.2143: data
[10:55:06]   Checking for hidden files and directories       [ Warning ]
[10:55:06] Warning: Hidden directory found: /etc/.java
[10:55:06]   Checking for missing log files                  [ Skipped ]
[10:55:06] Info: No missing log file names configured.
[10:55:06]   Checking for empty log files                    [ Skipped ]
[10:55:06] Info: No empty log file names configured.

Do you think I should be concerned about these warnings, especially because of this strange file /dev/shm/mono.2143? I tried to view it as a text file, but it just displays some weird characters and Xed (the text viewer) complains that it has encountered "some invalid characters", so viewing it in text format didn't really help; it's not obvious what it is used for.

Btw. caja is a portable software provided by my VPN, Airvpn.org. So despite its unusual name, it's a safe application. However, I don't know if Rkhunter's warning about its "shared memory segments" should be a cause for concern.
 
Old 03-05-2019, 10:37 AM   #2
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30
Posts: 160

Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.

As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?
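The whitelisting RickDeckard refers to is done with the ALLOW* directives in /etc/rkhunter.conf (Debian-based systems such as Mint also read /etc/rkhunter.conf.local). The script below is an added example, not code from this thread or from the rkhunter project: it reads warning lines in the format shown in post #1 and prints the directive that would silence each distinct finding, so every entry can be checked against the package that owns the path before it is whitelisted (for a path like /usr/bin/caja, `dpkg -S /usr/bin/caja` names the package; caja is MATE's file manager, not third-party software). The sample log text is constructed from the thread's output plus one hidden-file line; the directive names ALLOWIPCPROC, ALLOWDEVFILE, ALLOWHIDDENDIR and ALLOWHIDDENFILE are rkhunter's own.

```shell
#!/bin/sh
# Added example (not from the thread): turn rkhunter warning lines into the
# matching /etc/rkhunter.conf whitelist directives so each can be reviewed.
# The log lines are a constructed sample in the format rkhunter writes.

SAMPLE_LOG='[10:54:41]          Process: /usr/bin/caja    PID: 1465    Owner: bluelight    Size: 4,0MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/bin/caja    PID: 1465    Owner: bluelight    Size: 64MB (configured size allowed: 1,0MB)
[10:54:41]          Process: /usr/lib/thunderbird/thunderbird    PID: 5977    Owner: bluelight    Size: 3,8MB (configured size allowed: 1,0MB)
[10:55:05] Warning: Suspicious file types found in /dev:
[10:55:05]          /dev/shm/mono.2143: data
[10:55:06] Warning: Hidden directory found: /etc/.java
[10:55:06] Warning: Hidden file found: /dev/.udev/x: ASCII text'

# suggest_whitelist: reads rkhunter log text on stdin, prints one directive
# per distinct finding (duplicate findings, e.g. two segments of one process,
# collapse into a single line).
suggest_whitelist() {
    awk '
        /Process: / {
            # shared-memory segment line: whitelist by executable path
            sub(/.*Process: /, ""); sub(/[ \t]+PID:.*/, "")
            emit("ALLOWIPCPROC=" $0); next
        }
        /Hidden directory found: / {
            sub(/.*Hidden directory found: /, "")
            emit("ALLOWHIDDENDIR=" $0); next
        }
        /Hidden file found: / {
            # "path: filetype" -> keep only the path
            sub(/.*Hidden file found: /, ""); sub(/: .*/, "")
            emit("ALLOWHIDDENFILE=" $0); next
        }
        /\/dev\/[^ ]*: / {
            # suspicious file type in /dev: strip the timestamp and ": type"
            sub(/^\[[0-9:]*\][ \t]*/, ""); sub(/: .*/, "")
            emit("ALLOWDEVFILE=" $0); next
        }
        function emit(line) { if (!(line in seen)) { seen[line] = 1; print line } }
    '
}

# Demo on the constructed sample; on a real system:
#   suggest_whitelist < /var/log/rkhunter.log
printf '%s\n' "$SAMPLE_LOG" | suggest_whitelist
```

Treat the output as a review list, not as lines to paste blindly: only add a directive once the path resolves to a package you expect on the machine. If the shared-memory warnings are just the desktop's usual GTK and Mozilla segments, raising rkhunter's IPC_SEG_SIZE threshold in the same file is an alternative to listing each process.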
 
Old 03-05-2019, 12:43 PM   #3
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 18

Original Poster
Quote:
Originally Posted by RickDeckard
Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.

As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?

As far as I know, I don't have Silverlight. "Tomboy Notes" is always installed with Linuxmint Mate, as far as I know. Did you mean Tomboy Notes or just Tomboy?

I only installed Linux Mint Mate, and the first time when I logged into it I installed Chrome (downloaded it from Google's official site and installed it with GDebi package installer). Then I installed Rkhunter and ran the first scan with it. Those above are the results from that scan that had the prefix "Warning". The "mono" file always appears in the Rkhunter's scan results on this installation.

I can see that the file "mono.2143" constantly sits there in /dev/shm/ and seemingly does nothing. It has a little padlock above its icon and a little X mark below its icon. I see sometimes Firefox's (and some other apps') files appearing in that folder only for a few seconds, then they disappear. But that little "mono" file seems to stay there always. It was obviously installed along with Linux Mint.

As I said in the first message, I recently updated my BIOS (first I had to install Windows because my Lenovo laptop model doesn't offer any other way of updating the BIOS except through their special Windows application). That procedure seemed to have gone well, and this new installation of Linux Mint is much faster than the previous ones, but I still don't have a feeling that the virus is totally gone. Could it still be somewhere on the SSD hard disk, even though I erased it with the Parted Magic Erase tool? Or perhaps it can survive a BIOS update and just replicate itself somehow into the new BIOS?
 
Old 03-05-2019, 01:29 PM   #4
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 8,016
Quote:
Originally Posted by RickDeckard
Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.

As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?
Or indeed any program that uses the mono runtime. However, it's difficult to tell sometimes. For example, the Bless hex editor uses the mono runtime and creates a mono.nnn file in /dev/shm. It will normally close this file once the program is terminated.

Generally, any rkhunter warnings about mono.nnn files in /dev/shm can be safely ignored as false positives.
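Rather than opening /dev/shm/mono.2143 in a text editor, the quicker check is to find out which process has it open: the symlinks under /proc/<pid>/fd name every file each process holds. The function below is an added example, not code from this thread or from any project it mentions. It walks those links and takes an optional alternate proc root so the demo can run against a constructed directory tree standing in for /proc; the PID 2143 and the process name tomboy in that tree are made-up illustration values. On a real machine run it as root so that every process's fd directory is readable; where installed, `lsof /dev/shm/mono.2143` or `fuser -v /dev/shm/mono.2143` give the same answer.

```shell
#!/bin/sh
# Added example (not from the thread): list the processes that currently hold
# a given /dev/shm file open, by reading the fd symlinks under /proc.

# shm_holders FILE [PROCROOT]
#   prints "PID COMM" for each process with FILE open. PROCROOT defaults to
#   /proc; a second argument lets the function run against a constructed tree.
shm_holders() {
    file=$1
    procroot=${2:-/proc}
    for fd in "$procroot"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        # an unlinked-but-still-open file shows up as "path (deleted)"
        case "$target" in
            "$file"|"$file (deleted)") ;;
            *) continue ;;
        esac
        pid=${fd#"$procroot"/}; pid=${pid%%/*}
        comm=$(cat "$procroot/$pid/comm" 2>/dev/null || echo '?')
        echo "$pid $comm"
    done | sort -u
}

# make_fake_proc: constructed stand-in for /proc so the demo runs without a
# live mono program. PID 2143 (illustrative name "tomboy") has the file open;
# PID 4242 does not. Prints the temporary root directory.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/2143/fd" "$root/4242/fd"
    echo tomboy > "$root/2143/comm"
    echo bash   > "$root/4242/comm"
    ln -s /dev/shm/mono.2143 "$root/2143/fd/7"
    ln -s /dev/null          "$root/4242/fd/0"
    echo "$root"
}

# Demo against the fake tree; on a real system (as root):
#   shm_holders /dev/shm/mono.2143
fake=$(make_fake_proc)
shm_holders /dev/shm/mono.2143 "$fake"
rm -rf "$fake"
```

If the holder turns out to be a mono-based desktop program, the warning is the false positive hydrurga describes and can be whitelisted with ALLOWDEVFILE. If no process holds the file at all, it is a stale leftover from an earlier run; `ls -l /dev/shm/mono.2143` shows its owner and permissions, which is what the file manager's padlock emblem summarises.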
 
Old 03-05-2019, 03:51 PM   #5
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 18

Original Poster
So, can we conclude that the "mono.2143" file was probably created by Tomboy Notes?

I see that when I start Tomboy Notes and use it a little, I will see one more file appear in /dev/shm/ such as "mono.29107". However, that file is not locked like "mono.2143", and it always disappears once Tomboy Notes is closed. I must say, as much as I'd like to believe it's because of Tomboy Notes, the mono file still looks suspicious.
 
Old 07-19-2019, 09:40 PM   #6
polpak
Member
 
Registered: Jan 2011
Location: Planet Earth, Australia, NSW
Distribution: GNOME openSUSE Leap/Ubuntu18.04
Posts: 148

Quote:
Originally Posted by RickDeckard
Large memory segments show up all the time and can be whitelisted in /etc/rkhunter.conf if you know what they are/where they come from.

As to /dev/shm/mono.2143 do you have either Silverlight or Tomboy installed?

Earlier I whitelisted some warnings myself; soon these faded from my faulty human memory, and I needed to re-read my older notes after upgrades.

On the third re-read of it all, I decided to change my approach: leave the warnings there, since it's easier to remember they are not great concerns, and that leaves time to concentrate on newer warnings which may appear.
 
Old 07-29-2019, 07:02 AM   #7
StormFiber
 
Registered: Dec 2018
Posts: 1

Quote:
Originally Posted by Seniark
[Quotes post #1 and the second paragraph of post #5 above in full, with no further comment.]
All times are GMT -5.