WTF? several anon_inode and /dev/null listings with lsof search

Colin Law clanlaw at googlemail.com
Tue Aug 7 10:18:16 UTC 2012


On 6 August 2012 22:12,  <rabidblogger at safe-mail.net> wrote:
> $ lsof | grep anon_inode
> anon_inode
>
> $ lsof | grep dev/null
> /dev/null
>
> I find several anon_inodes and over a dozen /dev/null listings; in some listings for each there are several processes which are repeated. I'm expecting this to be a rootkit, but none of the rootkit scanners find anything. Why are these two listings appearing for various processes? I'm not running any virtual machines, emulation, shares, printers, servers, etc., but these listings continue to appear. It doesn't matter what Linux distro I use; these continue to show, even when disconnected from the internet.
>
> What are they?
> Why are they appearing?
> How can I stop these from running? (if they're bad)

FWIW I also see loads of references when I run those commands.  Does
the fact that there has been a great debate about the pros and cons of
various text and image bins mean that others do not, or have they not
tried?  I am running Quantal.

I would have thought a few sample lines rather than pasting it would
have been enough anyway.

oneconf-s 5646          colinl    0u      CHR        1,3      0t0   19 /dev/null
oneconf-s 5646          colinl    1u      CHR        1,3      0t0   19 /dev/null
oneconf-s 5646          colinl    2u      CHR        1,3      0t0   19 /dev/null
oneconf-s 5646          colinl    6u      CHR        1,3      0t0   19 /dev/null
dconf     5646 5647     colinl    0u      CHR        1,3      0t0   19 /dev/null
dconf     5646 5647     colinl    1u      CHR        1,3      0t0   19 /dev/null
dconf     5646 5647     colinl    2u      CHR        1,3      0t0   19 /dev/null
dconf     5646 5647     colinl    6u      CHR        1,3      0t0   19 /dev/null
gdbus     5646 5650     colinl    0u      CHR        1,3      0t0   19 /dev/null
gdbus     5646 5650     colinl    1u      CHR        1,3      0t0   19 /dev/null
gdbus     5646 5650     colinl    2u      CHR        1,3      0t0   19 /dev/null
gdbus     5646 5650     colinl    6u      CHR        1,3      0t0   19 /dev/null

oneconf-s 5646          colinl    3u     0000        0,9        0 7871 anon_inode
oneconf-s 5646          colinl    8u     0000        0,9        0 7871 anon_inode
oneconf-s 5646          colinl   11u     0000        0,9        0 7871 anon_inode
oneconf-s 5646          colinl   15u     0000        0,9        0 7871 anon_inode
dconf     5646 5647     colinl    3u     0000        0,9        0 7871 anon_inode
dconf     5646 5647     colinl    8u     0000        0,9        0 7871 anon_inode
dconf     5646 5647     colinl   11u     0000        0,9        0 7871 anon_inode
dconf     5646 5647     colinl   15u     0000        0,9        0 7871 anon_inode
gdbus     5646 5650     colinl    3u     0000        0,9        0 7871 anon_inode
gdbus     5646 5650     colinl    8u     0000        0,9        0 7871 anon_inode
gdbus     5646 5650     colinl   11u     0000        0,9        0 7871 anon_inode
gdbus     5646 5650     colinl   15u     0000        0,9        0 7871 anon_inode

Colin
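
Added example, not part of the original message: a small parser that collapses the per-thread rows in a listing like the one above, so each open descriptor of PID 5646 is counted once, and that checks every /dev/null entry is the usual character device 1,3. The function names and the rule that a numeric third column is the TID are assumptions of this example.

```python
# Subset of the listing above with the mail-wrapped lines rejoined.
SAMPLE = """\
oneconf-s 5646          colinl    0u      CHR        1,3      0t0   19 /dev/null
oneconf-s 5646          colinl    3u     0000        0,9        0 7871 anon_inode
dconf     5646 5647     colinl    0u      CHR        1,3      0t0   19 /dev/null
dconf     5646 5647     colinl    3u     0000        0,9        0 7871 anon_inode
gdbus     5646 5650     colinl    0u      CHR        1,3      0t0   19 /dev/null
gdbus     5646 5650     colinl    3u     0000        0,9        0 7871 anon_inode
"""

def parse_line(line):
    """Split one lsof row; return None for the header or a malformed row."""
    f = line.split()
    if len(f) < 9 or not f[1].isdigit():
        return None
    tid = None
    # Assumption: a numeric third column is the optional TID (task/thread id);
    # a purely numeric USER column would be misread here.
    if len(f) >= 10 and f[2].isdigit():
        tid = int(f.pop(2))
    command, pid, user, fd, ftype, device, _size, node = f[:8]
    return {"command": command, "pid": int(pid), "tid": tid, "user": user,
            "fd": fd, "type": ftype, "device": device, "node": node,
            "name": " ".join(f[8:])}

def collapse(text):
    """Map (pid, fd) -> descriptor info plus the set of tasks that listed it."""
    table = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = table.setdefault((rec["pid"], rec["fd"]), {
            "name": rec["name"], "type": rec["type"],
            "device": rec["device"], "tasks": set()})
        entry["tasks"].add((rec["command"], rec["tid"]))
    return table

def odd_dev_null(table):
    """Descriptors named /dev/null that are not character device 1,3."""
    return [key for key, e in table.items()
            if e["name"] == "/dev/null"
            and (e["type"], e["device"]) != ("CHR", "1,3")]

if __name__ == "__main__":
    for (pid, fd), e in sorted(collapse(SAMPLE).items()):
        print(pid, fd, e["name"], "listed by", len(e["tasks"]), "task(s)")
```

On the sample, the six rows reduce to two descriptors of one process, each listed by three tasks.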



