WTF? several anon_inode and /dev/null listings with lsof search
Nils Kassube
kassube at gmx.net
Tue Aug 7 10:58:48 UTC 2012
Colin Law wrote:
> On 6 August 2012 22:12, <rabidblogger at safe-mail.net> wrote:
> > $ lsof | grep anon_inode
> > anon_inode
> >
> > $ lsof | grep dev/null
> > /dev/null
> >
> > I find several anon_inodes and over a dozen /dev/null listings, in
> > some listings for each there are several processes which are
> > repeated. I'm expecting this to be a rootkit, but none of the
> > rootkit scanners find anything. Why are these two listings
> > appearing for various processes? I'm not running any virtual
> > machines, emulation, shares, printers, servers, etc. but these
> > listings continue to appear, it doesn't matter what Linux distro I
> > use, these continue to show, even when disconnected from the
> > internet.
> >
> > What are they?
> > Why are they appearing?
> > How can I stop these from running? (if they're bad)
>
> FWIW I also see loads of references when I run those commands. Does
> the fact that there has been a great debate about the pros and cons
> of various text and image bins mean that others do not, or have they
> not tried? I am running Quantal.

On this Lucid machine there are only a few references to /dev/null but
on a Precise machine there are several for both /dev/null and
anon_inode. However, none of those entries look suspicious to me in any
way. I wonder why the OP tried the commands and why these commands might
indicate something nefarious.

Nils
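
A way to see which processes hold the two names grepped for in this thread, added here as an example and not part of the original messages: it reads the /proc/<pid>/fd symlinks directly and counts anon_inode and /dev/null targets per process. The function name fd_summary and its optional root-directory argument are made up for this example.

```shell
#!/bin/sh
# Added example: count anon_inode and /dev/null descriptors per process.
# "anon_inode:[...]" is the kernel's label for descriptors that have no
# filesystem path, such as [eventpoll], [eventfd], [signalfd] and [timerfd].
# fd_summary and its ROOT argument are hypothetical names for this example.
# ROOT defaults to /proc; another directory can be passed for testing.

fd_summary() {
    root="${1:-/proc}"
    for piddir in "$root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        pid="${piddir##*/}"
        # comm holds the short process name; skip if the process has exited
        comm="$(cat "$piddir/comm" 2>/dev/null)" || continue
        for fd in "$piddir"/fd/*; do
            # readlink fails on descriptors of other users' processes
            # unless this is run as root
            target="$(readlink "$fd" 2>/dev/null)" || continue
            case "$target" in
                anon_inode:*|/dev/null)
                    printf '%s\t%s\t%s\n' "$comm" "$pid" "$target" ;;
            esac
        done
    done | sort | uniq -c | sort -rn
}
```

Calling fd_summary with no argument prints one line per process and target with a leading count, so the repeated entries seen in the lsof output collapse into a single row each.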