WTF? several anon_inode and /dev/null listings with lsof search

Nils Kassube kassube at gmx.net
Tue Aug 7 10:58:48 UTC 2012


Colin Law wrote:
> On 6 August 2012 22:12,  <rabidblogger at safe-mail.net> wrote:
> > $ lsof | grep anon_inode
> > anon_inode
> > 
> > $ lsof | grep dev/null
> > /dev/null
> > 
> > I find several anon_inodes and over a dozen /dev/null listings, in
> > some listings for each there are several processes which are
> > repeated. I'm expecting this to be a rootkit, but none of the
> > rootkit scanners find anything. Why are these two listings
> > appearing for various processes? I'm not running any virtual
> > machines, emulation, shares, printers, servers, etc. but these
> > listings continue to appear, it doesn't matter what Linux distro I
> > use, these continue to show, even when disconnected from the
> > internet.
> > 
> > What are they?
> > Why are they appearing?
> > How can I stop these from running? (if they're bad)
> 
> FWIW I also see loads of references when I run those commands.  Does
> the fact that there has been a great debate about the pros and cons
> of various text and image bins mean that others do not, or have they
> not tried?  I am running Quantal.

On this Lucid machine there are only a few references to /dev/null but 
on a Precise machine there are several for both /dev/null and 
anon_inode. However none of those entries look suspicious to me in any 
way. I wonder why the OP tried the commands and why these commands might 
indicate something nefarious.


Nils
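An added example, not part of the original thread: a way to see what the `anon_inode` and `/dev/null` entries in the `lsof` output actually are, by reading each process's fd symlinks. Entries such as `anon_inode:[eventfd]`, `anon_inode:[eventpoll]` and `anon_inode:inotify` are kernel objects with no file on disk, which ordinary desktop processes open routinely. The function name `fd_summary` and its optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Summarise anon_inode and /dev/null descriptors per process by reading the
# fd symlinks under a proc-style tree. The optional argument (default /proc)
# is an assumption of this example so it can be pointed at a test tree.
# Output: one line per (pid, command, target): pid<TAB>comm<TAB>target<TAB>count
# Usage on a live system: fd_summary        (run as root to see every process)
fd_summary() {
    root="${1:-/proc}"
    for fd in "$root"/[0-9]*/fd/*; do
        # Processes we may not inspect, or that exited meanwhile, are skipped.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            anon_inode:*|/dev/null) ;;   # the two kinds the thread asks about
            *) continue ;;
        esac
        piddir=${fd%/fd/*}               # e.g. /proc/1234
        pid=${piddir##*/}
        comm=$(cat "$piddir/comm" 2>/dev/null) || comm="?"
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
    done |
    # Count identical lines; tabs keep command names with spaces intact.
    awk -F'\t' '{ n[$0]++ } END { for (k in n) printf "%s\t%d\n", k, n[k] }' |
    LC_ALL=C sort
}
```

The third column names the kind of kernel object behind each `anon_inode` entry, which makes it possible to match every entry to what its owning program normally does.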



