
rkhunter is giving a warning on /dev/shm/mono.*. I couldn't find any reference on the web to this file in relation to rkhunter warnings.

[12:38:29]   Checking /dev for suspicious file types         [ Warning ]
[12:38:29] Warning: Suspicious file types found in /dev:
[12:38:29]          /dev/shm/mono.1254: data

Is this a false positive?


Output of df -h

Filesystem                                 Size  Used Avail Use% Mounted on
udev                                       7.8G     0  7.8G   0% /dev
tmpfs                                      1.6G  2.1M  1.6G   1% /run
/dev/sdb2                                  916G  357G  513G  41% /
tmpfs                                      7.8G  121M  7.7G   2% /dev/shm
tmpfs                                      5.0M  4.0K  5.0M   1% /run/lock
tmpfs                                      7.8G     0  7.8G   0% /sys/fs/cgroup
/dev/sdb1                                  511M  4.5M  507M   1% /boot/efi
/dev/sda1                                  1.8T   87G  1.7T   5% /mnt/HDD_Toshiba
tmpfs                                      1.6G     0  1.6G   0% /run/user/0
SynologyNas.local:/volumeUSB2/usbshare2-1  2.3T  1.6T  683G  71% /mnt/synologyDrive
tmpfs                                      1.6G   20K  1.6G   1% /run/user/121
tmpfs                                      1.6G   48K  1.6G   1% /run/user/1000
  • Please edit your question and post the output of `sudo file -s /dev/shm/mono.1254` and `sudo ls -la /dev/shm/mono.1254`. To me this file looks extremely suspicious. In my +20 years of using Linux I've never seen such files under `/dev`. – Artem S. Tashkinov Nov 15 '21 at 12:31
  • Thanks a lot @ArtemS.Tashkinov for the comment, but now you got me thinking. I had actually already deleted that file as I thought it was related to [mono](https://www.mono-project.com/download/stable/) from Microsoft. Since I didn't need it, I removed those files and uninstalled Mono. What do you think? – João Pimentel Ferreira Nov 15 '21 at 13:00
  • If you had mono daemons running under `root`, I can imagine that. Otherwise that sounds extremely suspicious. Anyways, it's weird you've asked a question and before long you make sure no one can help you with it. – Artem S. Tashkinov Nov 15 '21 at 13:02
  • @ArtemS.Tashkinov I wanted to cleanse the system ASAP, and thus I didn't wait for a reply; I am a bit anxious `:)` with these rootkit issues. Anyway, if that file pops up again I will print its content here. Thanks a lot – João Pimentel Ferreira Nov 15 '21 at 13:06
  • If there's indeed malware on your system deleting a single file could be useless. – Artem S. Tashkinov Nov 15 '21 at 13:07
  • Not got a clue why there is a suspicion it is malware. Why not run a `ps` and actually check what is running. `/etc/rkhunter.conf.local` or similar will tell you what `rkhunter` is ignoring in that directory and you can add to it. – Bib Nov 15 '21 at 13:11

1 Answer


This file is used by XSP - Mono ASP.NET Web Server.

  1. Get process id:

    lsof | grep /dev/shm/mono.1272
    mono        1272                          www-data  mem       REG               0,28       4096          2 /dev/shm/mono.1272
    mono        1272   1296 SGen\x20w         www-data  mem       REG               0,28       4096          2 /dev/shm/mono.1272
    mono        1272   1352 Finalizer         www-data  mem       REG               0,28       4096          2 /dev/shm/mono.1272
    mono        1272   1496 mono              www-data  mem       REG               0,28       4096          2 /dev/shm/mono.1272
    mono        1272   1497 Thread            www-data  mem       REG               0,28       4096          2 /dev/shm/mono.1272
    

    Process id in this example is 1272.

  2. Output command line of process:

    cat /proc/1272/cmdline | sed -e "s/\x00/ /g"; echo
    /usr/bin/mono /usr/lib/mono/4.5/xsp4.exe --port 8084 --address 0.0.0.0 --appconfigdir /etc/xsp4 --nonstop
    

Click here for more information.
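The answer's two steps (find the pid that maps the file, then read its command line) can be done in one pass over /proc, with the extra check that the lsof output above suggests: a genuine XSP file `mono.<N>` is mapped by pid N running `xsp4.exe`. This is an added example, not code from the answer or from rkhunter; the sample maps line and cmdline bytes are constructed to mirror the output shown, and `ALLOWDEVFILE` is the rkhunter.conf option for whitelisting a /dev entry once it has been verified.

```python
import re
from pathlib import Path

# Constructed sample for pid 1272: one /proc/1272/maps line and the NUL-separated /proc/1272/cmdline.
SAMPLE_MAPS = "7f0c1a000000-7f0c1a001000 rw-s 00000000 00:1c 2 /dev/shm/mono.1272\n"
SAMPLE_CMDLINE = (b"/usr/bin/mono\x00/usr/lib/mono/4.5/xsp4.exe\x00--port\x008084\x00"
                  b"--address\x000.0.0.0\x00--appconfigdir\x00/etc/xsp4\x00--nonstop\x00")

def mapped_paths(maps_text):
    # Field 6 of a maps line is the backing file, if any (anonymous maps have only 5).
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return paths

def argv_from_cmdline(raw):
    # Same split the answer does with sed on /proc/<pid>/cmdline, without shelling out.
    return [a.decode(errors="replace") for a in raw.split(b"\x00") if a]

def assess(shm_path, pid, maps_text, raw_cmdline):
    # The page's lsof output shows mono.<N> mapped by pid N running xsp4.exe;
    # any other process mapping such a file deserves a closer look.
    if shm_path not in mapped_paths(maps_text):
        return "not mapped by pid %d" % pid
    m = re.fullmatch(r"/dev/shm/mono\.(\d+)", shm_path)
    argv = argv_from_cmdline(raw_cmdline)
    if (m and int(m.group(1)) == pid and argv and argv[0].endswith("mono")
            and any("xsp" in a for a in argv[1:])):
        return "expected: XSP (mono) shared memory file"
    return "investigate: mapped by unexpected process %r" % argv

def allowdevfile_line(shm_path):
    # ALLOWDEVFILE is the rkhunter.conf option that whitelists a verified /dev entry.
    return "ALLOWDEVFILE=" + shm_path

def scan_live():
    # Walk /proc on the running host and apply assess() to every /dev/shm/mono.* file.
    for shm in Path("/dev/shm").glob("mono.*"):
        for pid_dir in Path("/proc").glob("[0-9]*"):
            try:
                maps, cmd = (pid_dir / "maps").read_text(), (pid_dir / "cmdline").read_bytes()
            except OSError:
                continue
            if str(shm) in mapped_paths(maps):
                print(shm, pid_dir.name, assess(str(shm), int(pid_dir.name), maps, cmd))

if __name__ == "__main__":
    scan_live()
```

Run it as root (unprivileged users cannot read other processes' maps); a "not mapped" result for every pid means nothing currently holds the file open, which is the state the question ended in after deletion.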

Greenonline
Raymond