Re: SHMEM question

From: Randy Dunlap
Date: Mon Oct 26 2009 - 13:05:25 EST


On Mon, 26 Oct 2009 11:59:04 -0400 Gene Heskett wrote:

> Greetings;
>
> Fedora F10 system, quad core phenom, 4GB RAM, ASUS M2N-SLI Deluxe mobo
> kernel-2.6.32-rc5, uptime 2d 11:27 at the moment, and the system feels good.
>
> rkhunter sent me an email this morning complaining about a data file in
> /dev/shm.
>
> On looking at it:
> [root@coyote Download]# ls -l /dev/shm
> total 28
> -rw-r----- 1 root root 4096 2009-10-25 12:09 mono.10594
> -r-------- 1 root root 67108904 2009-10-24 00:28 pulse-shm-3880918577
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_ReadPrefs_root
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_REL_root
> -rw-rw-rw- 1 root root 16 2009-10-24 01:17 sem.ADBE_WritePrefs_root
>
> On grepping for SHM in the .config, I find SHMEM set to y, but about an hour's
> worth of wandering around in a 'make xconfig' has failed to actually find it.

In xconfig, you can use /f to search for kconfig symbols.

SHMEM is under the General Setup menu (on x86), then under the
Configure standard kernel features (for small systems)
menu (i.e., EMBEDDED, so only shows up when EMBEDDED is enabled).


> That pulse-shm-3880918577 file at over 67 megabytes is all $00 till $04000000
> into it, then there are 6 non-zero bytes and the rest is back to all balls.
>
> Is this some indicator of a new rootkit or WTF?
>
> It was the mono.10594 file that rkhunter-1.3.4 was concerned about. I, since
> I can't make a mental connection between SHMEM and /dev/shm, am concerned
> about that whole tree of data which seems totally out of place in the /dev
> tree.
>
> I hate to be a pest but Many Thanks for any enlightenment on this.

Sorry, no idea about that.

---
~Randy
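
Added example, not part of the original thread and not code from rkhunter, PulseAudio or the kernel: a read-only Python sketch of the manual inspection described in the question (ownership, mode, and where the non-zero bytes sit in a mostly zero file under /dev/shm). The names nonzero_runs and triage are hypothetical, and it assumes it is run by a user allowed to read the files.

```python
import os
import re
import stat

NONZERO = re.compile(rb"[^\x00]+")


def nonzero_runs(path, chunk_size=1 << 20):
    """Return [(offset, length), ...] for each run of non-zero bytes in path."""
    runs, base = [], 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for m in NONZERO.finditer(chunk):
                start, length = base + m.start(), m.end() - m.start()
                if runs and sum(runs[-1]) == start:
                    # Run continues across a chunk boundary: extend it.
                    runs[-1] = (runs[-1][0], runs[-1][1] + length)
                else:
                    runs.append((start, length))
            base += len(chunk)
    return runs


def triage(directory="/dev/shm"):
    """Summarise every regular file in directory without modifying anything."""
    report = {}
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        try:
            runs = nonzero_runs(entry.path)
        except OSError:
            runs = None  # unreadable by the current user
        report[entry.name] = {
            "uid": st.st_uid,
            "mode": stat.filemode(st.st_mode),
            "size": st.st_size,
            "allocated": st.st_blocks * 512,  # st_blocks counts 512-byte units
            "world_writable": bool(st.st_mode & stat.S_IWOTH),
            "nonzero_runs": runs,
        }
    return report


if __name__ == "__main__":
    for name, info in sorted(triage().items()):
        print(name, info)
```

An "allocated" value far below "size" means the file is sparse, so a large apparent size with only a few non-zero bytes occupies little actual memory.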