[arch-general] WTF? several anon_inode and /dev/null listings with lsof search
$ lsof | grep anon_inode anon_inode
$ lsof | grep dev/null /dev/null
I find several anon_inodes and over a dozen /dev/null listings, in some listings for each there are several processes which are repeated. I'm expecting this to be a rootkit, but none of the rootkit scanners find anything. Why are these two listings appearing for various processes? I'm not running any virtual machines, emulation, shares, printers, servers, etc. but these listings continue to appear, it doesn't matter what Linux distro I use, these continue to show, even when disconnected from the internet.
What are they? Why are they appearing? How can I stop these from running? (if they're bad)
I've searched the web and cannot find anything which explains these to my satisfaction.
rabidblogger@Safe-mail.net writes:
$ lsof | grep anon_inode anon_inode
$ lsof | grep dev/null /dev/null
I find several anon_inodes and over a dozen /dev/null listings, in some listings for each there are several processes which are repeated. I'm expecting this to be a rootkit, but none of the rootkit scanners find anything. Why are these two listings appearing for various processes? I'm not running any virtual machines, emulation, shares, printers, servers, etc. but these listings continue to appear, it doesn't matter what Linux distro I use, these continue to show, even when disconnected from the internet.
What are they? Why are they appearing? How can I stop these from running? (if they're bad)
I've searched the web and cannot find anything which explains these to my satisfaction.
I doubt that these are harmful or a sign of a rootkit. They are, if my understanding is correct, probably file-like objects using file-descriptors that don't actually exist on disk. "In-memory files" and sockets come to mind as two things that could make use of them legitimately. If it makes you feel any better about it, here's a relevant part of the kernel source tree: https://github.com/torvalds/linux/blob/master/fs/anon_inodes.c

--
Jeremiah Dodds
github : https://github.com/jdodds
freenode : exhortatory
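Added example, not part of the thread or of the kernel source linked above: a small triage script that reads the per-process fd links under /proc (the same information lsof reports on Linux) and breaks the anon_inode entries down by the kernel object behind them, such as epoll, eventfd or inotify handles. The function names and the SAMPLE list are made up for illustration, and the sample targets are constructed, not taken from a real system.

```python
import os
import re
from collections import Counter

# Link targets as they appear in /proc/<pid>/fd/<n>.
ANON = re.compile(r"^anon_inode:\[?([^\]]+)\]?$")
KERNEL_OBJ = re.compile(r"^(socket|pipe):\[\d+\]$")

def classify(target):
    """Map one fd link target to a (kind, detail) pair."""
    m = ANON.match(target)
    if m:
        return ("anon_inode", m.group(1))   # e.g. eventpoll, eventfd, inotify
    m = KERNEL_OBJ.match(target)
    if m:
        return (m.group(1), "")
    if target == "/dev/null":
        return ("dev_null", "")
    return ("path", target)

def summarize(targets):
    """Count fd kinds; anon_inode entries are split by the object behind them."""
    counts = Counter()
    for t in targets:
        kind, detail = classify(t)
        counts[f"{kind}:{detail}" if kind == "anon_inode" else kind] += 1
    return counts

def fd_targets(pid="self"):
    """Read the fd symlinks of one process; returns [] if /proc is unavailable."""
    base = f"/proc/{pid}/fd"
    out = []
    try:
        for name in os.listdir(base):
            try:
                out.append(os.readlink(os.path.join(base, name)))
            except OSError:
                pass  # fd closed between listdir and readlink
    except OSError:
        pass  # no /proc, or not permitted to inspect this pid
    return out

# Constructed sample of fd link targets (not captured from a real process).
SAMPLE = ["/dev/null", "socket:[18231]", "anon_inode:[eventpoll]",
          "anon_inode:[eventfd]", "anon_inode:inotify", "pipe:[20114]",
          "/dev/null", "anon_inode:[eventfd]", "/var/log/example.log"]

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE), ("this process", fd_targets())):
        print(label, dict(summarize(data)))
```

Passing a numeric PID to `fd_targets` inspects another process; reading processes owned by other users requires root.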