[arch-general] WTF? several anon_inode and /dev/null listings with lsof search

Jeremiah Dodds jeremiah.dodds at gmail.com
Tue Aug 7 02:16:53 EDT 2012


rabidblogger at Safe-mail.net writes:

> $ lsof | grep anon_inode
> anon_inode
>
> $ lsof | grep dev/null
> /dev/null
>
> I find several anon_inodes and over a dozen /dev/null listings, in some listings
> for each there are several processes which are repeated. I'm expecting this to
> be a rootkit, but none of the rootkit scanners find anything. Why are these two
> listings appearing for various processes? I'm not running any virtual machines,
> emulation, shares, printers, servers, etc. but these listings continue to
> appear, it doesn't matter what Linux distro I use, these continue to show, even
> when disconnected from the internet.
>
> What are they?
> Why are they appearing?
> How can I stop these from running? (if they're bad)
>
> I've searched the web and cannot find anything which explains these to my satisfaction.

I doubt that these are harmful or a sign of a rootkit. They are, if my
understanding is correct, probably file-like objects using
file-descriptors that don't actually exist on disk. "In-memory files"
and sockets come to mind as two things that could make use of them
legitimately.

If it makes you feel any better about it, here's a relevant part of
the kernel source tree:

https://github.com/torvalds/linux/blob/master/fs/anon_inodes.c 


-- 
Jeremiah Dodds

github     : https://github.com/jdodds
freenode   : exhortatory
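
Added example, not part of the original message: a small Python triage script that reads the `/proc/<pid>/fd` symlinks (the same data `lsof` reports) and labels each `anon_inode` and `/dev/null` descriptor with the ordinary kernel facility that produces it. The function names, the `SAMPLE` entries and the descriptions in `ANON_KINDS` are constructed for illustration; the `anon_inode:` target strings are the ones the Linux kernel uses for these object types.

```python
import os
from collections import Counter

# Common anon_inode targets and the syscalls that create them.
ANON_KINDS = {
    "[eventpoll]": "epoll_create(2) event loop",
    "[eventfd]": "eventfd(2) wakeup counter",
    "[signalfd]": "signalfd(2) signal delivery",
    "[timerfd]": "timerfd_create(2) timer",
    "inotify": "inotify_init(2) file watcher",
}
DEV_NULL = "discarded stdin/stdout/stderr, typical for daemons"

def classify(target):
    """Map the readlink target of an fd to (category, detail)."""
    if target.startswith("anon_inode:"):
        name = target[len("anon_inode:"):]
        return ("anon_inode", ANON_KINDS.get(name, "other kernel object: " + name))
    if target == "/dev/null":
        return ("dev_null", DEV_NULL)
    if target.startswith(("socket:", "pipe:")):
        return ("ipc", target.split(":", 1)[0])
    return ("file", target)

def scan_proc(proc="/proc"):
    """Yield (pid, fd, target) for every descriptor this user may inspect."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                yield int(pid), int(fd), os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue  # process exited, or it belongs to another user

def summarize(entries):
    """Count descriptors per (category, detail) across all processes."""
    return Counter(classify(target) for _pid, _fd, target in entries)

# Constructed sample, used when /proc is unavailable.
SAMPLE = [
    (412, 0, "/dev/null"), (412, 3, "anon_inode:[eventpoll]"),
    (412, 4, "anon_inode:[signalfd]"), (977, 1, "/dev/null"),
    (977, 5, "anon_inode:inotify"), (977, 6, "socket:[18233]"),
]

if __name__ == "__main__":
    entries = list(scan_proc()) if os.path.isdir("/proc/self/fd") else SAMPLE
    for (cat, detail), n in summarize(entries).most_common():
        if cat in ("anon_inode", "dev_null"):
            print(f"{n:5d}  {cat:10s}  {detail}")
```

Run as root to see every process; as an ordinary user the scan silently skips descriptors it is not allowed to read.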

