Rkhunter finds "suspicious" files in /dev

Ovalteen · 03-21-2005, 06:37 AM

Hello all,

I've just run rkhunter and it came up with the following message:

Code:

* Filesystem checks
   Checking /dev for suspicious files...                      [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/pst0:        ASCII text
/dev/pts0:        ASCII text
---------------------------------------------

I had this message come up previously but I thought it may have been a false positive, so I let it slide. Is it anything to be concerned about? All other tests are OK.

Cheers

Ovalteen

Ovalteen · 03-21-2005, 07:55 PM

OK, I chipped away at it a bit more.

I was under the impression that pts was some kind of terminal or something. Is this the case? I wasn't sure what I should do with it but eventually just opened it in VI. I should have done that earlier, but I didn't think it would work, as it doesn't for other items in that folder.

The files (both pts0 and pst0) both had some "Hello" type of message in them (just 2 or 3 words). I was pretty sure I didn't put this there myself, so I greped the bash history for each user, but I didn't find any matches. Is it possible though, that maybe the command wasn't recorded because more than one session of that user was open at once?

Anyway, I deleted the text, ran rkhunter again and it's all fine. I figure it was probably just me being a stupid

or testing out something, as none of my logs seem to indicate trouble. I can't imagine someone hacked in just to write "Hello".

Cheers

Ovalteen

ilikejam · 03-22-2005, 04:50 AM

Hi.

It's probably a script trying to redirect some output to a virtual terminal which wasn't open, so a new file was made with the contents of the message.

Dave

Ovalteen · 03-22-2005, 06:28 AM

Thanks for the tip Dave. I'll have a look and see what I may have run.

Cheers

Ovalteen