On Wed, 29 Jan 2014 20:17:06 -0500, William wrote:
3. Since updating to F-20, I'm seeing this warning:
[18:56:18]
[18:56:18] Checking for GasKit Rootkit...
[18:56:18] Checking for file '/dev/dev/gaskit/sshd/sshdd' [ Not found ]
[18:56:18] Checking for directory '/dev/dev' [ Found ]
[18:56:18] Checking for directory '/dev/dev/gaskit' [ Not found ]
[18:56:18] Checking for directory '/dev/dev/gaskit/sshd' [ Not found ]
[18:56:18] Warning: GasKit Rootkit [ Warning ]
[18:56:18] Directory '/dev/dev' found
[18:56:18]
The directory "/dev/dev/" contains one entry:
bash.6[dev]: ll
total 0
lrwxrwxrwx. 1 root root 10 Jan 29 13:48 resume -> ../../sda5
bash.7[dev]:
Doing "file resume" gives this:
bash.21[dev]: file resume
resume: broken symbolic link to `../../sda5'
bash.22[dev]:
I see no "sda5" in the root directory. A "df" shows no filesystem.
An "ls -a" of the root directory shows one file I did not expect:
-rw-r--r--. 1 root root 178665 Jan 29 18:50 .readahead
It seems to be binary.
Do I have a security problem? What are "/dev/dev/resume" and
"/.readahead"?
It's a false positive.
See https://bugzilla.redhat.com/1045116 for the /dev/dev case.
And /.readahead is from the readahead service. Systemd nowadays.