Suspicious file flagged in /dev/shm/

oldtimer

Feb 2, 2024
I know that chkrootkit is notorious for false positives, but can anyone advise if the following is an expected file?
Code:
/dev/shm/qb-3175-3098-32-U8B4Ow/qb-request-cpg-data

It appears to be encrypted, as nano just returns gobbledygook.

cat gives a bit more info, and it appears to be mostly logging information about PIDs and various VMs. The file also appears to be persistent, staying around and not trying to hide, so I am guessing it is unlikely to be malware, but if anyone has any further insights I would appreciate it.

qb from an internet search appears to be a legitimate data gathering source, but I have not heard of it before.
 
It appears to be encrypted, as nano just returns gobbledygook.
Or it is just binary.

According to my quick inspection, these are just shared memory files that PVE uses internally:

Code:
root@proxmox /dev/shm > ls -l
insgesamt 0
drwxrwx--- 2 root root 160 10. Okt 07:17 qb-2250-12885-21-XRUvLx
drwxrwx--- 2 root root 160 11. Okt 13:14 qb-2250-1411866-22-xDWEPx
drwxrwx--- 2 root root 160 11. Okt 14:54 qb-2250-1598119-28-0BzIWy
drwxrwx--- 2 root root 160 11. Okt 16:31 qb-2250-1779002-26-7jzO0O
drwxrwx--- 2 root root 160 10. Okt 07:17 qb-2250-2257134-16-mjcodM
drwxrwx--- 2 root root 160 10. Okt 07:17 qb-2250-2257166-19-79Xoim
drwxrwx--- 2 root root 160 10. Okt 07:17 qb-2250-2257217-17-x3JWpc
drwxrwx--- 2 root root 160 10. Okt 07:17 qb-2250-2257240-18-AFl15l
drwxrwx--- 2 root root 160 19. Jul 20:33 qb-2250-2267-10-Dxtau9
drwxrwx--- 2 root root 160 19. Jul 20:33 qb-2250-2268-15-QnwsHg
drwxrwx--- 2 root root 160 10. Okt 07:17 qb-2250-2270-23-vd5yon

root@proxmox /dev/shm > ps auxf > /tmp/ps.out

root@proxmox /dev/shm > grep -E "($( ls -1 | cut -d- -f3 | tr '\n' '|' )^USER)" /tmp/ps.out
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        2268  0.8  0.1 292312 102896 ?       Ss   Jul19 1223:13 pve-firewall
root        2270  7.0  0.1 301816 128868 ?       Rs   Jul19 10161:57 pvestatd
root     1411866  0.0  0.2 378724 148628 ?       S    Okt11   1:16  \_ pvedaemon worker
root     1598119  0.0  0.2 378744 148372 ?       S    Okt11   1:03  \_ pvedaemon worker
root     1779002  0.0  0.2 378716 147604 ?       S    Okt11   0:55  \_ pvedaemon worker
root       12885  0.0  0.1 352344 131192 ?       Ss   Jul19  14:20 pvescheduler
root     2257166  0.0  0.1 356052 114664 ?       Ss   Okt10   3:31 pve-ha-lrm
root     2257240  0.0  0.1 356620 115216 ?       Ss   Okt10   2:12 pve-ha-crm
 
Yes, these files are benign - they are part of an IPC library used by corosync ("libqb"), which backs the /etc/pve filesystem and clustering features of PVE.
 
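The PID lookup from the second post, as an added shell example that is not part of the thread: it reads each process name from /proc instead of grepping ps output, so a PID cannot match as a substring of a longer number, and it reports entries whose PID no longer exists. The function names, and the assumption that dash-field 3 of the directory name is the owning PID, belong to this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: entries are named
# qb-<n>-<pid>-<n>-<random>, with the owning PID in dash-field 3, which is
# what the `cut -d- -f3` in the post above relies on.

# qb_owner ENTRY [PROC_ROOT]
# Prints "<pid> <comm>" and returns 0 if the PID is alive, prints "<pid> -"
# and returns 1 if it is not, returns 2 if the name has an unexpected shape.
qb_owner() {
    name=${1##*/}
    proc=${2:-/proc}
    case $name in
        qb-*-*-*-*) ;;
        *) return 2 ;;
    esac
    pid=$(printf '%s\n' "$name" | cut -d- -f3)
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ -r "$proc/$pid/comm" ]; then
        printf '%s %s\n' "$pid" "$(cat "$proc/$pid/comm")"
    else
        printf '%s -\n' "$pid"
        return 1
    fi
}

# qb_triage [SHM_ROOT] [PROC_ROOT]
# One line per qb-* entry: OK (live owner), STALE (PID gone), SKIP (odd name).
qb_triage() {
    shm=${1:-/dev/shm}
    proc_root=${2:-/proc}
    for entry in "$shm"/qb-*; do
        [ -e "$entry" ] || continue
        rc=0
        owner=$(qb_owner "$entry" "$proc_root") || rc=$?
        case $rc in
            0) echo "OK    ${entry##*/} -> $owner" ;;
            1) echo "STALE ${entry##*/} -> pid ${owner% -} not running" ;;
            *) echo "SKIP  ${entry##*/} (unexpected name)" ;;
        esac
    done
}

qb_triage "$@"
```

An OK line only shows that the PID exists now; PIDs are reused, so check that the reported name is one of the PVE services you expect, such as those in the ps output above.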
