Deleted files that are still in use? (malware?)

I was given a warning by both rkhunter and lynis that some deleted files are still in use.
I am afraid it’s malware.

How do you deal with deleted files that are still in use?
I do have a list of the deleted files

find /proc/*/fd -ls | grep  '(deleted)'

Well, what are they? What's using them?

If you delete a file on disk that’s still in memory, it does not remove it from memory. Reboot and run the scans again, you’ll see those warnings (that’s all they are) are gone.

Running scans like that will report a lot of false positives and / or potential security risks. Please read the documentation of both tools before crying malware just because they detect something.


I’m afraid it’s not just a warning. I have run the tests multiple times after a reboot and they still come up.
I also have not deleted the files myself.

Here is the deleted files list from lynis:

2020-12-04 00:39:32 Performing test ID LOGG-2190 (Checking for deleted files in use)
2020-12-04 00:39:32 Test: checking deleted files that are still in use
2020-12-04 00:39:32 Result: found one or more files which are deleted, but still in use
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.11(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.11(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.11(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.11(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.110(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.110(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.110(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.110(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.111(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.111(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.111(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.111(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.12(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.12(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.12(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.12(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.13(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.13(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.13(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.13(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.14(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.14(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.14(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.14(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.15(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.15(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.15(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.15(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.16(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.16(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.16(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.16(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.17(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.17(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.17(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.17(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.18(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.18(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.18(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.18(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.19(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.19(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.19(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.19(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.20(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.20(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.20(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.20(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.21(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.21(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.21(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.21(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.22(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.22(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.22(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.22(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.4(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.4(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.4(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.4(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.5(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.5(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.5(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.5(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.6(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.6(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.6(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.6(firefox)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.9(Privilege)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.9(WebExtens)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.9(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /dev/shm/org.mozilla.ipc.9.9(firefox)
2020-12-04 00:39:32 Found deleted file: /home/frank/.cache/event-sound-cache.tdb.62a4b365d45545b29068f9a2b6c3d025.x86_64-pc-linux-gnu(xfwm4)
2020-12-04 00:39:32 Found deleted file: /home/frank/.cache/ksycoca5_en_spJNYJm0YYC+kK_hakTU1nhjZ34=(akonadi_g)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(0)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(Privilege)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(Thunar)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(WebExtens)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(Web\x20Co)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(agent)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_a)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_b)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_c)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_g)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_i)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_m)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadi_n)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(akonadise)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(albert)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(applet.py)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(deja-dup-)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(firefox)
2020-12-04 00:39:32 Found deleted file: /home/frank/.xsession-errors(firejail)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(korgac)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(light-loc)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(msm_notif)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(nm-applet)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(pamac-tra)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-10-)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-11-)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-12-)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-2-a)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-6-s)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-8-w)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(panel-9-p)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(plank)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(redshift-)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfce4-cli)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfce4-not)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfce4-pan)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfce4-ses)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfce4-ter)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfdesktop)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfsetting)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xfwm4)
2020-12-04 00:39:33 Found deleted file: /home/frank/.xsession-errors(xiccd)
2020-12-04 00:39:33 Found deleted file: /memfd:pulseaudio(pulseaudi)
2020-12-04 00:39:33 Found deleted file: /memfd:xshmfence(Xorg)
2020-12-04 00:39:33 Found deleted file: /usr/share/icons/hicolor/icon-theme.cache(korgac)
2020-12-04 00:39:33 Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]

Deleted files list from rkhunter:

[06:06:33] Info: Starting test name 'malware'
[06:06:33] Performing malware checks
[06:06:33] Info: Starting test name 'deleted_files'
[06:08:55]   Checking running processes for deleted files    [ Warning ]
[06:08:55] Warning: The following processes are using deleted files:
[06:08:55]          Process: /usr/lib/Xorg    PID: 1112    File: /memfd:xshmfence
[06:08:55]          Process: /usr/bin/xfce4-session    PID: 1558    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/xfwm4    PID: 1617    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/xfsettingsd    PID: 1625    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/xfce4-panel    PID: 1626    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/pulseaudio    PID: 1628    File: /memfd:pulseaudio
[06:08:55]          Process: /usr/bin/thunar    PID: 1636    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1641    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/xfdesktop    PID: 1642    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1643    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1645    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1647    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1648    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1649    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/xfce4/panel/wrapper-2.0    PID: 1650    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/xfce4-clipman    PID: 1701    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/korgac    PID: 1708    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/python3.8    PID: 1711    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/albert    PID: 1712    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/plank    PID: 1713    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/light-locker    PID: 1714    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/deja-dup/deja-dup-monitor    PID: 1716    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/nm-applet    PID: 1728    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/geoclue-2.0/demos/agent    PID: 1748    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/bin/msm_notifier    PID: 1757    File: /home/frank/.xsession-errors
[06:08:56]          Process: /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1    PID: 1758    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/xiccd    PID: 1765    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/pamac-tray    PID: 1768    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/python3.8    PID: 1770    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/lib/xfce4/notifyd/xfce4-notifyd    PID: 1771    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_control    PID: 1943    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadiserver    PID: 1950    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/mariadbd    PID: 1955    File: /tmp/ibjLaqE3
[06:08:57]          Process: /usr/bin/akonadi_akonotes_resource    PID: 2019    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_birthdays_resource    PID: 2020    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_contacts_resource    PID: 2021    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_google_resource    PID: 2022    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_ical_resource    PID: 2024    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_indexing_agent    PID: 2025    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_maildir_resource    PID: 2026    File: /home/frank/.xsession-errors
[06:08:57]          Process: /usr/bin/akonadi_maildispatcher_agent    PID: 2028    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/bin/akonadi_migration_agent    PID: 2029    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/bin/akonadi_newmailnotifier_agent    PID: 2033    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/bin/firejail    PID: 51227    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/bin/xdg-dbus-proxy    PID: 51230    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/bin/firejail    PID: 51232    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 51241    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 51297    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 51363    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 51393    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 51915    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 52263    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 52317    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 53455    File: /home/frank/.xsession-errors
[06:08:58]          Process: /usr/bin/xfce4-terminal    PID: 53485    File: /home/frank/.xsession-errors

I suggest you read this

Thanks, I read it. But it’s not about deleted files that processes are using.

Files on /dev/shm are created as necessary. /dev/shm is a tmpfs, a virtual-memory-based filesystem. ~/.xsession-errors is also created as necessary. It’s the error log of your X11 server, and it’ll log every error or warning that you get in your GUI session ─ or at least, with X11, because Wayland is different.

I see nothing unusual in the output of your scan. :man_shrugging:
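To make the triage described in the replies repeatable, here is an added example (not part of the thread and not code from rkhunter or lynis) that collapses rkhunter's per-process warning lines into one entry per deleted file and sorts each file into a bucket. The bucket names and the `triage`, `classify` and `on_disk_findings` functions are this example's own assumptions; the sample lines are copied from the rkhunter log quoted above.

```python
import re

# A few lines copied from the rkhunter log quoted in this thread.
SAMPLE = """\
[06:08:55]          Process: /usr/lib/Xorg    PID: 1112    File: /memfd:xshmfence
[06:08:55]          Process: /usr/bin/xfce4-session    PID: 1558    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/xfwm4    PID: 1617    File: /home/frank/.xsession-errors
[06:08:55]          Process: /usr/bin/pulseaudio    PID: 1628    File: /memfd:pulseaudio
[06:08:57]          Process: /usr/bin/mariadbd    PID: 1955    File: /tmp/ibjLaqE3
[06:08:58]          Process: /usr/lib/firefox/firefox    PID: 51241    File: /home/frank/.xsession-errors
"""

# Matches the "Process: ... PID: ... File: ..." layout of the warning lines.
LINE = re.compile(
    r"Process:\s+(?P<proc>\S+)\s+PID:\s+(?P<pid>\d+)\s+File:\s+(?P<file>.+?)\s*$"
)

# Assumed triage buckets (labels chosen for this example, not rkhunter's).
BUCKETS = (
    ("/memfd:", "memfd"),    # anonymous memory fd; it never had a directory entry
    ("/dev/shm/", "shm"),    # tmpfs-backed shared memory
    ("/tmp/", "tmp"),        # scratch file unlinked while still open
    ("/var/tmp/", "tmp"),
)


def classify(path):
    """Return the bucket for a deleted-file path; 'on-disk' if none matches."""
    for prefix, label in BUCKETS:
        if path.startswith(prefix):
            return label
    return "on-disk"


def triage(log_text):
    """Return {file: {"bucket": str, "holders": [(pid, process), ...]}}."""
    result = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # headers, timestamps-only lines, other tests
        entry = result.setdefault(
            m["file"], {"bucket": classify(m["file"]), "holders": []}
        )
        entry["holders"].append((int(m["pid"]), m["proc"]))
    return result


def on_disk_findings(log_text):
    """Deleted files outside memfd/tmpfs/tmp: the ones to look at by hand."""
    return sorted(f for f, e in triage(log_text).items() if e["bucket"] == "on-disk")


if __name__ == "__main__":
    for path, e in sorted(triage(SAMPLE).items()):
        print(f"{e['bucket']:8} {len(e['holders']):3} holder(s)  {path}")
```

Run against the full log, the dozens of warnings reduce to a handful of distinct files, and only the `on-disk` entries (here `~/.xsession-errors`) need a manual look at which processes hold them.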