Rkhunter says warning for "/dev/shm/libpod_rootless_lock_1000: data"

My commercial email was hacked as seen in public info. A couple of days ago, I received a threatening email that contained my password accurately. It said that they had put ROOTKIT malware on my computer. I was to pay them $500.

I am not seriously worried as I am 100% Linux and I doubt if they figured that out or knew how to deal with it.

As a precaution, I ran rkhunter. The rkhunter -c command gives the warning below:

[15:40:11] Performing filesystem checks
[15:40:11] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:40:14]   Checking /dev for suspicious file types         [ Warning ]
[15:40:15] Warning: Suspicious file types found in /dev:
[15:40:15]          /dev/shm/libpod_rootless_lock_1000: data
[15:40:15] Info: Found hidden file '/etc/.updated': it is whitelisted.
[15:40:15] Info: Found hidden file '/dev/.blkid.tab': it is whitelisted.
[15:40:15] Info: Found hidden file '/dev/.blkid.tab.old': it is whitelisted.
[15:40:15] Info: Found hidden file '/usr/bin/.fipscheck.hmac': it is whitelisted.

Would anyone know what “/dev/shm/libpod_rootless_lock_1000: data” indicates and whether it is serious?

thanks, tom kosvic

@tckosvic you're running podman rootless…

I was experimenting with podman at one point. Don’t use it for anything. This file is owned by user; not root.
Is this indicator a serious issue? Is this any indicator of a ROOTKIT?

I am thinking not.

thanks, tom kosvic

@tckosvic nope it’s got your user id (1000) there, if not using Podman, then just delete, but nothing related to any hacking…
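The reasoning in the reply above (the numeric suffix of the file name is a user id, and the file belongs to that user rather than root) can be checked mechanically. The following is an added example, not part of the original thread or of rkhunter or Podman: the function name `check_libpod_lock` is hypothetical, GNU `stat` is assumed, and treating an executable bit as a reason for review is an assumption made here.

```shell
#!/bin/sh
# Added example: triage a /dev/shm/libpod_rootless_lock_<uid> file flagged by rkhunter.
# Prints "expected", "missing", or "review: <reason>".
# Assumption (not from the thread): a benign lock file is a regular,
# non-executable file owned by the uid that appears in its name.
check_libpod_lock() {
    f=$1
    name=${f##*/}
    case $name in
        libpod_rootless_lock_*) uid=${name#libpod_rootless_lock_} ;;
        *) echo "review: not a libpod rootless lock name"; return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "review: suffix '$uid' is not a numeric uid"; return 1 ;;
    esac
    if [ -L "$f" ]; then
        echo "review: symlink, not a plain file"; return 1
    fi
    if [ ! -e "$f" ]; then
        echo "missing"; return 0
    fi
    if [ ! -f "$f" ]; then
        echo "review: not a regular file"; return 1
    fi
    owner=$(stat -c %u "$f")   # numeric owner (GNU coreutils stat)
    mode=$(stat -c %a "$f")    # octal permission bits
    if [ "$owner" != "$uid" ]; then
        echo "review: owned by uid $owner but name says uid $uid"; return 1
    fi
    # A leading 0 makes the shell read the mode as octal; 0111 = any execute bit.
    if [ $(( 0$mode & 0111 )) -ne 0 ]; then
        echo "review: execute bit set (mode $mode)"; return 1
    fi
    echo "expected"
}

# Stand-alone use: sh check_lock.sh /dev/shm/libpod_rootless_lock_1000
if [ "$#" -gt 0 ]; then
    check_libpod_lock "$1"
fi
```

If the file is "expected" and Podman is still in use, rkhunter's `ALLOWDEVFILE` setting in `rkhunter.conf` can whitelist that path so the `/dev` check stops warning about it.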

wwwhhhheeeeeewwww, thanks
