LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
-   -   Odd, persistent files in /tmp (https://www.linuxquestions.org/questions/linux-general-1/odd-persistent-files-in-tmp-726065/)

joegumbo 05-14-2009 04:57 PM
Odd, persistent files in /tmp
 
Hi,

I hope I'm posting to the correct forum. I hope I don't have a security problem here... I'm not sure.

This is on a home desktop running Slackware 12.2 with default full install.

I've noticed that in the past, my /tmp directory was relatively empty. Of course it would fill up as I did things.. played YouTube vids, used OpenOffice, etc. But then, it would mostly clear out after a reboot with the exception of several entries which would be recreated. I'm finding files that I think should clear out including a .exe file. Even after a reboot, they're still there... even before I startx.

The only thing I'm doing differently is using fluxbox rather than KDE, but I cannot imagine that this would be the cause.

This is a list of files:
Quote:
bash-3.1$ cd /tmp
bash-3.1$ ls -l
total 24320
-rw------- 1 joegumbo users 21697 2009-04-14 00:24 49e40ff4a6e7e
-rw------- 1 joegumbo users 267589 2009-05-13 00:50 4j5pst3w.gz
-rw------- 1 joegumbo users 8710216 2009-05-09 14:17 FlashAH97a5
-rw------- 1 joegumbo users 5549942 2009-04-29 16:37 FlashM1Tjnf
-rw------- 1 joegumbo users 1349113 2009-05-06 22:48 FlashNxRcjh
-rw------- 1 joegumbo users 22122 2009-05-02 23:43 FlashSPOmpO
-rw------- 1 joegumbo users 602922 2009-05-03 14:34 FlashciMqKg
-rw------- 1 joegumbo users 1349113 2009-05-06 22:30 FlashfhchB2
-rw------- 1 joegumbo users 409286 2009-05-06 22:52 FlashpBWUut
-rw------- 1 joegumbo users 1349113 2009-05-06 22:25 FlashrhuAMf
-rw------- 1 joegumbo users 5185012 2009-05-09 23:52 bgjeth31.exe
-rw-r--r-- 1 root root 1001 2009-04-14 00:26 build-kqemu.log
-rwxr-xr-x 1 joegumbo users 406 2009-05-09 23:43 com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh
-rw------- 1 joegumbo users 1878 2009-05-14 17:10 djhrd52s.gz
-rw-r--r-- 1 joegumbo users 4444 2009-05-09 23:36 jar_cache5977765581354330334.tmp
drwx------ 2 joegumbo users 40 2009-05-14 17:42 kde-joegumbo
-rw------- 1 joegumbo users 33916 2009-05-13 01:01 ks12nl93.tgz
drwx------ 2 joegumbo users 32 2009-05-14 17:42 ksocket-joegumbo
-rw-r--r-- 1 root root 5033 2009-05-08 14:47 tmpGhxuUx
bash-3.1$
Btw, I've also deleted the flash files in .adobe and .macromedia from my home.

Thanks,
-Joe

chrism01 05-14-2009 09:28 PM
This

-rw-r--r-- 1 root root 1001 2009-04-14 00:26 build-kqemu.log

I think(?) implies you've installed QEMU, with MS in it? Hence the .exe ?

i92guboj 05-15-2009 12:32 AM
I don't know what the .exe file is about, it can be something that was downloaded from a dangerous site, however it won't run so wouldn't worry about it. Anyway, can you post the output for this command?


Code:
$ file /tmp/{com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh,bgjeth31.exe}
I am concerned that one of them might be a shell script, and shell scripts usually don't live in /tmp which is suspicious enough.

I also recommend installing rkhunter and running it. Just in case.

And finally, most distros offer a way to delete the contents of tmp directories at boot time. Maybe some other slackware user can advice you on how to go about that the slackware way.

joegumbo 05-15-2009 09:02 AM
Hello chrism01 & i92guboj!

Thanks for the help :)

Here's the output of the command:
Quote:
bash-3.1$ file /tmp/{com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh,bgjeth31.exe}
/tmp/com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh: a sh script text executable
/tmp/bgjeth31.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
bash-3.1$
I also did this:
Quote:
bash-3.1$ cat /tmp/com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh
#!/usr/bin/env sh

# This is an automatically generated Script.
# Usually this can be removed if the Generator
# was unable to remove the script after execution.

# Generator: com.izforge.izpack.util.os.unix.ShellScript
# $Id$
# Author: marc.eppelmann_at_gmx.de
# $Revision$
# Generated at: Sat May 09 23:43:38 EDT 2009


# /tmp/com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh
bash-3.1$
I suppose the .exe file could be tied in to Win4Lin, but I don't recall ever seeing it before. I'm pretty sure it's new.

I've run both rkhunter and chkrootkit; Both say I'm OK.

Thank you,
-Joe

joegumbo 05-15-2009 09:15 AM
This is odd...

Yesterday, I wasn't able to manually remove these extraneous files from /tmp using rm and rm -r. (Yes, I was root. :) ) After rebooting, they'd still be there. I just tried manually removing them again just now, and it worked.

Quote:
bash-3.1$ ls -l /tmp
total 16
-rw-r--r-- 1 root root 1001 2009-04-14 00:26 build-kqemu.log
drwxr-xr-x 2 joegumbo users 8 2009-05-14 20:16 hsperfdata_joegumbo
drwx------ 2 joegumbo users 4096 2009-05-15 10:15 kde-joegumbo
drwx------ 3 joegumbo users 4096 2009-05-15 10:15 ksocket-joegumbo
bash-3.1$

joegumbo 05-15-2009 09:29 AM
Generator: com.izforge.izpack.util.os.unix.ShellScript

seems to be related to PushToTest

http://www.siteadvisor.com/sites/pus...oads/13392373/

http://docs.pushtotest.com/docs/developers.html


All times are GMT -5. The time now is 06:33 PM.