Old 05-14-2009, 04:57 PM   #1
joegumbo
Member
 
Registered: Sep 2006
Distribution: Frugalware
Posts: 228

Rep: Reputation: 32
Odd, persistent files in /tmp


Hi,

I hope I'm posting to the correct forum. I hope I don't have a security problem here... I'm not sure.

This is on a home desktop running Slackware 12.2 with default full install.

I've noticed that in the past, my /tmp directory was relatively empty. Of course it would fill up as I did things... played YouTube vids, used OpenOffice, etc. But then, it would mostly clear out after a reboot with the exception of several entries which would be recreated. I'm finding files that I think should clear out, including a .exe file. Even after a reboot, they're still there... even before I startx.

The only thing I'm doing differently is using fluxbox rather than KDE, but I cannot imagine that this would be the cause.

This is a list of files:
Quote:
bash-3.1$ cd /tmp
bash-3.1$ ls -l
total 24320
-rw------- 1 joegumbo users 21697 2009-04-14 00:24 49e40ff4a6e7e
-rw------- 1 joegumbo users 267589 2009-05-13 00:50 4j5pst3w.gz
-rw------- 1 joegumbo users 8710216 2009-05-09 14:17 FlashAH97a5
-rw------- 1 joegumbo users 5549942 2009-04-29 16:37 FlashM1Tjnf
-rw------- 1 joegumbo users 1349113 2009-05-06 22:48 FlashNxRcjh
-rw------- 1 joegumbo users 22122 2009-05-02 23:43 FlashSPOmpO
-rw------- 1 joegumbo users 602922 2009-05-03 14:34 FlashciMqKg
-rw------- 1 joegumbo users 1349113 2009-05-06 22:30 FlashfhchB2
-rw------- 1 joegumbo users 409286 2009-05-06 22:52 FlashpBWUut
-rw------- 1 joegumbo users 1349113 2009-05-06 22:25 FlashrhuAMf
-rw------- 1 joegumbo users 5185012 2009-05-09 23:52 bgjeth31.exe
-rw-r--r-- 1 root root 1001 2009-04-14 00:26 build-kqemu.log
-rwxr-xr-x 1 joegumbo users 406 2009-05-09 23:43 com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh
-rw------- 1 joegumbo users 1878 2009-05-14 17:10 djhrd52s.gz
-rw-r--r-- 1 joegumbo users 4444 2009-05-09 23:36 jar_cache5977765581354330334.tmp
drwx------ 2 joegumbo users 40 2009-05-14 17:42 kde-joegumbo
-rw------- 1 joegumbo users 33916 2009-05-13 01:01 ks12nl93.tgz
drwx------ 2 joegumbo users 32 2009-05-14 17:42 ksocket-joegumbo
-rw-r--r-- 1 root root 5033 2009-05-08 14:47 tmpGhxuUx
bash-3.1$
Btw, I've also deleted the flash files in .adobe and .macromedia from my home.

Thanks,
-Joe

Last edited by joegumbo; 05-14-2009 at 07:24 PM.
 
Old 05-14-2009, 09:28 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
This

-rw-r--r-- 1 root root 1001 2009-04-14 00:26 build-kqemu.log

I think(?) implies you've installed QEMU, with MS in it? Hence the .exe?
 
Old 05-15-2009, 12:32 AM   #3
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,040

Rep: Reputation: 373
I don't know what the .exe file is about; it can be something that was downloaded from a dangerous site. However, it won't run, so I wouldn't worry about it. Anyway, can you post the output for this command?


Code:
$ file /tmp/{com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh,bgjeth31.exe}
I am concerned that one of them might be a shell script, and shell scripts usually don't live in /tmp, which is suspicious enough.

I also recommend installing rkhunter and running it. Just in case.

And finally, most distros offer a way to delete the contents of tmp directories at boot time. Maybe some other Slackware user can advise you on how to go about that the Slackware way.
 
Old 05-15-2009, 09:02 AM   #4
joegumbo
Member
 
Registered: Sep 2006
Distribution: Frugalware
Posts: 228

Original Poster
Rep: Reputation: 32
Hello chrism01 & i92guboj!

Thanks for the help

Here's the output of the command:
Quote:
bash-3.1$ file /tmp/{com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh,bgjeth31.exe}
/tmp/com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh: a sh script text executable
/tmp/bgjeth31.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
bash-3.1$
I also did this:
Quote:
bash-3.1$ cat /tmp/com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh
#!/usr/bin/env sh

# This is an automatically generated Script.
# Usually this can be removed if the Generator
# was unable to remove the script after execution.

# Generator: com.izforge.izpack.util.os.unix.ShellScript
# $Id$
# Author: marc.eppelmann_at_gmx.de
# $Revision$
# Generated at: Sat May 09 23:43:38 EDT 2009


# /tmp/com.izforge.izpack.util.os.Unix_Shortcut12419270299536450866496261041279.sh
bash-3.1$
I suppose the .exe file could be tied in to Win4Lin, but I don't recall ever seeing it before. I'm pretty sure it's new.

I've run both rkhunter and chkrootkit; both say I'm OK.

Thank you,
-Joe

Last edited by joegumbo; 05-15-2009 at 09:04 AM.
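
The `file` check used in the posts above, extended to a whole directory so that files are judged by content and execute bit rather than by name. This is an added example, not part of any post in this thread; `classify_file` and `triage_dir` are hypothetical helper names, and the sample files are constructed stand-ins for the ones in the listing.

```shell
# Added example; classify_file and triage_dir are hypothetical helper names.

# Print a file's content type from its leading magic bytes.
classify_file() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo pe ;;      # "MZ": DOS/Windows executable
        7f454c46) echo elf ;;     # "\177ELF": native Linux binary
        2321*)    echo script ;;  # "#!": interpreter script
        1f8b*)    echo gzip ;;    # gzip stream (.gz, .tgz)
        *)        echo other ;;
    esac
}

# List regular files directly under a directory that are executable content
# or carry an execute bit. Output lines: "<type> <x|-> <owner> <path>".
# Assumes file names without embedded newlines.
triage_dir() {
    find "$1" -maxdepth 1 -type f | sort | while IFS= read -r f; do
        kind=$(classify_file "$f")
        if [ -x "$f" ]; then xbit=x; else xbit=-; fi
        case "$kind$xbit" in
            other-|gzip-) continue ;;   # inert data, no execute bit: skip
        esac
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "$kind $xbit $owner $f"
    done
}

# Constructed samples named after entries in the thread's listing
# (not the real files): a PE header stub, a generated script, a log.
demo=$(mktemp -d)
printf 'MZ\220\000' > "$demo/bgjeth31.exe"
printf '#!/usr/bin/env sh\n' > "$demo/Unix_Shortcut.sh"
chmod 755 "$demo/Unix_Shortcut.sh"
printf 'plain log text\n' > "$demo/build-kqemu.log"
triage_dir "$demo"    # reports the .exe and the .sh, not the log
rm -rf "$demo"
```

On a real system the call would be `triage_dir /tmp`; anything it reports can then be inspected with `file` and `cat` as was done above.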
 
Old 05-15-2009, 09:15 AM   #5
joegumbo
Member
 
Registered: Sep 2006
Distribution: Frugalware
Posts: 228

Original Poster
Rep: Reputation: 32
This is odd...

Yesterday, I wasn't able to manually remove these extraneous files from /tmp using rm and rm -r. (Yes, I was root.) After rebooting, they'd still be there. I just tried manually removing them again just now, and it worked.

Quote:
bash-3.1$ ls -l /tmp
total 16
-rw-r--r-- 1 root root 1001 2009-04-14 00:26 build-kqemu.log
drwxr-xr-x 2 joegumbo users 8 2009-05-14 20:16 hsperfdata_joegumbo
drwx------ 2 joegumbo users 4096 2009-05-15 10:15 kde-joegumbo
drwx------ 3 joegumbo users 4096 2009-05-15 10:15 ksocket-joegumbo
bash-3.1$

Last edited by joegumbo; 05-15-2009 at 09:20 AM.
 
Old 05-15-2009, 09:29 AM   #6
joegumbo
Member
 
Registered: Sep 2006
Distribution: Frugalware
Posts: 228

Original Poster
Rep: Reputation: 32
Generator: com.izforge.izpack.util.os.unix.ShellScript

seems to be related to PushToTest

http://www.siteadvisor.com/sites/pus...oads/13392373/

http://docs.pushtotest.com/docs/developers.html
 
  




All times are GMT -5.
