LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   'funny' files in /tmp/orbit-root/ (https://www.linuxquestions.org/questions/linux-security-4/funny-files-in-tmp-orbit-root-346285/)

tom_from_van 07-24-2005 02:16 PM

'funny' files in /tmp/orbit-root/
 
I have 10 or 20 strange files in a folder called /tmp/orbit-root/ that have names like
linc-e8e-0-2b61a9f6550a1, and are of the type "x-special socket", are zero bytes, and have the permission string: -rwxr-xr-x (755).
Also, I seem to always have 2 instances of dhclient running:

Code:

udp 0 0 *:bootpc *:* 1857/dhclient
udp 0 0 *:bootpc *:* 1367/dhclient

Does anyone know offhand if this is normal?

tkedwards 07-24-2005 08:06 PM

Offhand, yes, this is perfectly normal. dhclient would be run if your network card is set to get its IP off your ISP using DHCP; this is probably the most common configuration these days.
The /tmp/orbit stuff is created by the ORBit CORBA thingo. This is a normal system component used in many GUI apps - mainly those that use GTK and/or GNOME.

Code:

rpm -qi ORBit

ORBit is a high-performance CORBA (Common Object Request Broker
Architecture) ORB (object request broker). It allows programs to send
requests and receive replies from other programs, regardless of the
locations of the two programs. CORBA is an architecture that enables
communication between program objects, regardless of the programming
language they are written in or the operating system they run on.

You will need to install this package and ORBit-devel if you want to
write programs that use CORBA technology

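As an added check, written for this page rather than taken from the thread or from the ORBit project: a small Python audit that lists what is actually in an orbit scratch directory, the way the original question asks, and flags anything that is not a zero-length socket with the `linc-` prefix owned by the expected user. The directory path and the expected uid are parameters (the default path `/tmp/orbit-root` is the one from the question); the prefix check and the "zero bytes" expectation come from what the poster observed, not from ORBit documentation.

```python
import os
import stat
import sys
from pathlib import Path

# Example audit of an ORBit scratch directory such as /tmp/orbit-root/.
# This is added example code, not part of ORBit or of the thread.

EXPECTED_PREFIX = "linc-"   # the name prefix the poster observed


def classify_entry(path: Path) -> dict:
    """Describe one directory entry: type, size, mode bits and owner uid."""
    st = path.lstat()
    mode = st.st_mode
    if stat.S_ISSOCK(mode):
        kind = "socket"
    elif stat.S_ISREG(mode):
        kind = "regular"
    elif stat.S_ISDIR(mode):
        kind = "directory"
    elif stat.S_ISLNK(mode):
        kind = "symlink"
    else:
        kind = "other"
    return {
        "name": path.name,
        "kind": kind,
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(mode)),
        "uid": st.st_uid,
    }


def audit_orbit_dir(directory, expected_uid=None):
    """Return (entries, findings).

    An entry is considered expected when it is a zero-length socket whose name
    starts with EXPECTED_PREFIX and (if expected_uid is given) is owned by that
    uid. Everything else is reported as a finding for a human to look at.
    """
    entries = []
    findings = []
    for p in sorted(Path(directory).iterdir()):
        info = classify_entry(p)
        entries.append(info)
        if info["kind"] != "socket":
            findings.append(
                f"{info['name']}: not a socket ({info['kind']}, {info['size']} bytes)")
        elif not info["name"].startswith(EXPECTED_PREFIX):
            findings.append(f"{info['name']}: socket with an unexpected name")
        elif info["size"] != 0:
            findings.append(f"{info['name']}: socket entry with non-zero size")
        elif expected_uid is not None and info["uid"] != expected_uid:
            findings.append(
                f"{info['name']}: owned by uid {info['uid']}, expected {expected_uid}")
    return entries, findings


if __name__ == "__main__":
    # Usage: python3 audit_orbit.py [directory]; defaults to the path from the question.
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/orbit-root"
    ents, notes = audit_orbit_dir(target, expected_uid=os.getuid())
    for e in ents:
        print(f"{e['kind']:9} {e['mode']:>6} uid={e['uid']:<6} {e['size']:>4}B  {e['name']}")
    print("findings:" if notes else "no findings")
    for n in notes:
        print("  " + n)
```

The mode bits are printed but not judged, because a freshly bound Unix socket simply inherits 0777 masked by the process umask (0755 with the usual umask of 022, which matches the poster's listing); what matters for the question is that the entries are sockets, are empty, and belong to the user whose desktop session created them.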

tom_from_van 07-24-2005 11:07 PM

Thanks for the response --- I'm new to *NIX. I guess this CORBA is as close a protocol to COM & DCOM as there is. I lock down my firewall with

Code:

:FORWARD DROP [0:0]
:INPUT DROP [4:764]
:OUTPUT DROP [32:2292]

when I'm not using the system, but I notice ethereal can still log any packets on the wire. My point being that perhaps a trojan could still receive input even under this draconian ruleset, maybe masquerading as dhclient to call home? Well, I suppose if there is already such a process running to start with, all is lost, and the only way a firewall can be effective is if it's running on a clean system; all it can realistically be expected to do is help keep a clean system clean --- it's unrealistic to think it can uncompromise a compromised box.
:)
thanks. I guess I can consider this issue resolved.

Matir 07-24-2005 11:34 PM

Ethereal captures raw packets directly from the interface. It is possible, but unlikely, for software to do the same. I also believe that it is IMPOSSIBLE for software to send packets without it traversing IPTables: hence, only one side of a conversation would work, making a TCP connection impossible.

tkedwards 07-24-2005 11:38 PM

Quote:

ethereal can still log any packets on the wire
Of course - ethereal can still see the packets coming into or out of your machine; whether the firewall ends up dropping them or rejecting them or whatever doesn't matter, because ethereal's packet capture driver works at a low level. This is why it usually asks you to run it as root when you start it.

Quote:

Well, I suppose if there is already such a process running to start with, all is lost
Yeah, exactly. Even if you blocked everything incoming and outgoing except for port 80 outgoing, your trojan could still contact the hacker's computer on port 80 and establish a connection. Trojans and viruses are extremely rare on Linux, to the point where as long as you don't do anything stupid you don't have to worry about them.

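A defender's follow-up to the point above about a process calling home over an allowed port (example code added for this page, not from any poster): since a DROP policy does not stop an already-running process from holding sockets, the practical check is to look at which programs actually have connections open. The script below parses `netstat -tunp`-style output, reports established connections to web ports made by programs that are not on an allowlist, and lists pids per program name so duplicates such as the two dhclient entries are visible at a glance. The sample lines are constructed except for the two dhclient lines quoted in the question; the regex assumes the classic netstat column layout (proto, Recv-Q, Send-Q, local, foreign, optional state, PID/Program).

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -tunp` output. Only the two dhclient lines
# come from the thread; the rest are made up to exercise the checks.
SAMPLE_NETSTAT = """\
udp        0      0 *:bootpc                *:*                     1857/dhclient
udp        0      0 *:bootpc                *:*                     1367/dhclient
tcp        0      0 192.168.1.5:43122       203.0.113.10:80         ESTABLISHED 2211/firefox-bin
tcp        0      0 192.168.1.5:43123       198.51.100.7:80         ESTABLISHED 3090/unknownproc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      912/cupsd
"""

# One netstat row: proto, two queue counters, local and foreign address,
# an optional TCP state, then PID/Program. UDP rows carry no state column.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)/(?P<prog>\S+)\s*$"
)


def parse_netstat(text):
    """Return a list of dicts, one per socket line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def split_port(addr):
    """'203.0.113.10:80' -> ('203.0.113.10', '80'); also copes with '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def outbound_web_connections(rows, allowed_programs, ports=("80", "443")):
    """Established TCP connections to a web port by a program not on the allowlist.

    This is the observable the thread describes: a process using an egress
    port that the firewall permits. Returns (pid, program, remote) tuples.
    """
    hits = []
    for r in rows:
        if r["proto"].startswith("tcp") and r["state"] == "ESTABLISHED":
            _, port = split_port(r["remote"])
            if port in ports and r["prog"] not in allowed_programs:
                hits.append((r["pid"], r["prog"], r["remote"]))
    return hits


def programs_by_name(rows):
    """Map program name -> sorted pids, so multiple instances stand out."""
    by_name = defaultdict(set)
    for r in rows:
        by_name[r["prog"]].add(int(r["pid"]))
    return {name: sorted(pids) for name, pids in by_name.items()}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for name, pids in sorted(programs_by_name(rows).items()):
        print(f"{name:14} pids={pids}")
    for pid, prog, remote in outbound_web_connections(rows, {"firefox-bin"}):
        print(f"review: pid {pid} ({prog}) has an established connection to {remote}")
```

Two dhclient pids is what you get with one client per interface, which is why it is a listing to eyeball rather than an alert; the allowlist check is the part worth running regularly, and a listing like this is only trustworthy on a machine you already believe is clean, for exactly the reason the thread gives.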
tom_from_van 07-26-2005 02:30 PM

Quote:

Trojans and viruses are extremely rare on Linux, to the point where as long as you don't do anything stupid you don't have to worry about them.

Yep --- that's why I switched. Too much trouble keeping the rabble out of my winXP system --- compounded by the fact that windows doesn't come with much ware to start with, necessitating the downloading of many (potentially treacherous) apps that you can never be too sure of because they're proprietary and default-configured for minimizing support calls, not maximum security (i.e. all services up, remote desktop available for 'support people', etc). You know, with winXP home, you're simply not supposed to be able to remove the guest account or prevent null sessions? And I don't even have anything valuable on my system; all they're after is my lousy megabit class bandwidth --- the lamers.

OK, thanks guys --- I guess this one's resolved now, too.
:)

