LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-24-2005, 02:16 PM   #1
tom_from_van
Member
 
Registered: Jul 2005
Posts: 50

Rep: Reputation: 15
'funny' files in /tmp/orbit-root/


I have 10 or 20 strange files in a folder called /tmp/orbit-root/ that have names like
linc-e8e-0-2b61a9f6550a1, and are of the type "x-special socket", are zero bytes, and have the permission string: -rwxr-xr-x (755).
Also, I seem to always have 2 instances of dhclient running:
udp 0 0 *:bootpc *:* 1857/dhclient
udp 0 0 *:bootpc *:* 1367/dhclient
.
Does anyone know offhand if this is normal?
 
Old 07-24-2005, 08:06 PM   #2
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Offhand yes this is perfectly normal. Dhclient would be run if you're network card is set to get its IP off your ISP using DHCP, this is probably the most common configuration these days.
The /tmp/orbit stuff is created by the ORBit CORBA thingo. This is a normal system component used in many GUI apps - mainly those that use GTK and/or GNOME.

Code:
rpm -qi ORBit

ORBit is a high-performance CORBA (Common Object Request Broker
Architecture) ORB (object request broker). It allows programs to send
requests and receive replies from other programs, regardless of the
locations of the two programs. CORBA is an architecture that enables
communication between program objects, regardless of the programming
language they are written in or the operating system they run on.

You will need to install this package and ORBit-devel if you want to
write programs that use CORBA technology
 
Old 07-24-2005, 11:07 PM   #3
tom_from_van
Member
 
Registered: Jul 2005
Posts: 50

Original Poster
Rep: Reputation: 15
Thanks for the response --- I'm new to *NIX. I guess this CORBA is as close a protocol to COM & DCOM as there is. I lock down my firewall with
:FORWARD DROP [0:0]
:INPUT DROP [4:764]
:OUTPUT DROP [32:2292]
when I'm not using the system, but I notice ethereal can still log any packets on the wire, my point being that perhaps a trojan could still receive input even under this draconian ruleset, maybe masquerading as dhclient to call home? Well, I suppose if there is already such a process running to start with, all is lost, and the only way a firewall can be effective is if it's running on a clean system and all it can realisticaly be expected to do is help keep a clean system clean --- it's unreal;istic to think it can uncompromise a compromised box.

thanks. I guess I can consider this issue resolved.
 
Old 07-24-2005, 11:34 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Ethereal captures raw packets directly from the interface. It is possible, but unlikely, for software to do the same. I also believe that it is IMPOSSIBLE for software to send packets without it traversing IPTables: hence, only one side of a conversation would work, making a TCP connection impossible.
 
Old 07-24-2005, 11:38 PM   #5
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
ethereal can still log any packets on the wire
Of course - ethereal can still see the packets coming into or out of your machine wether the firewall ends up dropping them or rejecting them or whatever doesn't matter because ethereal's packet capture driver works at a low level. This is why it usually asks you to run it as root when you start it.

Quote:
Well, I suppose if there is already such a process running to start with, all is lost
Yeah exactly. Even if you blocked everything incoming and outgoing except for port 80 outgoing your trojan could still contact the hacker's computer on port 80 and establish a connection. Trojans and viruses are extremely rare on linux, to the point where as long as you don't do anything stupid you dont have to worry about them.
 
Old 07-26-2005, 02:30 PM   #6
tom_from_van
Member
 
Registered: Jul 2005
Posts: 50

Original Poster
Rep: Reputation: 15
-------------------
Trojans and viruses are extremely rare on linux, to the point where as long as you don't do anything stupid you dont have to worry about them.
------------------

Yep --- thats why I switched. Too much trouble keeping the rabble out of my winXP system --- compounded by the fact that windows doesn't come with much ware to start with, necessitating the downloading of many (potentialy treacherous) apps that you can never be too sure of because they're proprietary and default-configured for minimizing support calls, not maximim security (ie all services up, remote desktop available for 'support people', etc). You know, with winXP home, you're simply not supposed to be able to remove the guest account or prevent null sessions? And I don't even have anything valuable on my system, all they're after is my lousy megabit class bandwidth --- the lamers.

OK, thanks guys --- I guess this one's resolved now, too.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
/tmp files Risc91 AIX 4 01-18-2005 02:06 PM
Root directories /tmp, /var, /etc ninmonkeys Linux - General 7 11-21-2004 01:49 PM
Deleting tmp files satimis Fedora 6 10-31-2004 08:59 PM
Changing Orbit tmp location ciaran_skye Mandriva 0 06-15-2004 01:37 PM
Numerous scb_*.tmp files in /tmp dburk Programming 3 08-18-2003 04:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:20 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration