Old 12-08-2013, 02:03 AM   #1
kenw232
Member
 
Registered: May 2006
Posts: 137

Rep: Reputation: 12
Strange files in my root


I'm trying to migrate to a Slackware 14.1 server and I'm seeing some strange files in my root. This is with ext4.

central x64(/): ls -l -a
total 182K
drwxr-xr-x 24 root root 4.0K Dec 8 00:59 ./
drwxr-xr-x 24 root root 4.0K Dec 8 00:59 ../
drwxr-xr-x 24 root root 4.0K Dec 7 08:15 apps/
drwxr-xr-x 2 root root 4.0K Dec 6 00:59 bin/
... stuff ...
drwxr-xr-x 2 root root 12K Dec 5 04:09 sbin/
dr-xr-xr-x 11 root root 0 Dec 7 20:50 sys/
drwx------ 3 root root 4.0K Dec 8 01:49 temp/
drwxrwxrwt 13 root root 41K Dec 7 08:45 tmp/
drwxr-xr-x 16 root root 4.0K May 13 2013 usr/
drwxr-xr-x 14 root root 4.0K Dec 6 03:18 var/
-rw-r----- 1 root root 33 Dec 7 08:26 \340\020\320
-rw-r----- 1 root root 33 Dec 6 21:20 \340\020\371
-rw-r----- 1 root root 33 Dec 7 04:43 \3400\342\001
-rw-r----- 1 root root 33 Dec 6 23:07 \340P\272
-rw-r----- 1 root root 33 Dec 7 05:50 \340\240\024\002
-rw-r----- 1 root root 33 Dec 6 21:37 \340\240q
-rw-r----- 1 root root 33 Dec 6 06:12 \340\320\254\001
-rw-r----- 1 root root 33 Dec 8 00:59 \340\340I\002
-rw-r----- 1 root root 33 Dec 7 08:46 \340\340\206\001

Anyone know what these \240 files are or how to remove them? How do I know what is making them? One appears to have a q in it, so I cat *q* and I get "Killing the monitor and stopping".
 
Old 12-08-2013, 02:33 AM   #2
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,302

Rep: Reputation: Disabled
I don't know where they come from, but it's easy to see their contents and remove them by just escaping the escape, e.g.
Code:
cat \\340\\020\\320
rm \\340\\020\\320
IIRC a filename in Linux can include any character but <NUL> '\0' and <slash> '/', so the <backslash> '\' is valid (but should be escaped when needed).

Last edited by Didier Spaier; 12-08-2013 at 03:00 AM. Reason: typos
 
Old 12-08-2013, 02:54 AM   #3
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
Hi

if you are truly running a server then you might like to consider downloading rootkit hunter and the like

2) after dl save tarball to a usb stick then do a clean install of slack then run RKH with no net etc
You may need to harden your server.

There are plenty of guides on hardening and link should get you started on RKH, with luck
http://sourceforge.net/apps/trac/rkh...MPRKH#Contents

consider also checking on your router settings, and software setting for ssh etc.

I don't run a server myself
 
Old 12-08-2013, 04:02 AM   #4
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,928

Rep: Reputation: 613
That 'apps' folder is also non-standard.
 
Old 12-08-2013, 05:56 AM   #5
kenw232
Member
 
Registered: May 2006
Posts: 137

Original Poster
Rep: Reputation: 12
I deleted them with midnight commander because I couldn't escape them. I think they're from vmware tools maybe.
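
For names like the ones in the listing, assuming they are `ls -b` style octal escapes for single raw bytes (so `\340\020\320` is three bytes, not literal backslashes), letting the shell glob supply each name avoids typing or escaping it. This is an added example, not part of the thread; `quarantine_odd_names` and the `inode-<n>` layout are hypothetical, and files are moved rather than deleted so their contents and timestamps stay available.

```shell
#!/bin/sh
# Added example (not from the thread). Function name and quarantine
# layout are assumptions made for illustration.

# quarantine_odd_names DIR QUARANTINE_DIR
# Moves every regular file directly in DIR whose name contains a byte
# outside printable ASCII to QUARANTINE_DIR/inode-<n>, and prints one
# line per file: inode, size in bytes, name as octal byte values.
quarantine_odd_names() (
    LC_ALL=C; export LC_ALL            # treat file names as raw bytes
    dir=$1
    qdir=$2
    mkdir -p -- "$qdir" || exit 1
    for f in "$dir"/* "$dir"/.[!.]*; do
        # Regular files only; skip symlinks, directories, unmatched globs.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        # Drop everything that is not printable ASCII; any difference
        # means the name holds at least one odd byte.
        clean=$(printf '%s' "$name" | tr -cd '[:print:]')
        [ "$name" = "$clean" ] && continue
        inode=$(ls -di -- "$f" | awk '{ print $1 }')
        size=$(wc -c < "$f" | tr -d ' ')
        octal=$(printf '%s' "$name" | od -An -to1 | xargs)
        printf '%s %s %s\n' "$inode" "$size" "$octal"
        # Rename to a safe, inode-based name instead of deleting.
        mv -- "$f" "$qdir/inode-$inode"
    done
)
```

Called as `quarantine_odd_names / /root/quarantine`, it leaves normally named files untouched; the quarantined copies can then be inspected with `cat` or `strings` under their new names.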
 
Old 12-08-2013, 09:52 AM   #6
kenw232
Member
 
Registered: May 2006
Posts: 137

Original Poster
Rep: Reputation: 12
How do I know what program created a given file?
 
Old 12-08-2013, 03:53 PM   #7
ljb643
Member
 
Registered: Nov 2003
Posts: 528

Rep: Reputation: Disabled
Quote:
Originally Posted by kenw232
How do I know what program created a given file?
You can't. There is no record of the program or process ID which created a file, as far as I know. Not without some kind of filesystem auditing turned on.

I really doubt you have a rootkit or other malware. They try really hard to hide, and this is hardly hiding.

My guess is you have something running as root which is buggy, and creating junk files with junk names. (That in itself is scary.) But since you found a text string in the files, you could try searching programs for that string. (Perhaps: grep --files-with-matches --text 'Killing the monitor' *)
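
The filesystem auditing mentioned in this post, as an added example that is not from the thread: with the Linux audit subsystem, a watch rule records which executable created each file, and the function below pairs every created name with its `exe`. The log lines, the key `rootjunk` and `/usr/sbin/example-daemon` are constructed; audit writes names containing non-printable bytes as hex, which the function turns back into octal escapes like those in the listing.

```shell
# Added example (not from the thread). Assumed rule, run as root:
#   auditctl -w / -p wa -k rootjunk
# A directory watch also covers its subdirectories, so filter by key.
sample_audit_log() {    # constructed audit records, trimmed to key fields
cat <<'EOF'
type=SYSCALL msg=audit(1386487560.101:4711): arch=c000003e syscall=2 success=yes exit=5 items=2 pid=1432 uid=0 comm="example-daemon" exe="/usr/sbin/example-daemon" key="rootjunk"
type=CWD msg=audit(1386487560.101:4711): cwd="/"
type=PATH msg=audit(1386487560.101:4711): item=0 name="/" inode=2 nametype=PARENT
type=PATH msg=audit(1386487560.101:4711): item=1 name=E050BA inode=131 nametype=CREATE
type=SYSCALL msg=audit(1386487570.202:4712): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=1500 uid=0 comm="touch" exe="/usr/bin/touch" key="rootjunk"
type=PATH msg=audit(1386487570.202:4712): item=1 name="notes.txt" inode=132 nametype=CREATE
EOF
}

# audit_creators LOGFILE: print "exe<TAB>created name" per audit event.
audit_creators() {
    awk '
    function field(key,    i) {          # value of key=... in this record
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    function show(n,    hex, out, i, b) {   # audit name -> octal-escaped
        if (n ~ /^".*"$/) return substr(n, 2, length(n) - 2)
        if (n !~ /^[0-9A-Fa-f]+$/) return n
        hex = toupper(n); out = ""
        for (i = 1; i < length(hex); i += 2) {
            b = (index(H, substr(hex, i, 1)) - 1) * 16 + index(H, substr(hex, i + 1, 1)) - 1
            out = out ((b > 32 && b < 127 && b != 92) ? sprintf("%c", b) : sprintf("\\%03o", b))
        }
        return out
    }
    BEGIN { H = "0123456789ABCDEF" }
    { id = $2 }                          # msg=audit(time:serial): joins records
    $1 == "type=SYSCALL" { exe[id] = field("exe"); gsub(/"/, "", exe[id]) }
    $1 == "type=PATH" && field("nametype") == "CREATE" { made[id] = show(field("name")) }
    END { for (id in made) print exe[id] "\t" made[id] }
    ' "$1" | sort
}
```

On a live system the same pairing is available from `ausearch -k rootjunk -i`, which interprets the hex-encoded names itself.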
 
Old 12-08-2013, 04:58 PM   #8
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Code:
$ echo -n "*Killing the monitor and stopping" | wc -c
33
Your weird files were all 33 bytes long so we'll assume all had the same string.

https://github.com/vrtadmin/clamav-d...onnpool.c#L247 might be somehow related.

Are you using clamav's sendmail milter by chance?

--mancha

Last edited by mancha; 12-09-2013 at 05:45 PM. Reason: Fixed awkwardness.
 
1 members found this post helpful.
Old 12-08-2013, 11:35 PM   #9
kenw232
Member
 
Registered: May 2006
Posts: 137

Original Poster
Rep: Reputation: 12
Yes, I do run sendmail, clamav, and the clamav milter. I had an issue installing it too. Thanks. I'll take a closer look.
 
Old 12-09-2013, 01:28 PM   #10
GNU/Linux
Member
 
Registered: Sep 2012
Distribution: Slackware-15
Posts: 121

Rep: Reputation: Disabled
Did you run some script or sed/awk commands that might have resulted in file creation? Sometimes it happens.
 