Slackware This Forum is for the discussion of Slackware Linux.
12-08-2013, 02:03 AM
#1
Member
Registered: May 2006
Posts: 137
Strange files in my root
I'm trying to migrate to a Slackware 14.1 server and I'm seeing some strange files in my root. This is with ext4.
central x64(/): ls -l -a
total 182K
drwxr-xr-x 24 root root 4.0K Dec 8 00:59 ./
drwxr-xr-x 24 root root 4.0K Dec 8 00:59 ../
drwxr-xr-x 24 root root 4.0K Dec 7 08:15 apps/
drwxr-xr-x 2 root root 4.0K Dec 6 00:59 bin/
... stuff ...
drwxr-xr-x 2 root root 12K Dec 5 04:09 sbin/
dr-xr-xr-x 11 root root 0 Dec 7 20:50 sys/
drwx------ 3 root root 4.0K Dec 8 01:49 temp/
drwxrwxrwt 13 root root 41K Dec 7 08:45 tmp/
drwxr-xr-x 16 root root 4.0K May 13 2013 usr/
drwxr-xr-x 14 root root 4.0K Dec 6 03:18 var/
-rw-r----- 1 root root 33 Dec 7 08:26 \340\020\320
-rw-r----- 1 root root 33 Dec 6 21:20 \340\020\371
-rw-r----- 1 root root 33 Dec 7 04:43 \3400\342\001
-rw-r----- 1 root root 33 Dec 6 23:07 \340P\272
-rw-r----- 1 root root 33 Dec 7 05:50 \340\240\024\002
-rw-r----- 1 root root 33 Dec 6 21:37 \340\240q
-rw-r----- 1 root root 33 Dec 6 06:12 \340\320\254\001
-rw-r----- 1 root root 33 Dec 8 00:59 \340\340I\002
-rw-r----- 1 root root 33 Dec 7 08:46 \340\340\206\001
Anyone know what these \240 files are or how to remove them? How do I know what is making them? One appears to have a q in it, so I cat *q* and I get "Killing the monitor and stopping".
12-08-2013, 02:33 AM
#2
LQ Addict
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,302
I don't know where they come from but it's easy to see their contents and remove them just escaping the escape, e.g.
Code:
cat \\340\\020\\320
rm \\340\\020\\320
IIRC a filename in Linux can include any character but <NUL> '\0' and <slash> '/', so the <backslash> '\' is valid (but should be escaped when needed).
Last edited by Didier Spaier; 12-08-2013 at 03:00 AM.
Reason: typos
12-08-2013, 02:54 AM
#3
LQ 5k Club
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842
Hi
If you are truly running a server then you might like to consider downloading rootkit hunter and the like.
2) After dl, save the tarball to a USB stick, then do a clean install of Slack, then run RKH with no net etc.
You may need to harden your server.
There are plenty of guides on hardening, and this link should get you started on RKH, with luck:
http://sourceforge.net/apps/trac/rkh...MPRKH#Contents
Consider also checking your router settings, and software settings for ssh etc.
I don't run a server myself
12-08-2013, 04:02 AM
#4
Amigo developer
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,928
That 'apps' folder is also non-standard.
12-08-2013, 05:56 AM
#5
Member
Registered: May 2006
Posts: 137
Original Poster
I deleted them with midnight commander because I couldn't escape them. I think they're from vmware tools maybe.
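Added example, not part of any post in the thread: GNU ls -b prints unprintable bytes as octal escapes, so a name shown as \340\020\320 holds the raw bytes 0xE0 0x10 0xD0 and can be matched by byte class and removed by find without typing it. The function names and the scratch directory are constructed for illustration, and a find with -maxdepth and -delete (GNU findutils) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Names that ls -b shows as \340\020\320
# hold the raw bytes 0xE0 0x10 0xD0, not backslashes, so match them by byte
# class and let find unlink them instead of typing the name.

# Run find over regular files directly inside a directory whose names
# contain a non-printable byte. LC_ALL=C makes the class test byte-wise.
# Extra arguments are appended as the find action.
odd_find() {
    dir=$1; shift
    LC_ALL=C find "$dir" -maxdepth 1 -type f -name '*[![:print:]]*' "$@"
}

# Inode, size and escaped name of each odd file, for review before deletion.
show_odd()   { odd_find "$1" -exec ls -lib -- {} +; }

# Number of odd files (counts the NUL terminators written by -print0).
count_odd()  { odd_find "$1" -print0 | tr -cd '\000' | wc -c | tr -d ' '; }

# Delete them; the name never passes through shell quoting.
remove_odd() { odd_find "$1" -delete; }

# Constructed sample: one name from the thread's listing, holding the
# 33-byte string the thread found, next to an ordinary file.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s' '*Killing the monitor and stopping' > "$d/$(printf '\340\020\320')"
    printf 'keep me\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample)
show_odd "$sample"
echo "odd files before: $(count_odd "$sample")"
remove_odd "$sample"
echo "odd files after:  $(count_odd "$sample")"
rm -rf -- "$sample"
```

On a real system, run show_odd first and keep a copy of the files' contents and timestamps before remove_odd, since they are the only record of what wrote them.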
12-08-2013, 09:52 AM
#6
Member
Registered: May 2006
Posts: 137
Original Poster
How do I know what program created a given file?
12-08-2013, 03:53 PM
#7
Member
Registered: Nov 2003
Posts: 528
Quote:
Originally Posted by kenw232
How do I know what program created a given file?
You can't. There is no record of the program or process ID which created a file, as far as I know. Not without some kind of filesystem auditing turned on.
I really doubt you have a rootkit or other malware. They try really hard to hide, and this is hardly hiding.
My guess is you have something running as root which is buggy, and creating junk files with junk names. (That in itself is scary.) But since you found a text string in the files, you could try searching programs for that string. (Perhaps: grep --files-with-matches --text 'Killing the monitor' *)
12-08-2013, 04:58 PM
#8
Member
Registered: Aug 2012
Posts: 484
Code:
$ echo -n "*Killing the monitor and stopping" | wc -c
33
Your weird files were all 33 bytes long so we'll assume all had the same string.
https://github.com/vrtadmin/clamav-d...onnpool.c#L247 might be somehow related.
Are you using clamav's sendmail milter by chance?
--mancha
Last edited by mancha; 12-09-2013 at 05:45 PM.
Reason: Fixed awkwardness.
1 members found this post helpful.
12-08-2013, 11:35 PM
#9
Member
Registered: May 2006
Posts: 137
Original Poster
Yes, I do run sendmail, clamav, and the clamav milter. I had an issue installing it too. Thanks. I'll take a closer look.
12-09-2013, 01:28 PM
#10
Member
Registered: Sep 2012
Distribution: Slackware-15
Posts: 121
Did you run some script or sed/awk commands that might have resulted in file creation? Sometimes it happens.
All times are GMT -5. The time now is 08:37 AM.