You are not logged in.
- Topics: Active | Unanswered
#1 2017-02-18 12:55:55
- Nektarios
- Member
- Registered: 2013-02-19
- Posts: 90
strange big hidden binary files in user dir
I noticed (I know I took a long time to notice) some strange files in my ~/:
~ $ ls -lah
total 19G
drwx------ 1 nektarios nektarios 9.2K Φεβ 18 14:33 .
drwxr-xr-x 1 root root 44 Σεπ 26 2015 ..
-rw-r--r-- 1 nektarios nektarios 104 Οκτ 3 2015 1
-rw------- 1 nektarios nektarios 63 Οκτ 7 2015 :1
-rw------- 1 nektarios nektarios 29M Φεβ 12 13:18 .1001
-rw------- 1 nektarios nektarios 69M Φεβ 18 01:02 .1003
-rw------- 1 nektarios nektarios 3.3M Ιαν 28 22:38 .10437
-rw------- 1 nektarios nektarios 40M Ιαν 12 05:00 .1051
-rw------- 1 nektarios nektarios 3.3M Ιαν 28 22:15 .11195
-rw------- 1 nektarios nektarios 3.0M Ιαν 28 22:15 .11197
-rw------- 1 nektarios nektarios 30M Φεβ 14 21:28 .11264
-rw------- 1 nektarios nektarios 822M Φεβ 18 01:00 .11718
-rw------- 1 root root 22M Ιαν 16 03:09 .11819
-rw------- 1 root root 22M Ιαν 16 03:09 .12060
-rw------- 1 nektarios nektarios 364M Φεβ 5 22:27 .12142
-rw------- 1 root root 22M Ιαν 16 03:09 .12169
-rw------- 1 nektarios nektarios 3.3M Ιαν 31 01:37 .12215
-rw------- 1 nektarios nektarios 3.3M Ιαν 14 17:11 .1234
-rw------- 1 nektarios nektarios 2.3M Ιαν 25 01:15 .12343
-rw------- 1 nektarios nektarios 3.0M Ιαν 14 17:11 .1236
-rw------- 1 nektarios nektarios 3.2M Ιαν 25 01:15 .12422
-rw------- 1 nektarios nektarios 33M Ιαν 25 01:18 .12490
-rw------- 1 nektarios nektarios 29M Φεβ 12 06:59 .1301
-rw------- 1 nektarios nektarios 67M Φεβ 12 07:09 .1306
-rw------- 1 nektarios nektarios 365M Ιαν 31 01:37 .15627
-rw------- 1 nektarios nektarios 3.3M Ιαν 3 01:11 .16060
-rw------- 1 nektarios nektarios 3.0M Ιαν 3 01:11 .16062
-rw------- 1 nektarios nektarios 314M Φεβ 12 05:27 .16832
-rw------- 1 nektarios nektarios 3.3M Ιαν 8 21:54 .1691
-rw------- 1 nektarios nektarios 3.3M Ιαν 2 01:49 .17387
-rw------- 1 nektarios nektarios 3.0M Ιαν 2 01:49 .17389
-rw------- 1 nektarios nektarios 3.3M Ιαν 8 21:54 .1806
-rw------- 1 nektarios nektarios 3.0M Ιαν 8 21:54 .1810
-rw------- 1 root root 4.3G Ιαν 9 01:49 .19069
-rw------- 1 root root 3.6G Ιαν 9 02:18 .20373
-rw------- 1 nektarios nektarios 2.3M Ιαν 25 01:26 .21252
-rw------- 1 nektarios nektarios 30M Φεβ 14 21:07 .2134
-rw------- 1 nektarios nektarios 39M Ιαν 26 21:00 .21405
-rw------- 1 nektarios nektarios 2.3M Ιαν 16 00:58 .22309
-rw------- 1 nektarios nektarios 2.3M Ιαν 16 00:58 .22332
-rw------- 1 root root 22M Ιαν 16 02:31 .2279
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:51 .2298
-rw------- 1 nektarios nektarios 3.3M Ιαν 8 23:49 .23375
-rw------- 1 nektarios nektarios 3.0M Ιαν 8 23:49 .23377
-rw------- 1 nektarios nektarios 30M Φεβ 14 21:07 .2351
-rw------- 1 nektarios nektarios 3.3M Ιαν 7 04:14 .24754
-rw------- 1 nektarios nektarios 3.0M Ιαν 7 04:14 .24760
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:52 .2481
-rw------- 1 nektarios nektarios 3.3M Ιαν 28 22:58 .2489
-rw------- 1 nektarios nektarios 38M Ιαν 16 05:00 .25134
-rw------- 1 nektarios nektarios 2.7G Φεβ 5 22:26 .25213
-rw------- 1 nektarios nektarios 30M Φεβ 14 20:57 .27049
-rw------- 1 nektarios nektarios 30M Φεβ 14 20:58 .27289
-rw------- 1 nektarios nektarios 3.3M Ιαν 28 23:01 .2765
-rw------- 1 nektarios nektarios 3.0M Ιαν 28 23:01 .2769
-rw------- 1 nektarios nektarios 2.3M Φεβ 7 10:26 .28514
-rw------- 1 nektarios nektarios 794M Φεβ 12 05:10 .28552
-rw------- 1 nektarios nektarios 30M Φεβ 13 00:32 .2934
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:52 .2971
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:52 .3132
-rw------- 1 nektarios nektarios 3.3M Ιαν 8 21:53 .31447
-rw------- 1 root root 3.5G Ιαν 9 02:20 .31807
-rw------- 1 nektarios nektarios 29M Φεβ 12 12:12 .31880
-rw------- 1 nektarios nektarios 65M Φεβ 12 12:13 .32009
-rw------- 1 nektarios nektarios 29M Φεβ 12 12:13 .32014
-rw------- 1 nektarios nektarios 29M Φεβ 12 13:02 .3230
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:54 .3253
-rw------- 1 nektarios nektarios 2.3M Φεβ 11 21:41 .3759
-rw------- 1 nektarios nektarios 3.2M Ιαν 25 01:09 .3814
-rw------- 1 nektarios nektarios 30M Φεβ 14 21:17 .3934
-rw------- 1 nektarios nektarios 2.4G Δεκ 31 23:36 .3996
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:42 .4135
-rw------- 1 nektarios nektarios 2.7G Φεβ 11 23:51 .4694
-rw------- 1 nektarios nektarios 2.4G Δεκ 31 23:38 .4916
-rw------- 1 nektarios nektarios 3.3M Φεβ 5 22:27 .536
-rw------- 1 nektarios nektarios 3.0M Φεβ 5 22:27 .542
-rw------- 1 nektarios nektarios 3.0M Φεβ 11 21:44 .5896
-rw------- 1 nektarios nektarios 2.3G Φεβ 11 21:46 .6985
-rw------- 1 nektarios nektarios 1.4M Ιαν 8 21:54 .705
-rw------- 1 nektarios nektarios 3.0M Φεβ 12 05:10 .7094
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 23:52 .7118
-rw------- 1 nektarios nektarios 1.3G Φεβ 12 05:25 .7341
-rw------- 1 nektarios nektarios 3.3M Ιαν 28 23:18 .7346
-rw------- 1 nektarios nektarios 3.3M Ιαν 28 23:18 .7471
-rw------- 1 nektarios nektarios 3.0M Ιαν 28 23:18 .7473
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 23:52 .7524
-rw------- 1 nektarios nektarios 2.3M Φεβ 11 21:40 .759
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 23:53 .7825
-rw------- 1 nektarios nektarios 1.3M Φεβ 9 23:56 .784
-rw------- 1 nektarios nektarios 3.2M Ιαν 25 01:07 .792
-rw------- 1 nektarios nektarios 2.5G Φεβ 11 21:51 .826
-rw------- 1 nektarios nektarios 30M Φεβ 14 21:25 .8831
-rw------- 1 nektarios nektarios 39M Φεβ 7 23:00 .886
-rw------- 1 nektarios nektarios 2.3M Φεβ 12 04:30 .8896
-rw------- 1 nektarios nektarios 40M Ιαν 30 11:00 .907
-rw------- 1 nektarios nektarios 40M Φεβ 2 21:00 .915
-rw------- 1 nektarios nektarios 39M Ιαν 14 21:00 .927
-rw------- 1 nektarios nektarios 29M Φεβ 12 12:53 .942
-rw------- 1 nektarios nektarios 3.3M Φεβ 5 23:20 .992
-rw------- 1 nektarios nektarios 3.3M Φεβ 12 04:19 .994
-rw------- 1 nektarios nektarios 3.0M Φεβ 12 04:19 .996
-rw------- 1 nektarios nektarios 30M Φεβ 14 21:02 .999
--- SNIP: other normal files ---With less I can see that they are binary files and they have ELF headers which means they are executables. This is all I know so far, anyone knows or can guess what they are and if they are leftovers of a privacy/exploit issue somewhere? This is my personal pc it's not in production or accessible from anywhere.
My wildest guess is that they may be some kind of core dumps, but from which application? I want to get rid of them asap, but I have to know what they are first.
Last edited by Nektarios (2017-02-18 12:56:45)
Offline
#2 2017-02-18 21:47:14
- Starfish
- Member
- From: Germany
- Registered: 2015-10-21
- Posts: 134
Re: strange big hidden binary files in user dir
I vaguely remember a similar issue on these forums and it turned out that the OP run 'cat' on a binary. But I am not willing to try this on my machine :-)
If this isn't it:
On the one hand, the file names could resemble PIDs. On the other hand, they are executables and could be running themselves. For both cases, did you look at 'top'?
Have you checked 'lsof' of the files?
Last edited by Starfish (2017-02-18 21:53:54)
"Yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called the present." - Master Oogway
Offline
#3 2017-02-19 23:53:44
- Nektarios
- Member
- Registered: 2013-02-19
- Posts: 90
Re: strange big hidden binary files in user dir
Ofcourse none of them are running and I checked some with lsof and nothing is using them.
They are really very strange because some of them are 3GB+ and they still start with ELF header and I never seen any executable being that big. Also some of them are owned by my user and a few of them owned by root.
Offline
#4 2017-02-20 00:08:58
- oliver
- Member
- Registered: 2007-12-12
- Posts: 448
Re: strange big hidden binary files in user dir
Try running strings?
# strings <file> | more
Offline
#5 2017-02-20 20:23:33
- Nektarios
- Member
- Registered: 2013-02-19
- Posts: 90
Re: strange big hidden binary files in user dir
Try running strings?
# strings <file> | more
Thanks, I did and I think I found what they are. They are definetely core dumps (CORE strings are the first in the output of strings). It seems that whatever application crashes and dumps core it gets dumped in my user dir in the format .[pid].
I have a feeling systemd is implicated in this somehow.
Offline
#6 2017-02-20 21:20:37
- loqs
- Member
- Registered: 2014-03-06
- Posts: 18,310
Re: strange big hidden binary files in user dir
I have a feeling systemd is implicated in this somehow.
That seems unlikely see Core_dump#Where_do_they_go and coredumpctl
Offline
#7 2017-02-20 22:04:40
- Nektarios
- Member
- Registered: 2013-02-19
- Posts: 90
Re: strange big hidden binary files in user dir
Nektarios wrote:I have a feeling systemd is implicated in this somehow.
That seems unlikely see Core_dump#Where_do_they_go and coredumpctl
You are right, I even had systemd core dumps disabled (with Storage=none in the conf). So something else is producing these. Anyway I deleted them and I'll take note next time I see one, maybe I'll catch it then. Thanks all.
Offline
#8 2017-02-20 22:20:04
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,333
- Website
Re: strange big hidden binary files in user dir
Too late now, but if they come back you can use gdb to get a lot more information - at very least what program they are coming from.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline