[SOLVED]Random files in home directory

varun · 2017-06-12 14:40:30

Hi all,

I am facing a new problem in my system, random files are being created and deleted instantaneously in my home directory and I am worried if it is a malware

>>moderator edit: Removed large image. Please read Code of conduct: Pasting pictures and code and screenshot posting rules. Thanks. --fsckd<<

Edit Sorry for embedding large image, here is link to screenshot: http://imgur.com/a/Mf6Df

As soon as I refresh the directory all these files are gone.

So I tried using inotify-tools

$ inotifywait --monitor --event CREATE --event DELETE  ~
Setting up watches.
Watches established.
/home/varun/ CREATE CuaNLp0Z
/home/varun/ CREATE S3SV6J
/home/varun/ DELETE S3SV6J
/home/varun/ CREATE 8xFhJf
/home/varun/ DELETE 8xFhJf
/home/varun/ CREATE CuyIw86h
/home/varun/ CREATE ztsvcU
/home/varun/ DELETE ztsvcU
/home/varun/ CREATE MWElvA
/home/varun/ DELETE MWElvA

Then to get name of process I used the following script

#!/bin/sh
inotifywait -m --event CREATE  --format '%w%f' ~ | \
  while read filename; do
    echo $filename;
    lsof $filename;
     done
  done

And even before lsof begins checking these files, they are deleted

$ ./inotify.sh
Setting up watches.
Watches established.
/home/varun/Cu8J5n1g
lsof: status error on /home/varun/Cu8J5n1g: No such file or directory
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.
/home/varun/rm2DGY
lsof: status error on /home/varun/rm2DGY: No such file or directory
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.
/home/varun/wankug
lsof: status error on /home/varun/wankug: No such file or directory
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.

I tried closing all programs (except gnome shell) but no luck.

Last edited by varun (2017-06-13 07:58:34)

seth · 2017-06-12 15:03:46

iotop should expose a process with heavy IO load, even top might have this on the top (unless it's a shell bomb or so) - otherwise you'll probably have to go for auditing: https://wiki.archlinux.org/index.php/Audit_framework

Als "closing all programs" - had a look at "ps aux" for strange processes?

Ropid · 2017-06-12 15:26:32

Check out the tool "fatrace". It prints process names together with file names, basically what your script was supposed to do. There's a package for it in the AUR.

drcouzelis · 2017-06-12 16:35:22

Did you install any software WITHOUT using pacman / AUR?

Can you please post your list of installed packages using "pacman -Qq" (and [ code ] tags)?

varun · 2017-06-12 16:46:49

Thank you for suggestions. Auditing seemed pretty lengthy so I will keep it for last

I got output of ftrace

sudo fatrace -f W 
convert(20874): RCWO /home/varun/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile
convert(20874): CWO /home/varun/qPd7RE (deleted)
convert(20874): CW /home/varun/qPd7RE (deleted)
convert(20874): CWO /home/varun/aAxUQ7 (deleted)
convert(20874): CW /home/varun/aAxUQ7 (deleted)
convert(21525): CWO /home/varun/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile
convert(21525): CW /home/varun/8TWRvX
convert(21525): CW /home/varun/8TWRvX
convert(21525): CW /home/varun/dUYJlB
convert(21525): CW /home/varun/dUYJlB
convert(22178): CWO /home/varun/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile
convert(22178): CW /home/varun/zqYXzi (deleted)
convert(22178): CW /home/varun/zqYXzi (deleted)
convert(22178): CW /home/varun/PF0qd7
convert(22178): CW /home/varun/PF0qd7 (deleted)
convert(22829): CWO /home/varun/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile
convert(22829): CWO /home/varun/oO2CUz (deleted)
convert(22829): CW /home/varun/oO2CUz (deleted)
convert(22829): CW /home/varun/jt89gz
convert(22829): CW /home/varun/jt89gz (deleted)
convert(23481): RCWO /home/varun/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile
convert(23481): CWO /home/varun/8oGTLX (deleted)
convert(23481): CW /home/varun/8oGTLX (deleted)
convert(23481): CWO /home/varun/1q97X7 (deleted)
convert(23481): CW /home/varun/1q97X7 (deleted)
convert(24137): RCWO /home/varun/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile
convert(24137): CW /home/varun/lalvIh
convert(24137): CW /home/varun/lalvIh
convert(24137): CW /home/varun/C8dmGC
convert(24137): CW /home/varun/C8dmGC

I couldn't find convert in system monitor, I will dig it.

Only such package was netbeans. Other software that I use without AUR are standalone tools - Eclipse, clion, android studio etc.

This is full list

a52dec
aalib
accountsservice
acl
acroread
adapta-gtk-theme
adwaita-icon-theme
alarm-clock-applet
alsa-lib
alsa-oss
alsa-plugins
android-tools
apache
apr
apr-util
arch-install-scripts
archlinux-keyring
aria2
aspell
at-spi2-atk
at-spi2-core
atk
atkmm
attr
autoconf
automake
avahi
babl
baobab
bash
bash-completion
bc
binutils
bison
blas
bleachbit
bluez
bluez-libs
bogofilter
boost
boost-libs
brltty
broadcom-wl-dkms
btrfs-progs
bzip2
c-ares
ca-certificates
ca-certificates-cacert
ca-certificates-mozilla
ca-certificates-utils
cabextract
cairo
cairomm
cantarell-fonts
caribou
cblas
cdparanoia
cdrtools
celt
celt0.5.1
cfitsio
cheese
chromaprint
chrome-gnome-shell-git
chromium
chromium-pepper-flash
cifs-utils
clang
clearlooks-phenix-gtk-theme-git
clementine
clonezilla
clucene
clutter
clutter-gst
clutter-gst2
clutter-gtk
cmake
codeblocks
cogl
colord
colord-gtk
composer
compositeproto
coreutils
cower
cracklib
crda
create_ap
crypto++
cryptsetup
ctags
ctemplate
cups-pk-helper
curl
customizepkg
damageproto
db
dbus
dbus-glib
dcadec
dconf
dconf-editor
deluge
desktop-file-utils
devhelp
device-mapper
dhclient
dhcpcd
dialog
diffutils
djvulibre
dkms
dnsmasq
dnssec-anchors
dosbox
dosfstools
dotconf
double-conversion
doxygen
drbl
e2fsprogs
eclipse-ecj
ecryptfs-utils
efibootmgr
efivar
elfutils
empathy
enca
enchant
eog
espeak
evince
evolution-data-server
exempi
exfat-utils
exiv2
expac
expat
expect
f2fs-tools
faac
faad2
fakeroot
farstream
fatrace
fbreader
ffmpeg
ffmpeg2.8
fftw
file
file-roller
filesystem
filezilla
findutils
firefox
fixesproto
flac
flashplugin
flex
fluidsynth
folks
fontconfig
fontforge
fontsproto
freeglut
freetype2
frei0r-plugins
fribidi
fuse-common
fuse2
gamin
gavl
gawk
gc
gcc-libs-multilib
gcc-multilib
gcc5
gconf
gcr
gd
gdal
gdb
gdb-common
gdbm
gdk-pixbuf2
gdm
gedit
gegl
gegl02
geoclue2
geocode-glib
geoip
geoip-database
geos
gettext
ghostscript
giflib
gimp
gimp-plugin-saveforweb
git
gjs
gksu
glew
glib-networking
glib2
glibc
glibmm
glu
gmime
gmp
gnome-autoar
gnome-backgrounds
gnome-bluetooth
gnome-calculator
gnome-color-manager
gnome-contacts
gnome-control-center
gnome-desktop
gnome-dictionary
gnome-disk-utility
gnome-font-viewer
gnome-icon-theme
gnome-icon-theme-symbolic
gnome-keyring
gnome-menus
gnome-music
gnome-online-accounts
gnome-screenshot
gnome-session
gnome-settings-daemon
gnome-shell
gnome-shell-extensions
gnome-shell-theme-nord
gnome-shell-themes-elegance-colors
gnome-system-log
gnome-system-monitor
gnome-terminal
gnome-themes-standard
gnome-tweak-tool
gnome-user-docs
gnome-user-share
gnome-video-effects
gnu-netcat
gnupg
gnutls
gobject-introspection-runtime
gom
gpart
gparted
gperf
gpgme
gpm
gptfdisk
graphene
graphite
graphviz
grep
grilo
grilo-plugins
groff
grub
gsettings-desktop-schemas
gsfonts
gsl
gsm
gspell
gst-libav
gst-plugins-bad
gst-plugins-base
gst-plugins-base-libs
gst-plugins-good
gstreamer
gtk-engine-murrine
gtk-engines
gtk-theme-arc-git
gtk-theme-evolve
gtk-update-icon-cache
gtk2
gtk3
gtk3-print-backends
gtkglext
gtkmm
gtkmm3
gtksourceview3
gtkspell
gtkspell3
gts
gucharmap
guile
guile1.8
guile2.0
gvfs
gvfs-mtp
gzip
harfbuzz
harfbuzz-icu
hdf5
hicolor-icon-theme
highlight
hostapd
hspell
http-parser
hunspell
hunspell-en
hunspell-en_GB
hunspell-en_US
hwids
hwloc
hyphen
iana-etc
icoutils
icu
ijs
ilmbase
imagemagick
imlib2
inetutils
iniparser
inkscape
inotify-tools
inputproto
intel-tbb
iproute2
iptables
iputils
iso-codes
iw
jack
jansson
jasper
java-commons-daemon
java-environment-common
java-jline
java-jsvc
java-rhino
java-runtime-common
jbig2dec
jdk
jemalloc
jfsutils
jmtpfs
jre8-openjdk-headless
js
js17
js38
json-c
json-glib
jsoncpp
kbd
kbproto
keyutils
kmod
krb5
ladspa
lame
lapack
lbzip2
lcms
lcms2
ldb
ldns
less
lib32-acl
lib32-alsa-lib
lib32-alsa-oss
lib32-alsa-plugins
lib32-atk
lib32-attr
lib32-bzip2
lib32-cairo
lib32-db
lib32-dbus
lib32-e2fsprogs
lib32-expat
lib32-flac
lib32-fontconfig
lib32-freetype2
lib32-gcc-libs
lib32-gdk-pixbuf2
lib32-gettext
lib32-giflib
lib32-glib2
lib32-glibc
lib32-glu
lib32-gmp
lib32-gnutls
lib32-gtk2
lib32-harfbuzz
lib32-icu
lib32-jack
lib32-json-c
lib32-keyutils
lib32-krb5
lib32-lcms2
lib32-libasyncns
lib32-libcap
lib32-libcups
lib32-libdatrie
lib32-libdrm
lib32-libelf
lib32-libffi
lib32-libgcrypt
lib32-libglvnd
lib32-libgpg-error
lib32-libice
lib32-libidn
lib32-libjpeg-turbo
lib32-libldap
lib32-libltdl
lib32-libmng
lib32-libnl
lib32-libogg
lib32-libpcap
lib32-libpciaccess
lib32-libpng
lib32-libpulse
lib32-libsamplerate
lib32-libsm
lib32-libsndfile
lib32-libtasn1
lib32-libthai
lib32-libtiff
lib32-libtxc_dxtn
lib32-libusb
lib32-libvorbis
lib32-libx11
lib32-libxau
lib32-libxcb
lib32-libxcomposite
lib32-libxcursor
lib32-libxdamage
lib32-libxdmcp
lib32-libxext
lib32-libxfixes
lib32-libxft
lib32-libxi
lib32-libxinerama
lib32-libxml2
lib32-libxrandr
lib32-libxrender
lib32-libxshmfence
lib32-libxslt
lib32-libxss
lib32-libxt
lib32-libxtst
lib32-libxv
lib32-libxxf86vm
lib32-llvm-libs
lib32-lm_sensors
lib32-mesa
lib32-mpg123
lib32-ncurses
lib32-nettle
lib32-openal
lib32-openssl
lib32-p11-kit
lib32-pango
lib32-pcre
lib32-pixman
lib32-readline
lib32-sdl
lib32-speex
lib32-speexdsp
lib32-sqlite
lib32-systemd
lib32-util-linux
lib32-v4l-utils
lib32-wayland
lib32-xz
lib32-zlib
libabw
libaio
libantlr3c
libao
libarchive
libass
libassuan
libasyncns
libatasmart
libatomic_ops
libavc1394
libbluray
libbsd
libburn
libcaca
libcacard
libcanberra
libcanberra-pulse
libcap
libcap-ng
libcdaudio
libcddb
libcdio
libcdio-paranoia
libcdr
libcgroup
libchamplain
libcmis
libcroco
libcryptui
libcue
libcups
libcurl-compat
libdaemon
libdatrie
libdc1394
libdca
libdmapsharing
libdrm
libdv
libdvbpsi
libdvdnav
libdvdread
libe-book
libebml
libechonest
libedit
libelf
libepoxy
libetonyek
libevdev
libevent
libexif
libexttextcat
libfbclient
libfdk-aac
libffi
libfilezilla
libfontenc
libfreexl
libgcrypt
libgdata
libgdiplus
libgdm
libgee
libgeotiff
libgit2
libgit2-glib
libgksu
libglade
libglvnd
libgme
libgnome-keyring
libgnomekbd
libgpg-error
libgpod
libgrss
libgsf
libgssglue
libgtop
libgudev
libgusb
libgweather
libgxps
libibus
libical
libice
libid3tag
libidn
libiec61883
libimobiledevice
libinput
libiodbc
libiptcdata
libisoburn
libisofs
libixion
libjpeg-turbo
libkate
libkeybinder2
libkeybinder3
libksba
liblangtag
liblastfm
libldap
liblqr
liblrdf
libmad
libmariadbclient
libmatroska
libmbim
libmcrypt
libmediaart
libmikmod
libmm-glib
libmms
libmng
libmnl
libmodplug
libmp4v2
libmpc
libmpcdec
libmpeg2
libmspub
libmtp
libmusicbrainz5
libmwaw
libmygpo-qt
libnautilus-extension
libndp
libnetfilter_conntrack
libnewt
libnfnetlink
libnfs
libnftnl
libnghttp2
libnice
libnl
libnm
libnm-glib
libnotify
liboauth
libodfgen
libofa
libogg
libomxil-bellagio
liborcus
libosinfo
libpagemaker
libpaper
libpcap
libpciaccess
libpeas
libpgm
libphonenumber
libpipeline
libplist
libpng
libproxy
libpsl
libpst
libpulse
libpwquality
libqmi
libquvi
libquvi-scripts
libraw1394
libreoffice-fresh
librevenge
librsvg
libsamplerate
libsasl
libsass
libseccomp
libsecret
libshout
libsidplay
libsigc++
libsigsegv
libsm
libsndfile
libsodium
libsoup
libsoxr
libspatialite
libspectre
libspiro
libsrtp
libssh
libssh2
libstemmer
libsynctex
libsystemd
libtar
libtasn1
libteam
libthai
libtheora
libtiff
libtiger
libtirpc
libtommath
libtool
libtorrent-rasterbar
libtracker-sparql
libtxc_dxtn
libunibreak
libunicodenames
libunique
libunistring
libunwind
libupnp
libusb
libusbmuxd
libutempter
libutil-linux
libuv
libva
libva-intel-driver
libvdpau
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwbclient
libwebp
libwmf
libwnck3
libwpd
libwpg
libwps
libx11
libx264
libx264-all
libxau
libxaw
libxcb
libxcomposite
libxcursor
libxdamage
libxdmcp
libxext
libxfixes
libxfont
libxfont2
libxft
libxi
libxinerama
libxkbcommon
libxkbcommon-x11
libxkbfile
libxkbui
libxklavier
libxml2
libxmu
libxpm
libxrandr
libxrender
libxres
libxshmfence
libxslt
libxss
libxt
libxtst
libxv
libxvmc
libxxf86vm
libyaml
libytnef
libzip
libzmf
licenses
linux
linux-api-headers
linux-firmware
linux-headers
linux-lts
linux-lts-headers
llvm-libs
lm_sensors
logrotate
lpsolve
lrzip
lsof
lua
lua52
lua52-bitop
lua52-expat
lua52-lpeg
lua52-luajson
lua52-socket
lvm2
lz4
lzo
lzop
m4
make
man-db
man-pages
mariadb
mariadb-clients
mcpp
mdadm
megamario
mesa
mesa-demos
mime-types
minizip
mjpegtools
mkinitcpio
mkinitcpio-busybox
mobile-broadband-provider-info
mod_dnssd
modemmanager
mono
mousetweaks
mozilla-common
mpfr
mpg123
mtdev
mtools
mutagen
mutter
mysql-connector-c++
mysql-python
mysql-workbench
nano
nautilus
nautilus-sendto
ncurses
neon
net-tools
netcdf
netctl
nettle
network-manager-applet
networkmanager
nilfs-utils
nm-connection-editor
nodejs
noto-fonts
npth
nspr
nss
ntfs-3g
numactl
numix-circle-icon-theme-git
numix-icon-theme-git
ocl-icd
oniguruma
openal
opencore-amr
opencv
openexr
openjpeg
openjpeg2
openmpi
openresolv
openssh
openssl
openssl-1.0
opus
orc
os-prober
osinfo-db
p11-kit
p7zip
pacaur
package-query
pacman
pacman-mirrorlist
pam
pambase
pango
pangomm
pangox-compat
paper-icon-theme-git
parallel
partclone
parted
partimage
patch
pavucontrol
pbzip2
pciutils
pcmciautils
pcre
pcre2
pcsclite
perl
perl-crypt-openssl-bignum
perl-crypt-openssl-random
perl-crypt-openssl-rsa
perl-crypt-ssleay
perl-digest-hmac
perl-digest-sha1
perl-encode-locale
perl-error
perl-file-basedir
perl-file-listing
perl-file-which
perl-html-parser
perl-html-tagset
perl-http-cookies
perl-http-daemon
perl-http-date
perl-http-message
perl-http-negotiate
perl-io-html
perl-io-socket-inet6
perl-io-socket-ssl
perl-ipc-system-simple
perl-libwww
perl-lwp-mediatypes
perl-lwp-protocol-https
perl-mail-dkim
perl-mail-spf
perl-mailtools
perl-mozilla-ca
perl-net-dns
perl-net-http
perl-net-ip
perl-net-ssleay
perl-netaddr-ip
perl-parse-yapp
perl-path-class
perl-socket6
perl-timedate
perl-try-tiny
perl-uri
perl-www-robotrules
php
php-apache
php-gd
php-mcrypt
php-tidy
phpmyadmin
phpstorm
phpstorm-jre
pigz
pinentry
pixman
pixz
pkg-config
pkgcacheclean
playonlinux
pm2ml
polkit
poppler
poppler-glib
popt
portaudio
postgresql-libs
potrace
powerpill
powertop
ppp
princexml
procps-ng
progsreiserfs
proj
protobuf
psmisc
pth
pulseaudio
pulseaudio-alsa
pulseaudio-bluetooth
pyalpm
pygobject-devel
pygobject2-devel
pygtk
pyqt4-common
python
python-appdirs
python-atspi
python-cairo
python-chardet
python-clint
python-dbus
python-dbus-common
python-docopt
python-fudge
python-gobject
python-idna
python-jedi
python-mutagen
python-packaging
python-pip
python-pyparsing
python-pyqt4
python-requests
python-setuptools
python-simplejson
python-sip
python-six
python-soundcloud-git
python-termcolor
python-urllib3
python-xdg
python2
python2-appdirs
python2-asn1crypto
python2-atspi
python2-attrs
python2-automat
python2-cairo
python2-cffi
python2-chardet
python2-click
python2-constantly
python2-crypto
python2-cryptography
python2-dbus
python2-ecdsa
python2-enum34
python2-gobject
python2-gobject2
python2-idna
python2-incremental
python2-ipaddress
python2-keybinder2
python2-notify
python2-numpy
python2-packaging
python2-paramiko
python2-pexpect
python2-pip
python2-ply
python2-psutil
python2-ptyprocess
python2-pyasn1
python2-pycparser
python2-pyopenssl
python2-pyparsing
python2-setuptools
python2-six
python2-twisted
python2-xdg
python2-zope-interface
python3-aur
python3-memoizedb
python3-threaded_servers
python3-xcgf
python3-xcpf
q7z
qca-qt4
qemu
qemu-arch-extra
qjson
qt4
qt5-base
randrproto
raptor
rarcrack
rasqal
rdesktop
re2
re2c
readline
recode
recordproto
redland
reflector
reiserfsprogs
renderproto
rest
rfkill
rhino
rsync
rtkit
rtmpdump
ruby
run-parts
s-nail
samba
sassc
sbc
schroedinger
screenruler
scrnsaverproto
sdl
sdl2
sdl_image
sdl_mixer
sdl_net
sdl_sound
sdl_ttf
seabios
sed
sg3_utils
shadow
shared-color-targets
shared-mime-info
sip
slack-desktop
slang
smbclient
smpeg
snappy
sound-theme-freedesktop
soundcloud-dl-git
soundtouch
spamassassin
spandsp
speech-dispatcher
speex
speexdsp
spice
sqlite
sqlitebrowser
sshfs
startup-notification
sudo
sushi
swig
sysfsutils
systemd
systemd-sysvcompat
t1lib
taglib
talloc
tar
tcl
tdb
telepathy-farstream
telepathy-glib
telepathy-logger
telepathy-mission-control
terminator
tevent
texinfo
texlive-bin
texlive-core
texlive-latexextra
thermald
thin-provisioning-tools
thunderbird
tidy
tinyxml
tomcat-native
tomcat8
totem
totem-plparser
tracker
transmission-qt
tslib
ttf-dejavu
ttf-droid
ttf-lcsmith-typewriter
ttf-ms-fonts
ttf-roboto
tzdata
udisks2
uget
unace
unixodbc
unrar
unrar-free
unzip
upower
usbmuxd
usbredir
usbutils
util-linux
v4l-utils
vala
valgrind
vde2
vertex-themes
vi
vid.stab
videoproto
vino
virglrenderer
vlc
vsqlite++
vte
vte-common
vte3
vulkan-icd-loader
wavpack
wayland
wayland-protocols
webkit2gtk
webkitgtk
webkitgtk2
webrtc-audio-processing
wget
which
wildmidi
wine
wine-mono
wine_gecko
winetricks-git
wireless-regdb
wpa_supplicant
wxgtk-common
wxgtk2
wxpython
x265
xapian-core
xbitmaps
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdg-user-dirs
xdg-user-dirs-gtk
xdg-utils
xextproto
xf86-input-evdev
xf86-input-libinput
xf86-video-intel
xf86vidmodeproto
xfsprogs
xine-lib
xineramaproto
xkeyboard-config
xorg-bdftopcf
xorg-font-util
xorg-font-utils
xorg-fonts-alias
xorg-fonts-encodings
xorg-fonts-misc
xorg-luit
xorg-mkfontdir
xorg-mkfontscale
xorg-server
xorg-server-common
xorg-server-xwayland
xorg-setxkbmap
xorg-xauth
xorg-xhost
xorg-xkbcomp
xorg-xrandr
xorg-xrdb
xorg-xset
xproto
xterm
xvidcore
xz
yajl
yaourt
yelp
yelp-xsl
youtube-dl
zeitgeist
zenity
zeromq
zip
zita-alsa-pcmi
zita-resampler
zlib
zukitwo-themes
zvbi
zziplib

loqs · 2017-06-12 16:58:19

convert belongs to imagemagick.

seth · 2017-06-12 16:59:01

convert belongs to imagemagick, so these are images.
you could move convert to convert.bin and replace it by a script

#!/bin/sh
convert.bin "$@"
sleep 30

To (hopefully) get you some time to look at that image and maybe see what it is related to.

loqs · 2017-06-12 17:01:51

@seth possibly add in logging what the parent process is as well to see what is starting imagemagick?
Edit:
Or the full path of the executable the PPID belongs.

Last edited by loqs (2017-06-12 17:03:19)

seth · 2017-06-12 17:10:12

Certainly worth a shot but expect $PPID to be a short-term shell (idk how fatrace works, but convert is not invoked using an absolute path...)

Edit:

cat /proc/$PPID/cmdline >> /tmp/lookwhosspammingme

Last edited by seth (2017-06-12 17:11:32)

varun · 2017-06-12 17:22:54

Thanks seth, I found the cultprit with pure luck,

$ pstree -sA $(pgrep badblocks) | grep "color"
        |-colord-+-{gdbus}
        |-elegance-colors---convert
        |     |                 |                 |                 |-gsd-color-+-{dconf worker}
        |     |                 |                 |                 |-gsd-color-+-{dconf worker}

while looking at ps tree, instead of convert I accidentally filtered color, and caught it.
killing elegance-colors solved it

Last edited by varun (2017-06-12 17:23:26)

seth · 2017-06-12 20:00:50

Cool, did you file a bug upstream (for one this behavior sounds wrong and also using $HOME instead of some tmpfs mount is prone to kill your disk)

Also please always tag a thread as [SOLVED] by editing your first post, once you're satisfied.

varun · 2017-06-13 08:07:33

Thanks for tip. I marked this topic solved. The aur package or repo haven't been updated since more than 2 years. So I flagged it out of date.

Last edited by varun (2017-06-13 08:08:47)

Arch Linux

#1 2017-06-12 14:40:30

[SOLVED]Random files in home directory

#2 2017-06-12 15:03:46

Re: [SOLVED]Random files in home directory

#3 2017-06-12 15:26:32

Re: [SOLVED]Random files in home directory

#4 2017-06-12 16:35:22

Re: [SOLVED]Random files in home directory

#5 2017-06-12 16:46:49

Re: [SOLVED]Random files in home directory

#6 2017-06-12 16:58:19

Re: [SOLVED]Random files in home directory

#7 2017-06-12 16:59:01

Re: [SOLVED]Random files in home directory

#8 2017-06-12 17:01:51

Re: [SOLVED]Random files in home directory

#9 2017-06-12 17:10:12

Re: [SOLVED]Random files in home directory

#10 2017-06-12 17:22:54

Re: [SOLVED]Random files in home directory

#11 2017-06-12 20:00:50

Re: [SOLVED]Random files in home directory

#12 2017-06-13 08:07:33

Re: [SOLVED]Random files in home directory

Board footer