/tmp full of tmp.X files

Adam Stevenson adamstevenson at gmail.com
Tue Sep 11 14:57:38 MDT 2012


Rootkit release. :)

On Tue, Sep 11, 2012 at 2:35 PM, Ryan Byrd <ryanbyrd at gmail.com> wrote:
> All-
>
> Imagine there is a CentOS release 5.5 server where /tmp keeps getting
> filled up with zero-length files. Bijillions of them. Watch:
>
> [root at server/]# mv /tmp /tmpold; mkdir /tmp; chmod 777 /tmp
> [root at server/]# ls /tmp
> [root at server/]# ls /tmp
> tmp.Ce2761  tmp.EZ2746  tmp.fI2847  tmp.pD2819  tmp.rg2791  tmp.ri2805
> tmp.tk2776  tmp.WX2833  tmp.yr2728  uploading_01878.jpg9X250p
> [root at server/]# ls /tmp
> tmp.Bv2989  tmp.ed2960  tmp.fI2847  tmp.JC2915  tmp.mB2930  tmp.pD2819
> tmp.ri2805  tmp.tk2776  tmp.yr2728  uploading_01879.jpgHXxLmh
> tmp.Ce2761  tmp.EZ2746  tmp.ip3017  tmp.jp3031  tmp.OE2975  tmp.rg2791
> tmp.Tg3003  tmp.WX2833  tmp.ZV2945
> [root at server/]# ls /tmp
> tmp.bK3474  tmp.dK3610  tmp.fI2847  tmp.hB3280  tmp.JC2915  tmp.lK4179
> tmp.MT3055  tmp.pD2819  tmp.rg2791  tmp.tf3308  tmp.vA3999  tmp.wR3085
> tmp.YQ3832
> tmp.Bv2989  tmp.DO3893  tmp.FQ3129  tmp.hi3386  tmp.jp3031  tmp.ll3100
> tmp.MT3640  tmp.pI4252  tmp.ri2805  tmp.Tg3003  tmp.vg4101  tmp.Wv4389
> tmp.yr2728
> tmp.bx3595  tmp.dV3252  tmp.FS3207  tmp.HN3428  tmp.JT3340  tmp.lV3371
> tmp.Mu3846  tmp.pi4453  tmp.Rp3979  tmp.tk2776  tmp.VP4554  tmp.WX2833
> tmp.Yu4132
> tmp.by3143  tmp.ed2960  tmp.fw4287  tmp.HU4526  tmp.Ju4317  tmp.mB2930
> tmp.nf4361  tmp.po3863  tmp.RQ4029  tmp.tp4498  tmp.vR4347  tmp.xD4540
> tmp.Yv3459
> tmp.Ce2761  tmp.Ef3237  tmp.ga3400  tmp.Ie3294  tmp.jx4266  tmp.Mc3683
> tmp.nI3937  tmp.PU3965  tmp.ru3157  tmp.UM3533  tmp.vV3775  tmp.XO3818
> tmp.yw3711
> tmp.Cf4512  tmp.En4224  tmp.gb3489  tmp.ie3442  tmp.Jy3355  tmp.Md3625
> tmp.Nq3878  tmp.pw4059  tmp.Rz4073  tmp.UM4210  tmp.Wj3908  tmp.XS4438
> tmp.zd3790
> tmp.Cg3760  tmp.Ew4044  tmp.GB4302  tmp.iO3923  tmp.kZ4404  tmp.MG3070
> tmp.nT3669  tmp.Qi3414  tmp.Su3575  tmp.Uu3561  tmp.wl4375  tmp.Xw3171
> tmp.zi3547
> tmp.cN3730  tmp.EZ2746  tmp.gm4087  tmp.ip3017  tmp.Lb3745  tmp.mi3504
> tmp.OE2975  tmp.Qz4164  tmp.sw3655  tmp.uY3804  tmp.wN3519  tmp.yo4014
> tmp.ZV2945
> tmp.dE3115  tmp.fd3222  tmp.gQ3325  tmp.Iu4115  tmp.lB3951  tmp.ML4238
> tmp.op4483  tmp.rb4195  tmp.sY3266  tmp.Uy4332  tmp.wo3192  tmp.yP3697
> tmp.zW4468
> [root at server/]# ls -alh /tmp/tmp.EZ2746
> -rw-r--r-- 1 root root 0 Sep 11 14:31 /tmp/tmp.EZ2746
>
> But when I do a lsof|grep /tmp, I don't see any process writing these tmp.X
> files.
>
> Ideas on what is causing this?
>
> Ryan
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

