strange files

To: Debian User Mailing List <debian-user@lists.debian.org>
Subject: strange files
From: Peter Lieverdink <debian-user@cafuego.net>
Date: Mon, 19 Sep 2005 15:23:49 +1000
Message-id: <[🔎] 1127107429.28919.52.camel@localhost.localdomain>

Hi all,

I came across something odd this morning on a Sarge production server I
manage remotely. The machine runs a self-compiled 2.6.12.2 kernel and I
keep it up to date with security fixes. (I run upgrades and
dist-upgrades when I get email from debian-security-announce).

The box is an HP/Compaq somethingorother server with the following
controller:

0000:04:03.0 RAID bus controller: Compaq Computer Corporation Smart
Array 64xx (rev 01). The filesystem is ext3 on 2x160GB hardware RAID1.
The box has 3 GB ECC RAM. None of the hardware reports any failure of
any kind.

The weird this is that there are six files in / that should not be
there. 'ls -l' gives me:

-rw-rw-rw-   1 root root    0 2005-08-17 23:08 ?
-rw-rw-rw-   1 root root    0 2005-08-18 23:08 ?
-rw-rw-rw-   1 root root    0 2005-09-06 23:13 ?
-rw-rw-rw-   1 root root    0 2005-08-17 23:08 ???
-rw-rw-rw-   1 root root    0 2005-08-18 23:08 ???
-rw-rw-rw-   1 root root    0 2005-09-06 23:13 ???

Not useful.

I wrote a little C app that runs readdir() on / and gives me all the
filenames as strings and a char[] cast into int. With an utf8 console I
get the filenames as a series of squares now, but what I find more
interesting is that when I print off the integer values of each of the
chars in the filenames, I get this:

dir='/', file='', char[] = -10,-73,-128
dir='/', file='?', char[] = -10,-73,-80,-110,25,8
dir='/', file='', char[] = -14,-73,-128
dir='/', file='򷰒', char[] = -14,-73,-80,-110,25,8
dir='/', file='', char[] = -16,-73,-128
dir='/', file='𷰒', char[] = -16,-73,-80,-110,25,8

... negative numbers? (The strings won't paste properly). 

I've forced fsck, which doesn't find anything out of the ordinary. I've
run chkrootkit, which finds nothing. I've checked the logs, which list a
few childish attempts at burglary via proftpd, but not anything I'm
going to lsoe sleep over, and nothing else of interest. I'm not saying
the box hasn't been compromised, but if it has, I'd like to find out HOW
before I do anything else.

I've just tried to create a file with the characters -10, -72, -80,
-110, 25, 8 as filename, and got a completely different result.

Does anyone have any suggestion as to what may be going on? I'm pretty
much at a loss.

- P.

Reply to:

Follow-Ups:
- Re: strange files
  - From: David Clymer <david@zettazebra.com>

Prev by Date: image viewer which supports auto-refresn and partial images?
Next by Date: Never to miss a great incest site in the Internet
Previous by thread: Re: image viewer which supports auto-refresn and partial images?
Next by thread: Re: strange files
Index(es):
- Date
- Thread