LinuxQuestions.org


Chuck23 09-06-2004 12:45 PM

secret cookie?
 
I discovered a directory under /tmp called mcop-chuck, and in the directory, I found a file called secret-cookie. The directory and file were only there for one user. What is this? Who put it there?

In the same /tmp directory, I noticed directories called orbit-<user>. In these directories, there is an executable file called bonobo-activation-register.lock, along with a number of files that appear to be linked somewhere (How can I trace the link?) with names that all start with linc, for example linc-144a-0-58129fc24f9a9. When I run netstat -an I get a lot of CONNECTED to that particular directory. What does all of this mean?

Also, is there a quick and dirty way to close all internet ports?

Thanks.

Chuck23 09-06-2004 03:40 PM

I could really use some help here. What is this "secret-cookie" thing, and how did it get there? It's making me a little paranoid.

Would changing permissions on the subdirectories in /tmp be advisable? I can't see any reason why any other user besides myself would need permission to read, write, or execute in any of the directories with my name on them. Even then, though, somebody could probably slip something in there through a bit of software/server running on my behalf, couldn't they?

Would removing the entire contents of the /tmp directory mess anything up? I've just got a hunch that something nasty is lurking in there.

Also, as a general matter, I would really like to be able to know how to trace a link -- I can see that certain files are linked, but it's driving me nuts trying to figure out what they're linked to.

Thanks again.

Capt_Caveman 09-06-2004 04:09 PM

http://www.arts-project.org/doc/hand...-security.html

These are standard files used for authentication and are completely normal as are the orbit files (probably Gnome subprocess). The netstat results you are seeing are likely the Unix domain sockets used by XFree86 (the xserver) for local communication and are not the same thing as standard IP sockets that would be used to connect over the internet. Do netstat -pantu to see the IP sockets instead.

Changing /tmp permissions will probably break a lot of stuff. A lot of applications that run unprivileged will need to be able to write to tmp in order to function.

itsjustme 09-06-2004 04:11 PM

I searched around google a little about that but didn't find anything definitive.
I saw links that had a mcop-murty and an mcop-brandan with secret-cookies, but no discussion about the secret cookie. It doesn't appear to be a 'bad thing', but I would be concerned also if they were on my machine.

I searched on my SlackWare machine and I don't have an mcop-somename or a file named 'secret-cookie'.
I do have directories /tmp/mc-bs and a /tmp/orbit-bs, but they are both empty.

Capt_Caveman 09-06-2004 04:11 PM

Also, is there a quick and dirty way to close all internet ports?
Aside from unplugging it from the internet ;) You can do:

iptables -I INPUT -j DROP

or to completely cut off network access:

service network stop

Chuck23 09-06-2004 08:00 PM

Very helpful -- thanks. Just one last thing: How can I see where a link leads?

Capt_Caveman 09-06-2004 09:41 PM

ls -al should do the trick.
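
The checks discussed in this thread, as an added example that is not from any of the posters: shell functions that report what each entry in a per-user /tmp directory is (a symlink and its target, a socket, a regular file) and whether the directory or its regular files are accessible beyond the owner. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: inspect a per-user directory such as /tmp/mcop-<user>
# or /tmp/orbit-<user>. Function names are hypothetical.

# classify PATH -> prints the entry type; for a symlink, also its target.
classify() {
    if [ -L "$1" ]; then
        printf 'symlink -> %s\n' "$(readlink "$1")"
    elif [ -S "$1" ]; then
        printf 'socket\n'          # Unix domain socket, not an IP socket
    elif [ -d "$1" ]; then
        printf 'directory\n'
    elif [ -f "$1" ]; then
        printf 'file\n'
    else
        printf 'other\n'
    fi
}

# others_can_access PATH -> exit 0 if any group/other permission bit is set.
others_can_access() {
    mode=$(stat -c '%a' "$1") || return 2   # octal mode, e.g. 700 (GNU stat)
    [ $((mode % 100)) -ne 0 ]               # last two octal digits = group, other
}

# audit_dir DIR -> one line per entry, with a warning when the directory
# itself or a regular file inside it is open to group/other.
audit_dir() {
    dir=$1
    if others_can_access "$dir"; then
        printf 'WARN %s is accessible by group/other\n' "$dir"
    fi
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # skip unmatched globs
        kind=$(classify "$entry")
        flag=
        if [ "$kind" = file ] && others_can_access "$entry"; then
            flag=' [group/other access]'
        fi
        printf '%s: %s%s\n' "${entry##*/}" "$kind" "$flag"
    done
}

# Usage: sh audit.sh /tmp/orbit-yourname
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```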


All times are GMT -5.