Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I discovered a directory under /tmp called mcop-chuck, and in the directory, I found a file called secret-cookie. The directory and file were only there for one user. What is this? Who put it there?
In the same /tmp directory, I noticed directories called orbit-<user>. In these directories, there is an executable file called bonobo-activation-register.lock, along with a number of files that appear to be linked somewhere (How can I trace the link?) with names that all start with linc, for example linc-144a-0-58129fc24f9a9. When I run netstat -an I get a lot of CONNECTED to that particular directory. What does all of this mean?
Also, is there a quick and dirty way to close all internet ports?
I could really use some help here. What is this "secret-cookie" thing, and how did it get there? It's making me a little paranoid.
Would changing permissions on the subdirectories in /tmp be advisable? I can't see any reason why any other user besides myself would need permission to read, write, or execute in any of the directories with my name on them. Even then, though, somebody could probably slip something in there through a bit of software/server running on my behalf, couldn't they?
Would removing the entire contents of the /tmp directory mess anything up? I've just got a hunch that something nasty is lurking in there.
Also, as a general matter, I would really like to be able to know how to trace a link -- I can see that certain files are linked, but it's driving me nuts trying to figure out what they're linked to.
These are standard files used for authentication and are completely normal, as are the orbit files (probably Gnome subprocess). The netstat results you are seeing are likely the Unix domain sockets used by XFree86 (the xserver) for local communication and are not the same thing as standard IP sockets that would be used to connect over the internet. Do netstat -pantu to see the IP sockets instead.
Changing /tmp permissions will probably break a lot of stuff. A lot of applications that run unprivileged will need to be able to write to tmp in order to function.
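An added example, not code from either post, that makes the two points above concrete: separating the Unix domain socket lines in netstat output from the INET sockets that are actually reachable from the network, and tracing a link hop by hop; the netstat text inside it is constructed to resemble `netstat -an` output, not captured from anyone's machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Two things the posts above touch on:
# (1) telling Unix domain sockets (local IPC, like the /tmp/orbit-<user>/linc-*
#     entries) apart from INET sockets that are reachable over the network, and
# (2) tracing a link hop by hop. The netstat text below is constructed to
#     resemble `netstat -an` output; it is not captured from the poster's machine.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  3      [ ]         STREAM     CONNECTED     12345  /tmp/orbit-chuck/linc-144a-0-58129fc24f9a9
unix  2      [ ACC ]     STREAM     LISTENING     12344  /tmp/orbit-chuck/linc-144a-0-58129fc24f9a9
unix  3      [ ]         STREAM     CONNECTED     9876   /tmp/.X11-unix/X0'

# Lines whose protocol column is "unix" are local IPC only; nothing on the
# network can reach them, whatever their State column says.
count_unix_sockets() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '$1 == "unix"' | wc -l | tr -d ' '
}

# INET sockets bound to something other than loopback are the ones that matter
# for "which ports are open to the internet" (what `netstat -pantu` shows live).
count_exposed_inet() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
        | awk '$1 ~ /^(tcp|udp)/ && $4 !~ /^127\./ && $4 !~ /^::1/' \
        | wc -l | tr -d ' '
}

# Follow a symlink chain one hop at a time, printing each hop, then the final
# non-link path. Relative targets are resolved against the link's directory.
# Note: the linc-* entries are sockets (first character "s" in `ls -l`), not
# symlinks ("l"), so there is no link target to follow for them.
trace_link() {
    p=$1
    while [ -L "$p" ]; do
        target=$(readlink "$p")
        case $target in
            /*) ;;
            *) target="$(dirname "$p")/$target" ;;
        esac
        printf '%s -> %s\n' "$p" "$target"
        p=$target
    done
    printf '%s\n' "$p"
}
```

On a live system, replace the sample with `netstat -an` output (or `ss -xp` for Unix sockets with owning processes) and point `trace_link` at any `/tmp` entry that `ls -l` shows with a leading `l`.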
I searched around google a little about that but didn't find anything definitive.
I saw links that had a mcop-murty and an mcop-brandan with secret-cookies, but no discussion about the secret cookie. It doesn't appear to be a 'bad thing', but I would be concerned also if they were on my machine.
I searched on my Slackware machine and I don't have an mcop-somename or a file named 'secret-cookie'.
I do have directories /tmp/mc-bs and a /tmp/orbit-bs, but they are both empty.