strange files on irix - SGI

This is a discussion on strange files on irix - SGI ; Any clue about these files -rw-r--r-- 1 root sys 836 Jan 8 1970 /usr/bin/cfgea -rw-r--r-- 1 root sys 780 Jan 1 1970 /usr/bin/eadp -rw-r--r-- 1 root sys 1736 Jan 23 1970 /usr/etc/dpeta ? Apparently no packages owns them. -- wave++ ...

+ Reply to Thread
Results 1 to 12 of 12

Thread: strange files on irix

  1. strange files on irix

    Any clue about these files

    -rw-r--r-- 1 root sys 836 Jan 8 1970 /usr/bin/cfgea
    -rw-r--r-- 1 root sys 780 Jan 1 1970 /usr/bin/eadp
    -rw-r--r-- 1 root sys 1736 Jan 23 1970 /usr/etc/dpeta

    ?

    Apparently no packages owns them.

    --
    wave++ (also known, in some places, as "Yuri D'Elia") http://www.yuv.info/
    The email address is fake (thanks swen)! You know how to contact me anyway.

  2. Re: strange files on irix

    In article ,
    wave++ wrote:
    :Any clue about these files

    : -rw-r--r-- 1 root sys 836 Jan 8 1970 /usr/bin/cfgea
    : -rw-r--r-- 1 root sys 780 Jan 1 1970 /usr/bin/eadp
    : -rw-r--r-- 1 root sys 1736 Jan 23 1970 /usr/etc/dpeta

    :Apparently no packages owns them.

    Not part of any IRIX 6.5 package that I have loaded. Based on the size,
    I'd say they are likely scripts
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey

  3. Re: strange files on irix

    In article , Walter Roberson wrote:
    >:Any clue about these files
    >
    >: -rw-r--r-- 1 root sys 836 Jan 8 1970 /usr/bin/cfgea
    >: -rw-r--r-- 1 root sys 780 Jan 1 1970 /usr/bin/eadp
    >: -rw-r--r-- 1 root sys 1736 Jan 23 1970 /usr/etc/dpeta
    >
    >:Apparently no packages owns them.
    >
    > Not part of any IRIX 6.5 package that I have loaded. Based on the size,
    > I'd say they are likely scripts


    Nope.

    % file /usr/etc/dpeta
    /usr/etc/dpeta: text with garbage

    % xxd /usr/etc/dpeta|head -20
    0000000: 0000 5f00 0000 32e6 0000 3f3d 0000 61da .._...2...?=..a.
    0000010: 0000 314a 0000 4911 0000 7ff3 0000 7c03 ..1J..I.......|.
    0000020: 0000 14ac 0000 6129 0000 6e59 0000 0834 ......a)..nY...4
    0000030: 0000 0ae0 0000 4748 0000 30ac 0000 3014 ......GH..0...0.
    0000040: 0000 1429 0000 3567 0000 61ed 0000 478d ...)..5g..a...G.
    0000050: 0000 70fb 0000 319b 0000 796f 0000 0b6f ..p...1...yo...o
    0000060: 0000 526b 0000 1412 0000 1f21 0000 2dc4 ..Rk.......!..-.
    0000070: 0000 2555 0000 70cd 0000 789c 0000 4bf1 ..%U..p...x...K.
    0000080: 0000 644f 0000 611b 0000 3aeb 0000 2a91 ..dO..a...:...*.
    0000090: 0000 1c51 0000 68d9 0000 0d1e 0000 5311 ...Q..h.......S.
    00000a0: 0000 1020 0000 736b 0000 078d 0000 6f0b ... ..sk......o.
    00000b0: 0000 267f 0000 2478 0000 5bed 0000 7d64 ..&...$x..[...}d
    00000c0: 0000 0f15 0000 7869 0000 7214 0000 3d24 ......xi..r...=$
    00000d0: 0000 4a1d 0000 70a1 0000 058c 0000 6a18 ..J...p.......j.
    00000e0: 0000 7ed0 0000 477a 0000 0fd9 0000 2729 ..~...Gz......')
    00000f0: 0000 4c92 0000 6802 0000 0b8a 0000 327b ..L...h.......2{
    0000100: 0000 02de 0000 257a 0000 5c02 0000 3f45 ......%z..\...?E
    0000110: 0000 6bf3 0000 6e8a 0000 6604 0000 1173 ..k...n...f....s
    0000120: 0000 163c 0000 7846 0000 2500 0000 36fd ...<..xF..%...6.

    Seems like a data file...

    --
    wave++ (also known, in some places, as "Yuri D'Elia") http://www.yuv.info/
    The email address is fake (thanks swen)! You know how to contact me anyway.

  4. Re: strange files on irix

    Dans article ,
    wavexx@oblio.yuv.info disait...
    >
    > Nope.
    >
    > % file /usr/etc/dpeta
    > /usr/etc/dpeta: text with garbage
    >


    Rootkit, perhaps?

    --
    Quis, quid, ubi, quibus auxiliis, cur, quomodo, quando?

  5. Re: strange files on irix

    >
    > : -rw-r--r-- 1 root sys 836 Jan 8 1970 /usr/bin/cfgea
    > : -rw-r--r-- 1 root sys 780 Jan 1 1970 /usr/bin/eadp
    > : -rw-r--r-- 1 root sys 1736 Jan 23 1970 /usr/etc/dpeta
    >
    > :Apparently no packages owns them.
    >
    > Not part of any IRIX 6.5 package that I have loaded. Based on the size,
    > I'd say they are likely scripts


    hrmm.. seems I have these also..

    -rw-r--r-- 1 root sys 1148 Jan 8 1970 /usr/bin/cfgea
    -rw-r--r-- 1 root sys 1888 Dec 31 1969 /usr/bin/eadp
    -rw-r--r-- 1 root sys 400 Jan 23 1970 /usr/etc/dpeta

    dunno what these are from ..


  6. Re: strange files on irix

    In article <3F89D4E8.A6D76EEB@comcast.net>, mike wrote:
    >> Not part of any IRIX 6.5 package that I have loaded. Based on the size,
    >> I'd say they are likely scripts

    >
    > hrmm.. seems I have these also..
    >
    > -rw-r--r-- 1 root sys 1148 Jan 8 1970 /usr/bin/cfgea
    > -rw-r--r-- 1 root sys 1888 Dec 31 1969 /usr/bin/eadp
    > -rw-r--r-- 1 root sys 400 Jan 23 1970 /usr/etc/dpeta
    >
    > dunno what these are from ..


    I installed/removed a lot of programs so far from IRIX cds, even some
    demos from the companion CDs. Maybe some uninstallation script forgot to
    remove them?

    --
    wave++ (also known, in some places, as "Yuri D'Elia") http://www.yuv.info/
    The email address is fake (thanks swen)! You know how to contact me anyway.

  7. Re: strange files on irix

    Emmanuel Florac wrote:

    > Dans article ,
    > wavexx@oblio.yuv.info disait...
    >
    >>Nope.
    >>
    >>% file /usr/etc/dpeta
    >>/usr/etc/dpeta: text with garbage
    >>

    >
    >
    > Rootkit, perhaps?
    >

    Based on the time stamps I would also think the files are a result of an
    attack. Check your /etc/passwd for accounts you did not add yourself.
    /John


  8. Re: strange files on irix

    John Damm Sørensen wrote:
    > Emmanuel Florac wrote:
    >
    >> Dans article ,
    >> wavexx@oblio.yuv.info disait...
    >>
    >>> Nope.
    >>>
    >>> % file /usr/etc/dpeta /usr/etc/dpeta: text with garbage
    >>>

    >>
    >>
    >> Rootkit, perhaps?
    >>

    > Based on the time stamps I would also think the files are a result of an
    > attack. Check your /etc/passwd for accounts you did not add yourself.
    > /John
    >


    I have the same files on one of my SGI boxes but not the other. The
    stat command shows me that the files all are similar:

    cfgea:
    inode 4229524; dev 126; links 1; size 1824
    regular; mode is rw-r--r--; uid 0 (root); gid 0 (sys)
    projid 0 st_fstype: xfs
    change time - Wed Aug 14 11:49:41 2002 <1029343781>
    access time - Mon Oct 13 15:47:11 2003 <1066078031>
    modify time - Thu Jan 8 06:00:00 1970 <648000>

    Looking back in /var/inst/INSTLOG I see I upgraded to 6.5.17f and
    installed/upgraded some freeware on August 14, 2002. Still not a clue
    what those files are though.

    (The INSTLOG came from the machine without the files, the other INSTLOG
    appears to start later, does inst automatically prune that file when it
    gets too large?)

    Jeff Long


  9. Re: strange files on irix

    Jeff Long wrote:
    > John Damm Sørensen wrote:
    >> Emmanuel Florac wrote:
    >>> Dans article ,
    >>>
    >>>> Nope.
    >>>>
    >>>> % file /usr/etc/dpeta /usr/etc/dpeta: text with garbage
    >>>
    >>> Rootkit, perhaps?
    >>>

    >> Based on the time stamps I would also think the files are a result of an
    >> attack. Check your /etc/passwd for accounts you did not add yourself.
    >> /John

    >
    > I have the same files on one of my SGI boxes but not the other. The
    > stat command shows me that the files all are similar:
    >
    > cfgea:
    > inode 4229524; dev 126; links 1; size 1824
    > regular; mode is rw-r--r--; uid 0 (root); gid 0 (sys)
    > projid 0 st_fstype: xfs
    > change time - Wed Aug 14 11:49:41 2002 <1029343781>
    > access time - Mon Oct 13 15:47:11 2003 <1066078031>
    > modify time - Thu Jan 8 06:00:00 1970 <648000>


    Well, I didn't know what these were either. However, I noticed that I
    had a line in my SYSLOG matching the exact date and time of the change
    time for cfgea. It turns out that these files are created by tfxd (the
    Teleffect daemon).

    You can test this by stopping tfxd (/etc/init.d/tfxd stop), renaming
    the files, and then restarting txfd. The files will return.

    And to make sure you can run par on tfxd, and you'll see that it does
    in fact check for the existence of these files and creates them if they
    don't exist.

    (Yet, another reason why tfxd should've been chkconfig'ed off by
    default... but what do I know, I'm only a lowly engineer...

    Ivan
    --
    Ivan Rayner
    ivanr@sgi.com

  10. Re: strange files on irix

    On 2003-10-13, Ivan Rayner wrote:
    > Well, I didn't know what these were either. However, I noticed that I
    > had a line in my SYSLOG matching the exact date and time of the change
    > time for cfgea. It turns out that these files are created by tfxd (the
    > Teleffect daemon).


    ....

    > You can test this by stopping tfxd (/etc/init.d/tfxd stop), renaming
    > the files, and then restarting txfd. The files will return.

    <...>
    > (Yet, another reason why tfxd should've been chkconfig'ed off by
    > default... but what do I know, I'm only a lowly engineer...


    removed teleffect a long time ago.
    I would expect them in /usr/{lib,share} anyway, surely NOT in bin.

    --
    wave++ (also known, in some places, as "Yuri D'Elia") http://www.yuv.info/
    The email address is fake (thanks swen)! You know how to contact me anyway.

  11. Re: strange files on irix

    In article ,
    wave++ wrote:
    > Any clue about these files
    >
    > -rw-r--r-- 1 root sys 836 Jan 8 1970 /usr/bin/cfgea
    > -rw-r--r-- 1 root sys 780 Jan 1 1970 /usr/bin/eadp
    > -rw-r--r-- 1 root sys 1736 Jan 23 1970 /usr/etc/dpeta
    >
    > ?
    >
    > Apparently no packages owns them.
    >


    They are garbage files created by the teleffect daemon (txfd).
    I don't know what they are for. I also know of /etc/config/cesag.

    SGI bug #870992 (teleffect drops garbage files)

    Joe
    --
    ------------------------------------------------------------------------
    Joseph Michaud SGI Applications Eng jmichaud@sgi.com
    vmail: 650-933-9455 office: 781-839-2100

  12. Re: strange files on irix

    You can do a version long |grep to see if they are part of any inst
    package.


    "wave++" wrote in message
    news:slrnbonci9.3lt.wavexx@hydra.ubi.intra...
    > On 2003-10-13, Ivan Rayner wrote:
    > > Well, I didn't know what these were either. However, I noticed that I
    > > had a line in my SYSLOG matching the exact date and time of the change
    > > time for cfgea. It turns out that these files are created by tfxd (the
    > > Teleffect daemon).

    >
    > ...
    >
    > > You can test this by stopping tfxd (/etc/init.d/tfxd stop), renaming
    > > the files, and then restarting txfd. The files will return.

    > <...>
    > > (Yet, another reason why tfxd should've been chkconfig'ed off by
    > > default... but what do I know, I'm only a lowly engineer...

    >
    > removed teleffect a long time ago.
    > I would expect them in /usr/{lib,share} anyway, surely NOT in bin.
    >
    > --
    > wave++ (also known, in some places, as "Yuri D'Elia") http://www.yuv.info/
    > The email address is fake (thanks swen)! You know how to contact me

    anyway.



+ Reply to Thread