Dev1 Galaxy Forum / [SOLVED] A folder with no name

Re: [SOLVED] A folder with no name

dummy@example.com (soren) — Tue, 19 Dec 2023 09:38:39 +0000

It was an empty environment variable set by the fff script because im using trash-cli i left it blank but with a space. In the script it calls mkdir -p $FFF_TRASH and i suppose if left empty with a space it creates the folder every time the script is run. Sorry for the noise, solved.

Re: [SOLVED] A folder with no name

dummy@example.com (soren) — Tue, 19 Dec 2023 09:03:33 +0000

I figured it out, ive recently been using this terminal file manager called fff and it is the cause somehow.
https://github.com/dylanaraps/fff
I deleted the directory and started fff up again and it creates it everytime, i only notice because i switch between fff and pcmanfm. Maybe fff needs this directory or maybe there is a bug in the script, ill have to investigate.

~ $ stat " "
  File:
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 254,0   Inode: 1049631     Links: 2
Access: (0755/drwxr-xr-x)  Uid: ( 1000/   soren)   Gid: ( 1000/   soren)
Access: 2023-12-19 18:56:58.967995613 +1000
Modify: 2023-12-19 18:56:58.967995613 +1000
Change: 2023-12-19 18:56:58.967995613 +1000
 Birth: 2023-12-19 18:56:58.967995613 +1000

Re: [SOLVED] A folder with no name

dummy@example.com (soren) — Tue, 19 Dec 2023 08:50:17 +0000

Thanks siva, ill have a look into those options, im hoping its nothing to do with malware.

aluma, its in the home folder. I deleted it and reboot today and same story. It has the same rights my user has for all files in home, that being unix file permission 755.

~ $ ls -bgiQu 
1049631 drwxr-xr-x 2 soren 4.0K Dec 19 18:38 " "

Re: [SOLVED] A folder with no name

dummy@example.com (aluma) — Tue, 19 Dec 2023 08:33:08 +0000

Can you find out specifically in which directory this folder appears and with what rights?
Thank you.

Re: [SOLVED] A folder with no name

dummy@example.com (siva) — Tue, 19 Dec 2023 07:38:47 +0000

Malware? Might be time for a fresh install/restore.

You could also use auditd to do some hunting. The output won't show you the Parent PID directly, but you could try to correlate it yourself.

~# apt install auditd
...
~# /sbin/auditctl -w / -p rw -k var-run-pids -S all

In your case, you could check for PATH events which follow folder-creation syscall events whose name contains some sequence of "20," the hex encoding for a space.

# Create a folder whose name is a space.
~$ mkdir ' '

# Start the hunt.
~$ grep -B 4 -A 5 'exe="/bin/mkdir"' /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1702969127.472:12053): arch=c00000b7 syscall=34 success=yes exit=0 a0=ffffffffffffff9c a1=ffffc4ba4745 a2=1ff a3=ffffc4ba35c0 items=2 ppid=7307 pid=8072 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5 comm="mkdir" exe="/bin/mkdir" subj=unconfined key="var-run-pids"ARCH=aarch64 SYSCALL=mkdirat AUID="devuan" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1702969127.472:12053): cwd="/home/devuan/velociraptor"
type=PATH msg=audit(1702969127.472:12053): item=0 name="/home/devuan/velociraptor" inode=392843 dev=fe:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="devuan" OGID="devuan"
type=PATH msg=audit(1702969127.472:12053): item=1 name=20 inode=392733 dev=fe:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1702969127.472:12053): proctitle=6D6B6469720020

Here, the pathname is name=20, which is a single space. The parent process ID of /bin/mkdir is 7303, which is bash on my system. You can use tree-generating tools like ps or htop to visually trace the PPID's parents or children.

You could also leverage something like Graylog, ELK/HELK, or Splunk free to make this easier. Still, this kind of thing would take some legwork, might not give you the results you want.

You could also check automated routines like cron/tab and maybe run an antivirus/antimalware.

[SOLVED] A folder with no name

dummy@example.com (soren) — Tue, 19 Dec 2023 03:17:52 +0000

A folder with no name has been appearing for the last week or so, i cant figure out why. Its just an empty directory and has no name just a few spaces for the folder name.

I delete it and reboot the next day and its back again. Just running stable Daedalus branch using sysvinit.

Must be some setting or program somewhere doing this, any ideas ?