1

On my CentOS 7 (64 bit) machine some strange directories are appearing in the root directory `/`.

I can't work out what's causing it; if I delete them they slowly start to reappear.

Here is a sample:

```
drwxr-xr-x  2 root  root  4096 Apr 19 09:15 Y-8f9479b39a92bac7-0000000000
drwxr-xr-x  2 root  root  4096 Apr 15 08:20 Y-af72e17029b2d6c1-0000000000
drwxr-xr-x  2 root  root  4096 Apr 20 09:30 YAg*-f8fe9fbc16e2d7e3-0000000000
drwxr-xr-x  2 root  root  4096 Apr 20 20:15 y:-cd1a6f4e05353e19-0000000000
drwxr-xr-x  2 root  root  4096 Apr 27 15:45 Y-df78a7ff0627a98c-0000000000
drwxr-xr-x  2 root  root  4096 Apr 22 14:50 Y-e340633e382d2dfa-0000000000
drwxr-xr-x  2 root  root  4096 Apr 22 11:10 Y-f63ddb0510f522bd-0000000000
drwxr-xr-x  2 root  root  4096 Apr 23 12:25 Yg=B-d85f91f40842530a-0000000000
drwxr-xr-x  2 root  root  4096 Apr 28 04:25 y:N-d16c3206c12f5644-0000000000
drwxr-xr-x  2 root  root  4096 Apr 26 17:50 Y:p-05b9ee59a8e426da-0000000000
drwxr-xr-x  2 root  root  4096 Apr 22 19:20 yp-6131660bc56433f0-0000000000
drwxr-xr-x  2 root  root  4096 Apr 26 21:20 Yz-57ca695582281830-0000000000
drwxr-xr-x  2 root  root  4096 Apr 22 12:20 Z-056bc56238327542-0000000000
drwxr-xr-x  2 root  root  4096 Apr 22 17:05 Z-06d6559ea7d8d81e-0000000000
drwxr-xr-x  2 root  root  4096 Apr 15 09:15 z-078580c414cd831a-0000000000
drwxr-xr-x  2 root  root  4096 Apr 14 15:05 z-1c234db314fd3d4f-0000000000
drwxr-xr-x  2 root  root  4096 Apr 17 16:40 Z3-fb84f61e06366829-0000000000
drwxr-xr-x  2 root  root  4096 Apr 16 10:00 _Z-475f2f63ed961d9b-0000000000
drwxr-xr-x  2 root  root  4096 Apr 22 18:45 -Z-4d85b858dd07d49a-0000000000
drwxr-xr-x  2 root  root  4096 Apr 18 17:40 z-7549c367428e3062-0000000000
```

Edit: Is there a way to trap and log which process is writing these files?

cas
Aditya K
  • What's inside them? What does `fuser /Y-df78a7ff0627a98c-0000000000` return (pick the newest directory). Are there any processes running you don't recognise? Is the machine connected to the Internet? – EightBitTony Apr 28 '16 at 08:41
  • The directories are empty, there are no processes running I do not recognise. The machine is connected to the internet, it is acting as a gateway / firewall. I'm using firewalld. – Aditya K Apr 28 '16 at 08:45
  • I would disconnect it from the Internet while you investigate. Can you try the `fuser` or @linerd's `lsof` command? – EightBitTony Apr 28 '16 at 08:46
  • My guess would be a cron job using unquoted and/or incorrectly defined variable(s) to create a temporary working directory, and then not properly cleaning up after itself. Check any local (i.e. not part of a system package) scripts called from root's `crontab`, as well as `/etc/crontab` and `/etc/cron*/*` - especially any that run every 5 minutes. – cas Apr 28 '16 at 15:48
  • Maybe the cron job script has a simple mistake, like using `$tmp` rather than `$TMP` or `$TMPDIR`. – cas Apr 28 '16 at 15:55

2 Answers

1

You can use `lsof` and `grep` to find out which process has these files open:

```
# -E enables extended regex, so ".+" means "one or more characters"
$ lsof | grep -E "Y.+0000000000"
```

linerd
1

It looks to me like a cron job creating temporary working directories and then failing to clean up after itself properly.

To verify that, examine any local (i.e. not part of a system package) scripts called from root's crontab, as well as `/etc/crontab` and `/etc/cron*/*` - especially any that run every 5 minutes.


My initial guess was that it would be a cron script using unquoted and/or incorrectly defined variable(s), but a (now deleted) response from you mentioned that it was HandBrakeCLI, installed from the negativo17 repo (http://negativo17.org/).

HandBrakeCLI does not do this on my system (version 1:0.10.5-dmo1 from the debian-multimedia repo), so it looks like a bug in your version of handbrake. You should report the bug to negativo17, or check to see if they have an updated/fixed version.

cas
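
The cron check described in the answer above, as an added example that is not part of the original answer: it lists cron entries that fire every 5 minutes and prints the lines in each job script that create directories. The `demo` data (the `encode.sh` script and its crontab) is constructed, and a job is only inspected when the first word of its command is a readable script path.

```shell
#!/bin/sh
# Added example (not from the original thread).
TAB=$(printf '\t')

# five_minute_jobs KIND FILE...
# KIND=system: /etc/crontab, /etc/cron.d/* (user field before the command)
# KIND=user:   /var/spool/cron/* (no user field)
five_minute_jobs() {
    kind=$1; shift
    case $kind in system) col=7 ;; *) col=6 ;; esac
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v col="$col" '
            /^[ \t]*(#|$)/      { next }   # comment or blank line
            $1 ~ /^[A-Za-z_]+=/ { next }   # MAILTO=, PATH=, SHELL=
            $1 == "*/5" || $1 ~ /^0,5,10,/ { print file ":" NR "\t" $col }
        ' "$f"
    done
}

# Reads "location<TAB>command" lines; for commands that are readable files,
# prints the script lines that call mkdir or mktemp.
dir_creators() {
    while IFS="$TAB" read -r loc cmd; do
        [ -f "$cmd" ] && [ -r "$cmd" ] || continue
        grep -nwE 'mkdir|mktemp' "$cmd" | while IFS= read -r hit; do
            printf '%s -> %s:%s\n' "$loc" "$cmd" "$hit"
        done
    done
}

# Constructed sample: one system crontab and one hypothetical local script.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'mkdir "$tmp/work-$$"   # $tmp is never set' \
        'rm -rf "$TMPDIR/work-$$"' > "$d/encode.sh"
    printf '%s\n' 'MAILTO=root' '# constructed entries' \
        "*/5 * * * * root $d/encode.sh" \
        "30 2 * * * root $d/encode.sh" > "$d/crontab"
    five_minute_jobs system "$d/crontab" | dir_creators | sed "s|$d|DIR|g"
    rm -rf "$d"
}

# Real use on CentOS 7 (run as root):
#   five_minute_jobs system /etc/crontab /etc/cron.d/* | dir_creators
#   five_minute_jobs user /var/spool/cron/* | dir_creators
```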