2

I have never seen this files in RedHat before.

/tmp/orbit-root
/tmp/ssh-KEskO14981/agent.14981
/tmp/keyring-OuVrZn/sock

What could it be?

shatzibtten
  • 45
  • 1
  • 4

1 Answers1

4
/tmp/orbit-root

If your computer gets its IP-address by DHCP, this is probably dhclient. Check with lsof -n | grep orbit as root.

/tmp/ssh-KEskO14981/agent.14981

Looks like the ssh-agent-process. This makes it possible to cache your passphrase when you attempt to do ssh-logins on servers using a key with passphrase, so you don't have to type it in every time.

/tmp/keyring-OuVrZn/sock

Looks like the gnome-keyring-daemon. This stores several credentials for you. This is the socket other applications talk through when they want to fetch credentials from it.

Kvisle
  • 4,113
  • 23
  • 25
  • Can the second file used by malware or rootkit? I have some suspicions about it. Because this file didn't exist there before. – shatzibtten Nov 07 '11 at 18:21
  • 1
    Probably not Malware - it's normal as long as someone is logged in to Gnome. Do you have an ssh-agent running (`ps aux | grep ssh-agent`)? Check if it has the files open with `lsof -n | grep ssh-agent` as root. My guess is that the agent.14981-file is the unix-socket the agent uses. Regardless, it's safe to kill it off - the only consequence is that ssh can't cache the passphrase of ssh-keys. (The ssh-agent may also run without Gnome, it just has to be started somehow) – Kvisle Nov 07 '11 at 18:40