What is this hidden directory doing on my Desktop?

5

On my Mac I just encountered a hidden directory on my desktop. I don't recall putting it there.

When I type ls -la in Terminal on the desktop I get the following:

enter image description here

The last folder is what triggered my attention. It is also highlighted. When I cd into that directory and type ls -la I see:

total 16
drwxrwxrwx@  4 user  staff  136 Oct 18  2012 .
drwx---rwx  17 user  staff  578 Dec 17 15:03 ..
-rw-rw-rw-@  1 user  staff  231 Jan 16  2013 6VR16NQEUJ456542VDR66LS7
-rw-rw-rw-@  1 user  staff  226 May  8  2013 K7wuT15oKsg=

The 6VR... file can be opened in Sublime Text as a Hex file, the other shows up empty. What is this folder doing on my desktop? Googling the exact name does not give any results.

Saaru Lindestøkke

Posted 2013-12-17T14:07:27.550

Reputation: 1 275

The green highlighting is just a way of showing that the rights are set to 777 (drwxrwxrwx). I don't know of a "sticky" type of file or folder. – SPRBRN – 2013-12-17T14:56:08.597

That is very well possible. I googled this highlighting and stumbled on the sticky term. Might have misunderstood that. – Saaru Lindestøkke – 2013-12-17T14:57:35.480

Answers

3

When a file or folder is highlighted, it means that file has the read, write, and execute permissions set for Owner, Group, and Other (chmod 777). The folder is not a "sticky" folder.

For Mac OSX a sticky bit is designated in the "EXECUTE" (x) bit within the file or directory properties.

For example:

drwtrwxrwx

Breaking down the above line:

d = directory

rwt = The OWNER of the file has read, write, and is the only one who has permissions to delete this file (oh and execute)

rwx = Any user part of the GROUP "staff" which you kindly displayed above in your example has the power to read, write, and execute.

the last rwx = anyone not part of the group staff and not an owner has the right to read, write, and execute.

That directory could've been created possibly by a program, someone hijacking your machine, etc. There could be any number of reasons that was placed there.

I'd advise deleting it and if you'd like perform a scan on your machine.

Check to see if your machine has any ports open for listening using netstat -antp in terminal.

falconspy

Posted 2013-12-17T14:07:27.550

Reputation: 592

Deleted it (I have a Timemachine backup just in case), ran a scan with ClamXav (clean) and found 8 listening ports. 6 of them I could trace down to legitimate processes (Dropbox, some plugin listening for uploads, etc...) Two other ports 127.0.0.1.631 and ::1.631 (are these the same only for IPv4/v6?) did not show anything when used with losf -i :portnumber – Saaru Lindestøkke – 2013-12-17T16:43:04.927

Should be fine then. It was most likely a program you previously installed and ran that created the directory. – falconspy – 2013-12-17T16:54:13.730

0

The first one . is the hidden folder filesystems use to identify the current directory (remember that the way to run a script in your current working directory is ./blah).

The second could have gotten there any number of ways, some of them malicious. Run a scan on your machine, but don't delete it right away because it might have been put there by a legitimate program.

Yitzchak

Posted 2013-12-17T14:07:27.550

Reputation: 4 084

Asked: 2013-12-17T14:07:27.550

Viewed: 214 times

Active: 2014-10-16T15:23:43.020