# xt file in /

## trikmik

i found a file in "/" named "xt"

when reading with nano the file shows: ^B'  ^t  ^T^= P 1^O    | ^[

i searched the www for this file and could not find anything, does anyone know what the file does?

----------

## Hu

What is the output of od -tx1z -Ax /xt ; ls -l /xt?  What programs were active around the time that the file was written?

----------

## trikmik

I moved the xt file into a different directory and renamed the xt file, in an effort to reproduce the file, without success.

So maybe the output of the command you suggested might be different.

```
# od -tx1z -Ax /xt ; ls -l /xt
000000 02 27 a7 fd 94 b4 d3 14 9f a5 50 ac 31 0f d9 a0  >.'........P.1...<
000010 b6 bd 7c fd 1b 0a                                >..|...<
000016
-rw-r--r-- 1 root root 22 Jan 22 01:59 /xt
```

At the time the file was created in ~amd64 xfce 17.0 profile:

Because of gcc upgrade:

```
emerge -e @world
```

Flashed seabios into the chromebook using:

```
# curl -L -O https://mrchromebox.tech/firmware-util.sh
# bash firmware-util.sh
```

Fixed clock skew:

```
# touch currtime
# find . -cnewer /currtime -exec touch {} \;
```

Used the wrong command to unpack stage3-amd64-20180116T214503Z.tar.xz

then deleted everything in / when installing Gentoo first time on this machine, and unpacked successfully after.

Running Qemu Gentoo Client in background which was doing "emerge -e @world"

Had WireShark running.

Besides the actions noted above i cannot recall any other programs that were active around the time the file was written.

*edit* i also set static arp with help from this link https://forums.gentoo.org/viewtopic-t-1075010-highlight-.html

and switched back and forth from wpa_supplicant / nm-applet

----------

## bunder

have you ever used a hardened profile on this system?  that's the only "xt" reference i can think of off hand.

https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX

----------

## trikmik

 *bunder wrote:*   

> have you ever used a hardened profile on this system?  that's the only "xt" reference i can think of off hand.
> 
> https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX

 

I never used hardened profile on this system.

----------

## trikmik

i did have a power loss while doing emerge -e @world, however i am not sure if that would cause an xt file in /

also i had emerge --sync failure due to poor internet connection.

maybe the file was a leftover from aborting the mrchromebox flash-utility download with curl?

Does the code of the xt file have an actual meaning or is it just random gibberish?

```
^B' ^t ^T^= P 1^O | ^[
```

I guess all i can do right now is speculate, because i have no known facts.

----------

## pjp

Anything in history? If you ever become root, what about root's history? At least in every multi-person admin place I've been, random files are often "root droppings." Things left behind and forgotten about or not noticed, such as unintended redirection of output.

----------

## krinn

or a bad script that assumes a variable is set when it's not

```
echo "${MYBAD}"/xt
```

----------

## trikmik

pjp,

I just checked the root .bash_history and user .bash_history but could not find anything regarding the creation of the xt file.

krinn,

Is it possible that could happen during emerge -e @world?

I am sorry for this beginner question, however: Because i can not recall how the file got created in root, do i need to reinstall Gentoo for this reason?

i've seen people say they only install Gentoo once on a machine, does that mean they never got infected? or does it mean there is no such thing as privacy on the internet?

Then again i can not state that the machine got compromised because of one single file that ended up in root, it might be just a bad script..

----------

## krinn

 *trikmik wrote:*   

> Is it possible that could happen during emerge -e @world?

 

No, else we would all have an /xt ;)

 *Quote:*   

> Because i can not recall how the file got created in root, do i need to reinstall Gentoo for this reason?

 

LOL, then you will re-install a lot. Disks never forget, but your memory is not that perfect, or you just made a mistake and weren't aware of the consequences of that mistake, or a script has done that for you, and you are not checking / every 2s to see if some xt file appears.

All you could do is answer: the file date is 22 Jan 22 01:59, what were you doing at that time? (and that's where you'll see your memory is not perfect).

 *Quote:*   

> i've seen people say they only install Gentoo once on a machine, does that mean they never got infected?

 

If your machine is not exposed, and you take care of what you download and run, you can stay safe for years.

----------
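Added example (not from any poster in this thread): one way to approach the "what was running when the file was written?" question raised above is to list every file whose mtime falls within a window around the unknown file's mtime. The function name `files_near` and its arguments are assumptions of this example; it relies on GNU find's `-printf` and on `stat -c`.

```shell
#!/bin/sh
# files_near REF MINUTES [ROOT]
# Print "mtime<TAB>path" for every regular file under ROOT (default /)
# whose mtime lies within +/- MINUTES of REF's mtime, oldest first.
# Neighbours in time often name the package, script or download that
# was active when REF was written.
# The body runs in a subshell "( ... )" so its variables stay local.
files_near() (
    ref=$1
    minutes=$2
    root=${3:-/}

    # mtime of the reference file as seconds since the epoch
    t=$(stat -c %Y -- "$ref") || exit 1
    lo=$(( t - minutes * 60 ))
    hi=$(( t + minutes * 60 ))

    # -xdev keeps find on one filesystem (skips /proc, /sys, other mounts).
    # %T@ is the mtime in epoch seconds; the tab-separated fields are
    # sorted numerically and then filtered to the window by awk.
    find "$root" -xdev -type f \
        -printf '%T@\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null |
        sort -n |
        awk -F'\t' -v lo="$lo" -v hi="$hi" \
            '$1 >= lo && $1 <= hi { print $2 "\t" $3 }'
)

# Typical call for the case in this thread (15-minute window, root fs):
#   files_near /xt 15 /
```

mtimes only help if they are still original: a bulk `touch`, like the clock-skew fix quoted earlier in the thread, rewrites them for every file it matches.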

