Unknown binary file named "0" in /usr/local/src/

Question

I was cleaning my server today and found a file in directory /usr/local/src/

File Attributes:
Name: 0
Size: 975MBs
Type: Binary (I tried to cat the file)
Location: /usr/local/src/

Permissions:

-rw-r--r--  1 root root 1005054631 Nov 19  2000 0

I also tried to check if that file is used by any of the process using

fuser 0

but that returned nothing.

I have not added this file manually. I don't know how that file was created in the server. Is the server infected or does Ubuntu write these kinds of files automatically?

How can I check how that file was created & what that file is doing there?

Tried binwalk command to check the file, Below is the output.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
168065817     0xA047B19       MySQL ISAM compressed data file Version 5
220920175     0xD2AF96F       IMG0 (VxWorks) header, size: 1088485285
304382083     0x12248083      MySQL ISAM index file Version 7
358147067     0x1558E3FB      MySQL ISAM index file Version 8
362565535     0x159C4F9F      MySQL ISAM compressed data file Version 2
487768270     0x1D12C0CE      COBALT boot rom data (Flat boot rom or file system)
529883861     0x1F9562D5      rzip compressed data - version 112.123 (-1629463256 bytes)
718008653     0x2ACBF14D      MySQL MISAM compressed data file Version 1
778034453     0x2E5FDD15      MySQL ISAM compressed data file Version 4
778229381     0x2E62D685      MySQL MISAM index file Version 10
784771028     0x2EC6A7D4      MySQL MISAM compressed data file Version 10

You have had that file since november 19th 2000? Generally that dir is empty so it could have been put there manually. — Rinzwind, Aug 24 '17 at 07:59
The command file 0 can be used to identify the file (based on it's contents). Using cat on a 975 MB file should have been funny... — pim, Aug 24 '17 at 08:05
@Rinzwind I don't know why the creation date of the file is November 19th, 2000. I have launched that Ubuntu instance on AWS 2 months ago. — Ankit Arora, Aug 24 '17 at 08:05
@pim Thanks for the command. Output of file is:
0: ISO Media — Ankit Arora, Aug 24 '17 at 08:07
The date is still strange, looks like a default file system date. Please do md5sum 0 then search the result in google, I bet on a linux install media iso. — pim, Aug 24 '17 at 08:11
@Rinzwind Tried mounting but it saying not able to mount this file format. — Ankit Arora, Sep 08 '17 at 11:19

Rinzwind · Answer 1 · 2017-08-24T09:12:22.543

0

Generally that directory is empty as it is used to install local sources of software: /usr/local/ is reserved for software installed locally by the sysadmin so we probably will not be able to tell you. You need to ask your sysadmin (and if that is you ... ).

I would assume it will be harmless to remove it.

od -c 0

will show the ASCII characters inside the file. Maybe the results from that can tell you what it is from.

edit on comments:

How about mounting the file as it seems to be an ISO.

sudo mkdir /media/0
sudo mount -o loop /usr/local/src/0 /media/0
cd /media/0
ls

and unmounting:

sudo umount /media/0

edited Aug 24 '17 at 09:12

answered Aug 24 '17 at 08:05

Rinzwind

299,756

I fired the command you have mentioned. Below is the output of first 6 lines:
0000000 \0 \0 \0 034 f t y p f 4 v \0 \0 \0 \0 0000020 i s o m m p 4 2 m 4 v \0 \0 \0 \b 0000040 w i d e ; 276 " 303 m d a t \0 \0 < $ 0000060 e 210 204 \0 032 377 354 377 302 U 377 330 366 D 242 277 0000100 377 337 | 271 353 s 253 J 177 362 I 362 371 l ? 334 0000120 360 223 311 036 . 233 306 ~ N 217 221 032 002 J \0 \0
– Ankit Arora Aug 24 '17 at 08:48
Mounting didn't work.
mount: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error
– Ankit Arora Aug 24 '17 at 09:46

Eliah Kagan · Answer 2 · 2017-08-24T13:26:26.583

Although it does not replace the file utility, you can often get more information about binary files with binwalk (which hildred has suggested elsewhere). This is especially useful for large archives and disk images.

Ubuntu doesn't come with the binwalk command installed so you'll have to install it:

sudo apt update
sudo apt install binwalk

Then run it on your file:

binwalk /usr/local/src/0

Or if you have already cd'd to the /usr/local/src directory you can just run:

binwalk 0

The binwalk command will often reveal enough to figure out what the file is. Sometimes the output is long and it can take a long time. You can interrupt it with Ctrl+C.

Occasionally it's not helpful and doesn't tell you anything at all. Sometimes you get more information from file than binwalk. But especially for files that serve as containers for other files, such as archives those that would ordinarily be named .tar, .zip, and .7z, packages that would be named .deb, .rpm, .msi, executable archives like .run files and even .exe files that install Windows programs, and disk images that you might expect to be named .iso, .img, or .dmg, you will usually get useful output.

binwalk accepts several command-line options to control its behavior. See man binwalk. For the most part you don't have to use them, though--just pass it the file you're interested in.

Another option specifically for ISO images, which is useful if you don't want to install binwalk or just to get another view of an ISO image, is the isoinfo utility.

isoinfo uses somewhat odd syntax--to read from a file (the other option is an optical drive) you need the -i flag, you must always pass a flag to specify what kind of information you want, and--unlike with most Unix commands--flags cannot be grouped together after the same -.

isoinfo -f -i filename and isoinfo -l -i filename list the files inside the ISO, either as a list of hierarchically organized filenames and metadata (-l, like ls -R) or as a list of full paths (-f, like find).
isoinfo -d -i filename shows metadata that applies to the whole ISO image, reading it from its primary volume descriptor.

There are other options, though you'll probably mainly use those two, especially when you're just trying to figure out what your ISO image is for and where it came from. For more information see man isoinfo.

Great, Took time but I got an easy readable output using binwalk. Few output lines:-
DECIMAL HEXADECIMAL DESCRIPTION

168065817 0xA047B19 MySQL ISAM compressed data file Version 5 220920175 0xD2AF96F IMG0 (VxWorks) header, size: 1088485285 304382083 0x12248083 MySQL ISAM index file Version 7 358147067 0x1558E3FB MySQL ISAM index file Version 8 362565535 0x159C4F9F MySQL ISAM compressed data file Version 2 — Ankit Arora, Aug 24 '17 at 11:45
@AnkitArora I'm glad binwalk helped. The output you've posted is both truncated and almost completely unreadable in a comment, though, so if you're still looking for help with this and you want to show the output of binwalk, I recommend editing your question to include it. — Eliah Kagan, Aug 24 '17 at 11:47
@AnkitArora Thanks for adding the output to your question. But can you add it as text? It's very hard to work with text posted as images, and people who might find your question by searching--either to answer it or to benefit from answers to it--won't be able to find it through search terms that appear only in text in an image. You can paste text from the terminal into your question, select it, and format it as code by pressing Ctrl+K or clicking the {} in the editing toolbar to make it readable. — Eliah Kagan, Aug 24 '17 at 13:29

Unknown binary file named "0" in /usr/local/src/

Tried binwalk command to check the file, Below is the output.

2 Answers2