About .felix

I have a curiosity: an application in 11.1 creates the hidden folder

.felix

Which application is the owner (the folder recreates itself with 0 KB) and what purpose does it have? Thanks.

Ps. Tried to scan the repository but did not find any reference.

Google finds evidence that “Felix is an advanced Algol like procedural
programming language with a strong functional subsystem.”

maybe you have a programming environment with it included…or some
program/application installed that uses it??

When it comes to chocolate, resistance is futile.
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

Does ‘cat’ create its own folder?

The command “cat”? No, apparently not. I would only think about two programs likely to use such a programming language: matlab (but it does not run and therefore it should not create the folder at login in KDE), and luckybackup, but I have no evidence about what program creates the .folder. Is there a logfile?

I’m awfully sorry, my reply should need some explanation: The latin word for “cat” is “felix felix”. That’s why so many cats are called felix. I should have made clear I was not giving a serious reply.

Running ‘strings * | grep felix’ on /usr/bin/ right now, see if that brings something. Nope. I guess, stakanov, you already did some tough googling yourself.

Since this machine was hacked badly only a short time ago, since it will probably happen again, I am somehow very serious about what I am searching. A programming language able to do “spaghetti stacks” and collaborating with java… And still not finding any location of where it is located. Not good (at least for my feelings).
But nice try with humor. Have these tendencies myself.

What do you mean by ‘seriously hacked’? Root access?
Did you check for weird, i.e. unknown, processes?
Did you check /tmp for executable files?

On 2010-10-17 18:36, stakanov wrote:
> I have a curiosity: an application in 11.1 creates the hidden folder
> Code:
> --------------------
> .felix
> --------------------
> Which application is the owner (the folder recreates itself with 0 KB)
> and what purpose has it. Thanks.

I knew I had read of a trick, and saved it, but could not find it. However, knowing the name of who
wrote it (Cristian Rodríguez from SUSE), I found it (06 Mar 2009).

Someone described “that the mode of /dev/null was changed to 600” in two computers with 11.1, by
some unknown entity. Cristian said:

try this:

auditctl -w /dev/null -p a

auditctl -e 1

and then watch the logs…
if auditctl is not found, when you execute it as root, install package


use “ausearch -f /dev/null” to get precise results of what is changing
permissions of /dev/null

The idea is that AppArmor is designed to report (and block if asked) access by a program to a file.
That command will make AA log access to that file you do not know who creates.

-w path
Insert a watch for the file system object at path. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the -F path option on a syscall rule. If you place a watch on a directory, its the same as using the -F dir option on a syscall rule. The -w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the -p and -k. If you need to anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another.

-p [r|w|x|a]
Set permissions filter for a file system watch. r=read, w=write, x=execute, a=attribute change. These permissions are not the standard file permissions, but rather the kind of syscall that would do this kind of thing. The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested.

-k key
Set a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. Typical use is for when you have several rules that together satisfy a security requirement. The key value can be searched on with ausearch so that no matter which rule triggered the event, you can find its results. The key can also be used on delete all (-D) and list rules (-l) to select rules with a specific key. You may have more than one key on a rule if you want to be able to search logged events in multiple ways or if you have an audispd plugin that uses a key to aid its analysis.

-e [0..2]
Set enabled flag. When 0 is passed, this can be used to temporarily disable auditing. When 1 is passed as an argument, it will enable auditing. To lock the audit configuration so that it can’t be changed, pass a 2 as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.

Try this - I’m interested to learn if it works.

Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Thanks to Knurpht I found the solution:

# su -c updatedb

# locate felix

I feel happier now, matlab was one of the “suspects” I did hope on. I had searched manually, but did not find it. I knew felix was working as a java app doing “spaghetti programming”, something that did not reassure me, but one of the tips he sent me was rightly:
install find locate and run the above commands.

@Carlos E. R.
Thank you indeed. I did run the command (in this case since the install is fresh after the hack, fortunately negative). But I will print your advice because I have the feeling it will serve me in the future. P.S. there IS some exploit allowing to take control over the system in 11.1 and to install code using physical access and a USB HDD. What they do use I do not know. But I can assure you that I did change my “open” behavior in this regard since I have seen what can happen.

Thank you a lot to both of you. I am putting a big “plus” in my personal agenda.
Let's hope all goes well.

what about a how-to for noops on “all the tips and tricks to find out if the system might still be yours”. And since it would be for noops (I consider me not sufficiently prepared in networking, IP-ing and permissions, so count on me as “noop”) it should be really explicit. Just a suggestion “to whom it might concern”.

On 2010-10-18 20:36, stakanov wrote:

> @Carlos E. R.
> Thank you indeed. I did run the command (in this case since the install
> is fresh after the hack, fortunately negative.

Huh… Welcome, but you have to run those two commands, and then wait. Minutes or weeks, no way to
know - while you watch the audit log. There will be an entry in the log the moment something tries
to change the attributes of /dev/null - which means that in your case you have to adapt the commands
to your problem. As given, the commands will not help you, they have to be changed. That’s why I
posted excerpts from the manual.

Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
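Adapting the watch to this thread's case, as an added example that is not part of any post: assuming a rule such as `auditctl -w /home/user -p wa -k felix-watch` was placed on the home directory (the path and the key name are assumptions), the Python sketch below groups the resulting audit records by event and reports which process touched `.felix`. The log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (all values are illustrative).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1287426000.123:412): arch=c000003e syscall=83 success=yes exit=0 items=2 ppid=3021 pid=3107 auid=1000 uid=1000 comm="exampleapp" exe="/opt/exampleapp/bin/exampleapp" key="felix-watch"
type=CWD msg=audit(1287426000.123:412): cwd="/home/user"
type=PATH msg=audit(1287426000.123:412): item=0 name="/home/user/" inode=20 dev=08:02 mode=040755 ouid=1000 ogid=100
type=PATH msg=audit(1287426000.123:412): item=1 name="/home/user/.felix" inode=131 dev=08:02 mode=040755 ouid=1000 ogid=100
type=SYSCALL msg=audit(1287426044.870:413): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2990 pid=3021 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="felix-watch"
type=PATH msg=audit(1287426044.870:413): item=0 name="/home/user/.bash_history" inode=77 dev=08:02 mode=0100600 ouid=1000 ogid=100
'''

EVENT_ID = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # captures the event serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="value"


def parse_events(log_text):
    """Group records by event serial: one syscall yields several records."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(1)][fields.get('type', '?')].append(fields)
    return events


def who_touched(log_text, key, name):
    """Return (pid, comm, exe) for events tagged `key` whose PATH records end in `name`.

    Names containing spaces or control bytes are hex-encoded by audit;
    this sketch does not decode them.
    """
    hits = []
    for recs in parse_events(log_text).values():
        syscall = recs.get('SYSCALL')
        if not syscall or syscall[0].get('key') != key:
            continue
        paths = (p.get('name', '') for p in recs.get('PATH', []))
        if any(p.rstrip('/').split('/')[-1] == name for p in paths):
            hits.append((int(syscall[0]['pid']), syscall[0]['comm'], syscall[0]['exe']))
    return hits


if __name__ == '__main__':
    for pid, comm, exe in who_touched(SAMPLE_LOG, 'felix-watch', '.felix'):
        print(f'pid={pid} comm={comm} exe={exe}')
```
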

Yeap. I will do so, but I will then take the time to study the manual and then I will find the time to find the log and then…I probably come to March with a fresh install. The problem is not that people like me do not have the will to read the manual. The problem is that one has no time and help from anybody to implement these features. Hold in mind that my profession does not comprise IT, that any acquirement is only personal, thus, time invested is to be counted as withdrawn from your profession / academical activity. This is actually the most noteworthy difference between users working in IT and so called “noops” - the opportunity cost.

So, while for a person who knows the matter it seems “straightforward”, for a user coming from outside (and against his expectations) in this area, it is not. These thematics are circular, and not much is done to give a centralized place with dedicated, easy to understand and readily employable advice.

So still, thank you again for pointing out the error I committed. If I would have had the information on /dev/null and 11.1 before…maybe I would have installed 11.2 (but would that have protected me in any way?). You see the problem is that knowledge and information in this regard are circular, the learning curve is steep.

Just to make you understand: who tells you that (a part of permissions) I do actually “understand” in depth what implications and functions have /dev/null and its permissions?

That is the reason why I would like to see a bit more effort in divulging these infos in a more “noop-straightforward way”.

In the meanwhile (once I have less pressure) I WILL read that manual (maybe printing it out since on a 12" screen this is not easy at all), and implement it - provided - I will be able at the end to understand what it says.

As you see IMO it is absolutely indicated to thank you for the info anyway, if not for other reasons, then for the advantage that now I know that I did not correctly understand your advice.

PS: This shows the importance of user groups. Where I live, there is only one LUG, it is mainly based on Ubuntu, you as a “lizard” are seen more as a curiosity and are first of all proposed to change distribution…people that have actually the necessary knowledge do not come to the meetings and are available if ever over the net (so that means no advantage of a LUG, at least IMHO) and the overall preparation of (for heavens sake, very passionate) people there is limited to be able to more or less “install correctly Linux” and to use the day by day software like OpenOffice. Tough, tough.
BTW: the same situation I did find it now in three countries. Seems more a rule than the exception. :expressionless:

Never even hoped that it would be that simple. Great this matter is out of this world. I surely hope it’s over and done with now. Enjoy.

  • Knurpht wrote, On 10/17/2010 10:06 PM:
    > I’m awfully sorry, my reply should need some explanation: The latin
    > word for “cat” is “felix felix”.

That’s “felis”, “felix” is Latin for “lucky” :stuck_out_tongue: