Re: Question about 'Hidden' Directories in ext2

All of lore.kernel.org
 help / color / mirror / Atom feed

From: jw schultz <jw@pegasys.ws>
To: linux-kernel@vger.kernel.org
Subject: Re: Question about 'Hidden' Directories in ext2
Date: Tue, 2 Apr 2002 18:28:03 -0800	[thread overview]
Message-ID: <20020402182803.G19384@pegasys.ws> (raw)
In-Reply-To: <Pine.LNX.4.30.0204021704360.6590-100000@rtlab.med.cornell.edu>

On Tue, Apr 02, 2002 at 05:16:42PM -0500, Calin A. Culianu wrote:
> 
> Ok, so some hackers broke into one of our boxes and set up an ftp site.
> They monopolized over 70gb of hard drive space with warez and porn.  We
> aren't really that upset about it, since we thought it was kind of funny.
> (Of course we don't like the idea that they are using out bandwidth and
> disk space, but we can easily remedy that).
> 
> Anyway, the weird thing is they created 2 directories, both of which were
> strangely hidden.  You can cd into them but you can't ls them.  I
> 
> /usr/lib/ypx and /usr/man/ypx were the two directories that contained both
> the ftp software and the ftp root.  When you are in /usr/man and you do an
> ls, you don't see the ypx directory (same when you are in /usr/lib).  The
> ls binary we got is right off the redhat cd so it shouldn't still be
> compromised by whatever rootkit was installed.
> 
> My question is this: can the data structures in ext2fs be somehow hacked
> so a directory can't appear in a listing but can be otherwise located for
> a stat or a chdir?  I should think no.. maybe we still haven't gotten rid
> of the rootkit...
> 
> -Calin

It might be much simpler.  They may be playing with /etc/profile.
Check your shell aliases and the environment variable LS_OPTIONS.
A simple LS_OPTIONS="$LS_OPTIONS -I ypx" or
alias ls='ls --ignore=ypx' would have the effect you are
talking about.

-- 
________________________________________________________________
	J.W. Schultz            Pegasystems Technologies
	email address:		jw@pegasys.ws

		Remember Cernan and Schmitt

next prev parent reply	other threads:[~2002-04-03  2:29 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-04-02 22:16 Question about 'Hidden' Directories in ext2 Calin A. Culianu
2002-04-02 22:42 ` Andreas Dilger
2002-04-02 23:48 ` Erik Ljungström
2002-04-03  2:28 ` jw schultz [this message]
2002-04-03  5:29 ` Frank Schaefer
2002-04-03 10:53 ` Craig Knox
2002-04-13 16:58   ` Pablo Alcaraz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20020402182803.G19384@pegasys.ws \
    --to=jw@pegasys.ws \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.