From: Frank Schaefer <frank.schafer@setuza.cz>
To: linux-kernel@vger.kernel.org
Subject: Re: Question about 'Hidden' Directories in ext2
Date: 03 Apr 2002 07:29:57 +0200
Message-ID: <1017811798.250.0.camel@ADMIN>
In-Reply-To: <Pine.LNX.4.30.0204021704360.6590-100000@rtlab.med.cornell.edu>
On Wed, 2002-04-03 at 00:16, Calin A. Culianu wrote:
>
> Ok, so some hackers broke into one of our boxes and set up an ftp site.
> They monopolized over 70gb of hard drive space with warez and porn. We
> aren't really that upset about it, since we thought it was kind of funny.
> (Of course we don't like the idea that they are using our bandwidth and
> disk space, but we can easily remedy that).
>
> Anyway, the weird thing is they created 2 directories, both of which were
> strangely hidden. You can cd into them but you can't ls them. I
>
> /usr/lib/ypx and /usr/man/ypx were the two directories that contained both
> the ftp software and the ftp root. When you are in /usr/man and you do an
> ls, you don't see the ypx directory (same when you are in /usr/lib). The
> ls binary we got is right off the redhat cd so it shouldn't still be
> compromised by whatever rootkit was installed.
>
> My question is this: can the data structures in ext2fs be somehow hacked
> so a directory can't appear in a listing but can be otherwise located for
> a stat or a chdir? I should think no.. maybe we still haven't gotten rid
> of the rootkit...
Hi,
Andreas is right. If you're compromised, you should reinstall your
system.
We caught an attacker at work not long ago. They didn't have the time to
remove their cracking tools, so we were able to analyze them.
This led me to the conclusion not to use a standard distro (amongst
other things). The script they used analyzed which distro is in use,
and infected the appropriate places for all popular distributions.
Furthermore, I wrote a module to bastillize the box, using exactly the
methods crackers are using (an example is on phrack). Oh ... yes, and
last but not least we modified some userspace progs and the kernel
(this task took me to this list), and we have everything read-only (tmp
and var on a fs mounted noexec,nosuid,nodev).
Regards
Frank
BTW: Can anyone point me to a site on which I can find some info about
the usage of the crypto patches?
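A defensive check for the symptom in the quoted message (an entry that stat() and chdir() resolve but readdir() omits), added here as an example and not part of the thread: it probes candidate names such as the poster's `ypx` under a parent directory, and cross-checks the directory's link count against the subdirectories readdir shows, which on ext2/ext3 should be exactly 2 + the number of subdirectories. The function names and the temporary-directory demo are constructed for this example.

```python
import os
import stat
import tempfile


def hidden_subdir_count(dir_nlink: int, visible_subdirs: int) -> int:
    """Surplus of a directory's link count over 2 + visible subdirectories.
    Valid for ext2/ext3 semantics; returns 0 when the fs does not keep the
    classic count (e.g. nlink == 1 on ext4 once dir_nlink kicks in)."""
    if dir_nlink < 2:
        return 0
    return max(0, dir_nlink - 2 - visible_subdirs)


def probe_names(parent: str, candidates) -> list:
    """Names that lstat() resolves under `parent` although readdir omits
    them: the 'cd works but ls does not show it' symptom from the thread."""
    listed = set(os.listdir(parent))
    hidden = []
    for name in candidates:
        if name in listed:
            continue
        try:
            os.lstat(os.path.join(parent, name))
        except FileNotFoundError:
            continue
        hidden.append(name)
    return hidden


def audit_directory(parent: str, candidates=()) -> dict:
    """Run both checks against one directory and return the findings."""
    entries = os.listdir(parent)
    visible_subdirs = sum(
        1 for e in entries
        if stat.S_ISDIR(os.lstat(os.path.join(parent, e)).st_mode))
    nlink = os.lstat(parent).st_nlink
    return {
        "nlink": nlink,
        "visible_subdirs": visible_subdirs,
        "unaccounted_subdirs": hidden_subdir_count(nlink, visible_subdirs),
        "hidden_by_name": probe_names(parent, candidates),
    }


def demo_audit(candidates=("ypx",)) -> dict:
    """Constructed demo: a scratch tree with one ordinary subdirectory.
    On the poster's box the parents of interest were /usr/lib and /usr/man."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "lib"))
        return audit_directory(d, candidates)


if __name__ == "__main__":
    print(demo_audit())
```

A kernel-level rootkit that filters getdents() can filter stat() too, so a clean result from this script is no substitute for booting from trusted media and reinstalling, as the reply advises.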