Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 3 Apr 2002 05:44:05 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 3 Apr 2002 05:43:55 -0500 Received: from monster.gotadsl.co.uk ([213.208.127.236]:62087 "EHLO monster.gotadsl.co.uk") by vger.kernel.org with ESMTP id ; Wed, 3 Apr 2002 05:43:39 -0500 Subject: Re: Question about 'Hidden' Directories in ext2 From: Craig Knox To: "Calin A. Culianu" Cc: linux-kernel@vger.kernel.org In-Reply-To: Content-Type: text/plain Content-Transfer-Encoding: 7bit Date: 03 Apr 2002 11:53:59 +0100 Mime-Version: 1.0 X-Scanner: VirusScanner *16siBr-0005YD-00*oGYy.1w6HnU* Message-Id: <20020403104348Z310435-617+3433@vger.kernel.org> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2002-04-02 at 23:16, Calin A. Culianu wrote: > > Ok, so some hackers broke into one of our boxes and set up an ftp site. > They monopolized over 70gb of hard drive space with warez and porn. We > aren't really that upset about it, since we thought it was kind of funny. > (Of course we don't like the idea that they are using out bandwidth and > disk space, but we can easily remedy that). > > Anyway, the weird thing is they created 2 directories, both of which were > strangely hidden. You can cd into them but you can't ls them. I > > /usr/lib/ypx and /usr/man/ypx were the two directories that contained both > the ftp software and the ftp root. When you are in /usr/man and you do an > ls, you don't see the ypx directory (same when you are in /usr/lib). The > ls binary we got is right off the redhat cd so it shouldn't still be > compromised by whatever rootkit was installed. > > My question is this: can the data structures in ext2fs be somehow hacked > so a directory can't appear in a listing but can be otherwise located for > a stat or a chdir? I should think no.. maybe we still haven't gotten rid > of the rootkit... If you are using the binary "ls" of the redhat CD they are probably using a kernel module to hide this directory. Have you tried running -> http://www.chkrootkit.org on the box? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/