It could be that glibc is hacked also, unless you have a
statically-linked ls command. Try booting directly from the CD.
Yes, it is possible to hack ext2 to not show directories named "ypx" (or
whatever you want). Non-trivial, but doable. I had read somewhere that
"modern" linux rootkits load kernel modules, so that they intercept
kernel syscalls, like "sys_getdents()" or "sys_getdents64()" to not show
that you have been hacked.
Really, once you are compromized like this, you are better off to back
up your data and reinstall your OS (taking care that no suid binaries
exist in user home directories and such, there shouldn't normally be
You should also take care that you download the latest RPM updates, and
have them available to machine before it is connected to the net again.
I have heard of machines being compromized within minutes of being
installed, before they update to secure RPMs, just because the number
of crack attempts is so high.
-- Andreas Dilger \ "If a man ate a pound of pasta and a pound of antipasto, \ would they cancel out, leaving him still hungry?" http://www-mddsp.enel.ucalgary.ca/People/adilger/ -- Dogbert
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to firstname.lastname@example.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/