> Ok, so some hackers broke into one of our boxes and set up an ftp site.
> They monopolized over 70gb of hard drive space with warez and porn. We
> aren't really that upset about it, since we thought it was kind of funny.
> (Of course we don't like the idea that they are using out bandwidth and
> disk space, but we can easily remedy that).
> Anyway, the weird thing is they created 2 directories, both of which were
> strangely hidden. You can cd into them but you can't ls them. I
> /usr/lib/ypx and /usr/man/ypx were the two directories that contained both
> the ftp software and the ftp root. When you are in /usr/man and you do an
> ls, you don't see the ypx directory (same when you are in /usr/lib). The
> ls binary we got is right off the redhat cd so it shouldn't still be
> compromised by whatever rootkit was installed.
> My question is this: can the data structures in ext2fs be somehow hacked
> so a directory can't appear in a listing but can be otherwise located for
> a stat or a chdir? I should think no.. maybe we still haven't gotten rid
> of the rootkit...
This isn't really my area of expertice, but have you also recovered the original crond ? Perhaps that was compromized as well, and a replacement of the binaries are crontabbed? Search your system for copies of ls, netstat, ps, whatever. This is just a thought that hit me when I read this.
I wish you all of luck in recovering your system(s)
-- Best regards, Erik - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/