Re: Question about 'Hidden' Directories in ext2

Erik Ljungström (insight@metalab.unc.edu)
Wed, 3 Apr 2002 01:48:28 +0200


On Tue, 2 Apr 2002 17:16:42 -0500 (EST)
"Calin A. Culianu" <calin@ajvar.org> wrote:

>
> Ok, so some hackers broke into one of our boxes and set up an ftp site.
> They monopolized over 70gb of hard drive space with warez and porn. We
> aren't really that upset about it, since we thought it was kind of funny.
> (Of course we don't like the idea that they are using out bandwidth and
> disk space, but we can easily remedy that).
>
> Anyway, the weird thing is they created 2 directories, both of which were
> strangely hidden. You can cd into them but you can't ls them. I
>
> /usr/lib/ypx and /usr/man/ypx were the two directories that contained both
> the ftp software and the ftp root. When you are in /usr/man and you do an
> ls, you don't see the ypx directory (same when you are in /usr/lib). The
> ls binary we got is right off the redhat cd so it shouldn't still be
> compromised by whatever rootkit was installed.
>
> My question is this: can the data structures in ext2fs be somehow hacked
> so a directory can't appear in a listing but can be otherwise located for
> a stat or a chdir? I should think no.. maybe we still haven't gotten rid
> of the rootkit...
>
> -Calin
>
>
> -

This isn't really my area of expertice, but have you also recovered the original crond ? Perhaps that was compromized as well, and a replacement of the binaries are crontabbed? Search your system for copies of ls, netstat, ps, whatever. This is just a thought that hit me when I read this.

I wish you all of luck in recovering your system(s)

--
Best regards, Erik
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/