[TriLUG] invisible directories...

Jeffery Painter painter at kiasoft.com
Mon Apr 21 15:25:13 EDT 2003


I'm getting some odd behavior on a Linux machine.

I don't think it has been cracked but maybe someone can give me a clue as 
to what is going on if it has been attacked.

installation is RedHat 8.0 psyche with all known errata patches applied 
(as far as I know)

the problem is with a samba share that was in /export/home/backups

samba-common-2.2.7-5.8.0
samba-2.2.7-5.8.0
samba-client-2.2.7-5.8.0

These are the latest packages according to RH errata page

well, anyway.. the directory is still intact, but invisible to any 
attempt at doing a directory listing

[painter at ipdev home]$ pwd
/export/home
[painter at ipdev home]$ ls -al
total 21
drwxrwxrwt    4 painter  painter      4096 Apr 21 15:16 .
drwxr-xr-x    3 root     root         1024 Apr 21 15:17 ..
drwx------    2 painter  painter     16384 Jan 28 19:25 lost+found
[painter at ipdev home]$ mv backups tmp1
[painter at ipdev home]$ ls -la
total 25
drwxrwxrwt    4 painter  painter      4096 Apr 21 15:23 .
drwxr-xr-x    3 root     root         1024 Apr 21 15:17 ..
drwx------    2 painter  painter     16384 Jan 28 19:25 lost+found
drwxr-xr-x    7 painter  painter      4096 Apr 21 15:23 tmp1
[painter at ipdev home]$

Now anywhere I create a directory called backup or backups, it becomes 
invisible when doing a directory listing...

[painter at ipdev home]$ mkdir back
[painter at ipdev home]$ mkdir backu
[painter at ipdev home]$ mkdir backup
[painter at ipdev home]$ mkdir backups
[painter at ipdev home]$ ls -l
total 28
drwxrwxr-x    2 painter  painter      4096 Apr 21 15:24 back
drwxrwxr-x    2 painter  painter      4096 Apr 21 15:24 backu
drwx------    2 painter  painter     16384 Jan 28 19:25 lost+found
drwxr-xr-x    7 painter  painter      4096 Apr 21 15:23 tmp1


very odd indeed... I am running portsentry and have not shown any attacks 
so I'm guessing there is a problem with my filesystem or someone is really 
good at confusing me :)

and I am the only person with a login to this host.

I shut down samba before running all of these tests.. no help there.
I am not sharing via nfs either.

any ideas??

Jeff Painter
painter at kiasoft.com
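
The two `ls -al` listings in the message can be checked against each other, as an added example that is not part of the original post. It assumes an ext2/ext3-style filesystem (the post does not name one), where a directory's link count is 2 plus its number of subdirectories; `missing_subdirs` and `unlisted_names` are hypothetical helper names.

```python
import os

# Listings copied from the post above, shell prompt lines removed.
LISTING_BEFORE_MV = """\
total 21
drwxrwxrwt    4 painter  painter      4096 Apr 21 15:16 .
drwxr-xr-x    3 root     root         1024 Apr 21 15:17 ..
drwx------    2 painter  painter     16384 Jan 28 19:25 lost+found
"""
LISTING_AFTER_MV = """\
total 25
drwxrwxrwt    4 painter  painter      4096 Apr 21 15:23 .
drwxr-xr-x    3 root     root         1024 Apr 21 15:17 ..
drwx------    2 painter  painter     16384 Jan 28 19:25 lost+found
drwxr-xr-x    7 painter  painter      4096 Apr 21 15:23 tmp1
"""

def missing_subdirs(ls_al_output):
    """Link count of '.' minus 2 minus the subdirectories listed.

    Assumes the ext2/ext3 convention: directory link count = 2 + subdirs.
    A positive result means subdirectories exist that the listing omitted.
    """
    dot_links, listed = None, 0
    for line in ls_al_output.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[0].startswith("d"):
            continue  # skip "total N" and non-directory entries
        if fields[8] == ".":
            dot_links = int(fields[1])
        elif fields[8] != "..":
            listed += 1
    if dot_links is None:
        raise ValueError("no '.' entry; the listing must come from ls -al")
    return dot_links - 2 - listed

def unlisted_names(directory, candidates):
    """Candidate names that lstat() finds but readdir() does not return."""
    listed = set(os.listdir(directory))
    found = []
    for name in candidates:
        try:
            os.lstat(os.path.join(directory, name))
        except FileNotFoundError:
            continue
        if name not in listed:
            found.append(name)
    return found
```

On the first listing the function returns 1 and on the second 0, which matches `backups` being present but unlisted and then visible once renamed to `tmp1`. `unlisted_names("/export/home", ["backup", "backups"])` repeats the same probe on a live directory.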






