[TriLUG] invisible directories...
Paul D. Boyle
boyle at laue.chem.ncsu.edu
Mon Apr 21 16:02:50 EDT 2003
Jeff Painter wrote:
> I'm getting some odd behavior on a linux machine.
>
> I don't think it has been cracked but maybe someone can give me a clue as
> to what is going on if it has been attacked.
The behavior you are describing is very common when a cracker installs
a trojaned version of '/bin/ls'. The program has been modified to not
find certain files or directories. You can detect these files/directories
with other tools which may have not been compromised (e.g. 'find'). You
can also see these directories in the /proc file system sometimes when
the cracker leaves an executable running which uses the hidden directory
as its cwd (current working directory) (see /proc/<PID>/cwd).
The first thing to do is use rpm to verify the checksum of your 'ls'
executable (although I am waiting for the day when 'rpm' itself gets
trojaned). If the checksums don't match, then it is safe to assume your
system has been hacked. You can also copy the /bin/ls from the suspect
machine and transfer to a known safe box and compare the MD5 checksum
for the /bin/ls on the safe machine with the /suspect/ls executable's
checksum.
If this second verification doesn't indicate anything untoward then
who knows ... maybe a really sophisticated hack (like a rogue kernel
module which intercepts system calls which gives compromised output),
or a legitimate filesystem problem.
Good Luck,
Paul
--
Paul D. Boyle | boyle at laue.chem.ncsu.edu
Director, X-ray Structural Facility | phone: (919) 515-7362
Department of Chemistry - Box 8204 | FAX: (919) 515-5079
North Carolina State University | http://www.xray.ncsu.edu
Raleigh, NC, 27695-8204
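The three checks Paul describes (cross-checking 'ls' against 'find', comparing an MD5 against a known-good value, and walking /proc/<PID>/cwd) as a small POSIX shell script. This is an added example, not code from the original thread; the function names, the LS_BIN variable (which lets you point at a trusted copy of ls, e.g. from rescue media) and the rpm wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): detection helpers for the
# "invisible directories" symptom described on the list.

# Entries that 'find' reports in DIR but 'ls' does not.  A trojaned ls that
# suppresses names produces a non-empty result here.  Set LS_BIN to a
# known-good ls binary (e.g. from rescue media) to compare against it instead
# of the system's own.  Names containing newlines are not handled.
hidden_entries() {
    dir=$1
    ls_bin=${LS_BIN:-ls}
    ls_out=$(cd "$dir" && "$ls_bin" -A1)
    (cd "$dir" && find . ! -name . -prune) | sed 's|^\./||' |
    while IFS= read -r name; do
        # print only names the ls listing lacks
        printf '%s\n' "$ls_out" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Compare FILE's MD5 with EXPECTED (the digest taken on a known-safe box).
# Returns 0 on match, 1 on mismatch.  Uses coreutils md5sum.
md5_matches() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Package-manager verification of /bin/ls, as suggested in the post.
# rpm -V exits non-zero when the installed file differs from the package.
# Returns 2 when rpm is not available on this system.
rpm_verify_ls() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    rpm -V "$(rpm -qf /bin/ls)"
}

# List "PID CWD" for every process whose current directory is DIR or
# lies beneath it, by reading /proc/<PID>/cwd.  Prints nothing on systems
# without /proc.
procs_in_dir() {
    dir=$1
    for cwd in /proc/[0-9]*/cwd; do
        target=$(readlink "$cwd" 2>/dev/null) || continue
        case $target in
            "$dir"|"$dir"/*)
                pid=${cwd#/proc/}
                pid=${pid%/cwd}
                printf '%s %s\n' "$pid" "$target"
                ;;
        esac
    done
}

# Stand-alone run: audit a directory given as $1 (default: current directory).
if [ "${0##*/}" = "hidden_dirs_check.sh" ]; then
    target_dir=${1:-.}
    echo "Entries hidden from ls under $target_dir:"
    hidden_entries "$target_dir"
    echo "Processes with cwd under $target_dir:"
    procs_in_dir "$(cd "$target_dir" && pwd -P)"
fi
```

Run it as `LS_BIN=/mnt/rescue/bin/ls sh hidden_dirs_check.sh /` to compare the suspect machine's listings against a trusted ls, and pair `md5_matches` with a digest computed on the safe box rather than on the suspect host. As the post notes, a kernel-level rootkit can lie to 'find' and /proc just as easily as to 'ls', so an empty result only rules out the userland case.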