Anyway, the weird thing is they created 2 directories, both of which were
strangely hidden. You can cd into them but you can't ls them. I
/usr/lib/ypx and /usr/man/ypx were the two directories that contained both
the ftp software and the ftp root. When you are in /usr/man and you do an
ls, you don't see the ypx directory (same when you are in /usr/lib). The
ls binary we got is right off the redhat cd so it shouldn't still be
compromised by whatever rootkit was installed.
My question is this: can the data structures in ext2fs be somehow hacked
so a directory can't appear in a listing but can be otherwise located for
a stat or a chdir? I should think no.. maybe we still haven't gotten rid
of the rootkit...
-Calin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
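The check Calin is describing can be scripted as a cross-view test: ask the kernel to resolve a name by lookup (stat or chdir) and separately ask for the parent's listing (readdir), then flag names that succeed on the first path but never appear on the second. On a clean ext2 filesystem that cannot happen, because lookup and readdir walk the same on-disk directory blocks, so a mismatch points at a hooked readdir/getdents (kernel module) or a trojaned libc/ls rather than at the filesystem. The following is an added example, not code from the original post or from the kernel; the `hooked_listdir` stand-in, the candidate names and the temporary directory tree are constructed for the demo.

```python
import os
import tempfile
from typing import Callable, Iterable, List, Tuple


def find_hidden_entries(parent: str, candidates: Iterable[str],
                        listdir: Callable[[str], List[str]] = os.listdir) -> List[str]:
    """Return candidate names that resolve via lookup but are missing from readdir output.

    lookup (stat/chdir) and readdir (ls) are two different kernel code paths; on
    an unmodified ext2 both read the same directory blocks, so any name that
    stats fine yet is absent from the listing means one of the two views is
    being filtered somewhere between the disk and this process.
    """
    listed = set(listdir(parent))      # the "ls" view of the directory
    hidden: List[str] = []
    for name in candidates:
        path = os.path.join(parent, name)
        try:
            os.stat(path)              # the "lookup" view: no readdir involved
        except (FileNotFoundError, NotADirectoryError):
            continue                   # genuinely absent, nothing suspicious
        if name not in listed:
            hidden.append(name)
    return hidden


def hooked_listdir(path: str, hide: Tuple[str, ...] = ("ypx",)) -> List[str]:
    """Constructed stand-in for a readdir hook that drops chosen names from listings."""
    return [n for n in os.listdir(path) if n not in hide]


def demo() -> Tuple[List[str], List[str]]:
    """Run the check on a constructed tree, once clean and once through the hook."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "ypx"))    # the directory name from the post
        os.mkdir(os.path.join(root, "man1"))
        candidates = ["ypx", "man1", "nothere"]
        clean = find_hidden_entries(root, candidates)
        hooked = find_hidden_entries(root, candidates, listdir=hooked_listdir)
        return clean, hooked


if __name__ == "__main__":
    # On a suspect box you would instead call, for example,
    # find_hidden_entries("/usr/lib", ["ypx"]) with the real os.listdir.
    print(demo())   # ([], ['ypx'])
```

The interesting part is the third candidate, "nothere": a name that fails lookup is ignored, so the check only reports names the kernel can resolve but refuses to list, which is exactly the symptom in the post. Running it with the stock `ls` replaced and the result still showing the directory as hidden narrows the problem to the kernel (or a library every binary links against), which is the conclusion the question is circling.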