Re: Question about 'Hidden' Directories in ext2

Andreas Dilger (adilger@clusterfs.com)
Tue, 2 Apr 2002 15:42:54 -0700

On Apr 02, 2002 17:16 -0500, Calin A. Culianu wrote:
> Ok, so some hackers broke into one of our boxes and set up an ftp site.
> They monopolized over 70gb of hard drive space with warez and porn. We
> aren't really that upset about it, since we thought it was kind of funny.
> (Of course we don't like the idea that they are using out bandwidth and
> disk space, but we can easily remedy that).
>
> Anyway, the weird thing is they created 2 directories, both of which were
> strangely hidden. You can cd into them but you can't ls them. I
>
> /usr/lib/ypx and /usr/man/ypx were the two directories that contained both
> the ftp software and the ftp root. When you are in /usr/man and you do an
> ls, you don't see the ypx directory (same when you are in /usr/lib). The
> ls binary we got is right off the redhat cd so it shouldn't still be
> compromised by whatever rootkit was installed.
>
> My question is this: can the data structures in ext2fs be somehow hacked
> so a directory can't appear in a listing but can be otherwise located for
> a stat or a chdir? I should think no.. maybe we still haven't gotten rid
> of the rootkit...

It could be that glibc is hacked also, unless you have a
statically-linked ls command. Try booting directly from the CD.

Yes, it is possible to hack ext2 to not show directories named "ypx" (or
whatever you want). Non-trivial, but doable. I had read somewhere that
"modern" linux rootkits load kernel modules, so that they intercept
kernel syscalls, like "sys_getdents()" or "sys_getdents64()" to not show
that you have been hacked.

Really, once you are compromized like this, you are better off to back
up your data and reinstall your OS (taking care that no suid binaries
exist in user home directories and such, there shouldn't normally be
any).

You should also take care that you download the latest RPM updates, and
have them available to machine before it is connected to the net again.
I have heard of machines being compromized within minutes of being
installed, before they update to secure RPMs, just because the number
of crack attempts is so high.

Cheers, Andreas

--
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
                 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/               -- Dogbert


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/