On Fri, Aug 09, 2002 at 02:44:08PM +0200, rutger wrote:
hello list, how can i view 'hidden' directories. i suppose someone found a way to build directories in our common ftp-directory. but root can not easily view them. any hints?
Hidden in what way? The normal way to hide files from ls is using names starting with a dot. Rootkits often use weird names to hide a directory, often involving blank or even backspace characters. One way to see these is to use "ls -ba". However there are also root kits around that come with kernel modules that hide stuff at the kernel level, so that ls etc will never ever be able to display them because they don'T see them. In this case the only way to go is to reboot the machine from a clean medium (install CD or floppy), and the LILO prompt add "root=/dev/hdaXXX single" to the boot command line to force it go to single user mode. In single user mode you can then investigate the directories you suspect have been modified. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann