hello list, how can i view 'hidden' directories. i suppose someone found a way to build directories in our common ftp-directory. but root can not easily view them. any hints? thanx, rutger kontakt: | tel.: 06341/9821252 r.frechen | email: r.frechen@gmx.de multimediadesign & | programmierung | ·--/\--· alfred-nobel-platz 1 | / \ 76829 landau | \ / germany | ·--\/--· email: r.frechen@gmx.de ___________________________________________________________ "We go where WE want."
hello list, how can i view 'hidden' directories. i suppose someone found a way to build directories in our common ftp-directory. but root can not easily view them. any hints?
ls -la
What do you mean with hidden? Linux-like operating systems only understand
the semantics of files/directories beginning with a "." character.
Thanks,
Roman.
--
- -
| Roman Drahtmüller
On Fri, Aug 09, 2002 at 02:44:08PM +0200, rutger wrote:
hello list, how can i view 'hidden' directories. i suppose someone found a way to build directories in our common ftp-directory. but root can not easily view them. any hints?
Hidden in what way? The normal way to hide files from ls is using names starting with a dot. Rootkits often use weird names to hide a directory, often involving blank or even backspace characters. One way to see these is to use "ls -ba". However there are also root kits around that come with kernel modules that hide stuff at the kernel level, so that ls etc will never ever be able to display them because they don'T see them. In this case the only way to go is to reboot the machine from a clean medium (install CD or floppy), and the LILO prompt add "root=/dev/hdaXXX single" to the boot command line to force it go to single user mode. In single user mode you can then investigate the directories you suspect have been modified. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann
hello roman, i mean 'hidden' in the sense, that root cannot view them with e.g. ls -la. i found an entry in xferlog pointing to a zipfile in /~___.test/xy.zip but i cannot find it. thanks, rutger
Von: Roman Drahtmueller
Datum: Fri, 9 Aug 2002 14:37:12 +0200 (MEST) An: rutger Cc: suse Betreff: Re: [suse-security] hidden directories hello list, how can i view 'hidden' directories. i suppose someone found a way to build directories in our common ftp-directory. but root can not easily view them. any hints?
ls -la
What do you mean with hidden? Linux-like operating systems only understand the semantics of files/directories beginning with a "." character.
Thanks, Roman. -- - - | Roman Drahtmüller
// "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -
rutger wrote:
i mean 'hidden' in the sense, that root cannot view them with e.g. ls -la. i found an entry in xferlog pointing to a zipfile in /~___.test/xy.zip
^^ this should mean a users directory, no?
but i cannot find it.
Try "ls -laq", as perhaps someone put in control-chars in the dirname. Or try "ls -laR" in the toplevel directory Peter
On Friday 09 August 2002 14.55, Peter Wiersig wrote:
rutger wrote:
i mean 'hidden' in the sense, that root cannot view them with e.g. ls -la. i found an entry in xferlog pointing to a zipfile in /~___.test/xy.zip
^^ this should mean a users directory, no?
No. ~ is only translated if it's the first character. ~foo means /home/foo, /~foo means /~foo. Anders
participants (5)
-
Anders Johansson
-
Olaf Kirch
-
Peter Wiersig
-
Roman Drahtmueller
-
rutger