Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Hack, creating a directory with whitespace name only
  • From: Hella.Breitkopf@xxxxxxxxxx
  • Date: Tue, 11 Dec 2001 21:33:36 +0100
  • Message-id: <OF092DB817.01EF5568-ONC1256B1F.006F5DF2@xxxxxxxxxx>

Andy Doran wrote:
>I am investigating a Linux box which has been compromised (possibly via the
>crc32 OpenSSH hack). Searching around for recently added files threw up the
>directory:
>
>/usr/X11R6/bin/ /ksh - note the space before the /ksh.
>
>ls would not show up this directory (not sure why?), but it contains
>lots of interesting stuff:
>
>./ /ksh
>./ /ksh/exploits
<-- snipped more of these-->
>Can anyone tell me how this directory structure was created?

One easy way to do it:

~/tmp1 > ls

1234 blah

~/tmp1 > mkdir ' '

~/tmp1 > ls
1234 blah

# the new directory *is* shown, but the space is not very eye-catching

# that's why it's mostly better to do:

~/tmp1 > ls -la
total 1897
drwxr-xr-x 2 hacker root 1024 Dec 11 21:03
drwxr-xr-x 4 me users 1024 Dec 11 21:01 .
drwx------ 34 me users 3072 Dec 11 19:07 ..
drwxr-xr-x 2 me users 1024 Aug 17 15:39 1234
-rw-r--r-- 1 me users 11150 Jul 24 16:35 blah


If it isn't shown with ls -la, the directory is hidden
in a more sophisticated way .. (that's when it gets interesting)


Hella
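
Added example, not part of the original message: a shell helper for the investigator's side of this thread. It lists entries whose names start or end with whitespace (which covers a whitespace-only name such as ' ') or contain control characters, and prints each path in brackets so the blank is visible. The names find_odd_names and demo are hypothetical, and the scratch directory layout is constructed from the paths quoted above.

```shell
#!/bin/sh
# Added example; find_odd_names is a hypothetical helper, not an existing tool.
# Reports entries whose names start or end with whitespace (this includes
# whitespace-only names such as ' ') or contain control characters.

find_odd_names() {
    root=${1:-.}
    # LC_ALL=C: match bytes, independent of the user's locale.
    LC_ALL=C find "$root" \( \
            -name '[[:space:]]*' -o \
            -name '*[[:space:]]' -o \
            -name '*[[:cntrl:]]*' \
        \) -exec sh -c '
            for p do
                # Control bytes become "?" so a hostile name cannot drive the
                # terminal; brackets make leading/trailing blanks visible.
                safe=$(printf "%s" "$p" | LC_ALL=C tr "[:cntrl:]" "[?*]")
                printf "[%s]\n" "$safe"
            done' sh {} +
}

# Constructed demo: rebuild the layout from the thread in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ /ksh/exploits" "$d/1234"
    : > "$d/blah"
    find_odd_names "$d"      # prints one line: [<scratch dir>/ ]
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a live system the helper takes the directory to scan as its argument, for example find_odd_names /usr/X11R6/bin.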

