Re: [suse-security] Hack, creating a directory with whitespace name only
Andy Doran wrote:
I am investigating a Linux box which has been compromised (possibly via the crc32 OpenSSH hack). Searching around for recently added files threw up the directory:
/usr/X11R6/bin/ /ksh - note the space before the /ksh.
ls would not show up this directory (not sure why?), but it contains lots of interesting stuff:
./ /ksh
./ /ksh/exploits
<-- snipped more of these-->
Can anyone tell me how this directory structure was created?
One easy way to do it:
~/tmp1 > ls
1234 blah
~/tmp1 > mkdir ' '
~/tmp1 > ls
1234 blah
# the new directory *is* shown, but the space is not very eye-catching
# that's why it's mostly better to do:
~/tmp1 > ls -la
total 1897
drwxr-xr-x 2 hacker root 1024 Dec 11 21:03  
drwxr-xr-x 4 me users 1024 Dec 11 21:01 .
drwx------ 34 me users 3072 Dec 11 19:07 ..
drwxr-xr-x 2 me users 1024 Aug 17 15:39 1234
-rw-r--r-- 1 me users 11150 Jul 24 16:35 blah
If it isn't shown with ls -la, the directory is hidden in a more sophisticated way .. (that's when it gets interesting)
Hella
On Tuesday, 11. December 2001 21:33, Hella.Breitkopf@varetis.de wrote:
~/tmp1 > ls -la
total 1897
drwxr-xr-x 2 hacker root 1024 Dec 11 21:03  
drwxr-xr-x 4 me users 1024 Dec 11 21:01 .
drwx------ 34 me users 3072 Dec 11 19:07 ..
drwxr-xr-x 2 me users 1024 Aug 17 15:39 1234
-rw-r--r-- 1 me users 11150 Jul 24 16:35 blah
If it isn't shown with ls -la, the directory is hidden in a more sophisticated way .. (that's when it gets interesting)
If I do that in my ~ I'm sure I'll oversee that directory.
ls --help shows '-Q' which puts the listed item in quotes which is nicer. (I hope I remember that for those smb-shares... )
But there are some tricks with control characters like "Carriage-Return" and "line-up" which could(?) overprint the line with the hidden dir with the following line.
Peter
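Added example, not code from the thread: a small POSIX shell script that rebuilds, in a fresh mktemp directory, the two situations discussed above (Hella's directory named with a single space, and the carriage-return-in-a-filename case Peter raises), lists it the way Peter suggests with ls -Q where GNU ls is available (falling back to POSIX ls -q), and then audits the tree for names containing whitespace or control characters so an investigator does not have to spot a lone space by eye. Everything it creates is constructed sample data; the function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a directory named " " and a
# name with an embedded carriage return in a scratch directory, then list and
# audit the names so neither one can hide. All paths are under a fresh mktemp
# directory created here; nothing outside it is touched.

set -u

# Build the constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/1234"
    printf 'blah\n' > "$d/blah"
    mkdir "$d/ "                       # a directory whose name is one space
    cr=$(printf '\r')                  # command substitution keeps the CR byte
    mkdir "$d/normal${cr}dir"          # CR in the name: a raw listing overprints it
    printf '%s\n' "$d"
}

# Listing the way the thread recommends: -a so nothing is skipped, -Q (GNU ls)
# so every name is quoted and " " stands out as "" with a space inside.
# POSIX ls has no -Q; fall back to -q, which turns non-printable bytes into '?'.
show_listing() {
    if ls -Q "$1" >/dev/null 2>&1; then
        ls -laQ "$1"
    else
        ls -laq "$1"
    fi
}

# Audit: print every path under $1 whose basename contains whitespace or a
# control character. cat -v makes control bytes visible (CR shows as ^M), so
# an embedded CR cannot erase the rest of the line on the terminal.
find_suspicious_names() {
    LC_ALL=C find "$1" -mindepth 1 -name '*[[:space:][:cntrl:]]*' -print | cat -v
}

# Same audit as a count, convenient for scripts and for the check below.
count_suspicious_names() {
    n=$(find_suspicious_names "$1" | wc -l)
    echo $((n + 0))                    # strips the padding BSD wc adds
}

main() {
    dir=$(make_sample_tree)
    printf '== ls -la with quoting ==\n'
    show_listing "$dir"
    printf '== names that need a look ==\n'
    find_suspicious_names "$dir"
    printf '%s suspicious name(s)\n' "$(count_suspicious_names "$dir")"
    rm -rf "$dir"
}

main
```

On the sample tree the audit reports exactly two entries: the single-space directory and the one with the carriage return. Pointing find_suspicious_names at a real tree such as /usr/X11R6/bin is the same call; the C locale is forced so [:cntrl:] matches raw bytes rather than whatever the current locale considers printable.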
On Tue, 11 Dec 2001, Peter Wiersig wrote:
ls --help shows '-Q' which puts the listed item in quotes which is nicer. (I hope I remember that for those smb-shares... )
But there are some tricks with control characters like "Carriage-Return" and "line-up" which could(?) overprint the line with the hidden dir with the following line.
On the one hand, I sort of like that the system doesn't break with this kind of stuff in its directory structures: But on the other, is there any legitimate thing that would break if filenames were restricted to printing characters only? I don't like spaces in filenames because it causes misparses in command lines to be possible. The fact that spaces are normally avoided in filenames is one of the things I think is Right about unix that's not right with Windows and Macs.
Ray