Andy Doran wrote:

I am investigating a Linux box which has been compromised (possibly via
crc32 OpenSSH hack). Searching around for recently added files threw up
the directory:

/usr/X11R6/bin/ /ksh - note the space before the /ksh.

ls would not show up this directory (not sure why?), but it contains lots of interesting stuff:

./ /ksh
./ /ksh/exploits
<-- snipped more of these-->

Can anyone tell me how this directory structure was created?

One easy way to do it:

~/tmp1 > ls
1234 blah
~/tmp1 > mkdir ' '
~/tmp1 > ls
1234 blah
# the new directory *is* shown, but the space is not very eye-catching
# that's why it's mostly better to do:
~/tmp1 > ls -la
total 1897
drwxr-xr-x 2 hacker root 1024 Dec 11 21:03
drwxr-xr-x 4 me users 1024 Dec 11 21:01 .
drwx------ 34 me users 3072 Dec 11 19:07 ..
drwxr-xr-x 2 me users 1024 Aug 17 15:39 1234
-rw-r--r-- 1 me users 11150 Jul 24 16:35 blah

If it isn't shown with ls -la, the directory is hidden in a more sophisticated way .. (that's when it gets interesting)

Hella
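
A check for the naming trick discussed in this thread, as an added example that is not part of either post: it goes beyond the single-space case and lists every entry whose name starts or ends with whitespace or contains a control character. The function names find_odd_names and make_sample_tree are hypothetical, and the sample tree is constructed to mirror the layout described above.

```shell
#!/bin/sh
# Added example (not from the thread): flag names that plain `ls` makes easy to miss.

# Print every entry under $1 whose name starts or ends with whitespace,
# or contains a control character. The [ ] brackets mark where each path
# begins and ends; `cat -v` renders most control bytes in ^X notation.
find_odd_names() {
    LC_ALL=C find "$1" \( \
        -name '[[:space:]]*' -o \
        -name '*[[:space:]]' -o \
        -name '*[[:cntrl:]]*' \
    \) -exec sh -c 'for p do printf "[%s]\n" "$p"; done' sh {} + | cat -v
}

# Constructed sample tree: a directory named ' ' holding ksh/exploits,
# next to ordinary entries and one name with a trailing space.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin/ /ksh/exploits" "$t/bin/1234" "$t/bin/trailing "
    : > "$t/bin/blah"
    printf '%s\n' "$t"
}

# With an argument: scan that directory. Without: demo on the sample tree.
if [ "$#" -gt 0 ]; then
    find_odd_names "$1"
else
    tree=$(make_sample_tree) || exit 1
    find_odd_names "$tree"
    rm -rf "$tree"
fi
```

Like ls -la, this relies on what the running system reports, so it only covers the simple naming case and not the "more sophisticated" hiding mentioned in the reply.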