Mailinglist Archive: opensuse-security (465 mails)

[suse-security] Hack, creating a directory with whitespace name only
  • From: "Andy Doran - Fasthosts Internet Ltd." <andy.doran@xxxxxxxxxxxxxxx>
  • Date: Tue, 11 Dec 2001 19:59:20 -0000
  • Message-id: <NEBBIDMIHKFMOHJAKPNGOEKKDBAA.andy.doran@xxxxxxxxxxxxxxx>
Dear All,

I am investigating a Linux box which has been compromised (possibly via the
crc32 OpenSSH hack). Searching around for recently added files threw up the
directory:

/usr/X11R6/bin/ /ksh - note the space before the /ksh.

ls would not show up this directory (not sure why?), but it contains
lots of interesting stuff:

./ /ksh
./ /ksh/exploits
./ /ksh/exploits/solx86_bind
./ /ksh/exploits/tsl_bind
./ /ksh/exploits/linx86_bind
./ /ksh/exploits/rdc-lprng
./ /ksh/exploits/rpc.statdx
./ /ksh/exploits/rpc.cmsd
./ /ksh/exploits/teso-nxt
./ /ksh/exploits/wuftpd-2.6-teso
./ /ksh/exploits/seclpd
./ /ksh/exploits/ptrace24
./ /ksh/exploits/e2p
./ /ksh/exploits/samba.sh
./ /ksh/exploits/x2
./ /ksh/exploits/x2_crk
./ /ksh/dsniff/webspy
./ /ksh/dsniff/tcpnice
./ /ksh/dsniff/urlsnarf
./ /ksh/dsniff/libssl.a
./ /ksh/dsniff/libcrypto.a


Can anyone tell me how this directory structure was created? Is it related
to a known hack?

Thanks in advance.
Andy.
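
An added example, not part of the original post: a shell check for the kind of name described above. A name made only of whitespace, such as the `/usr/X11R6/bin/ ` directory, or a name padded with leading or trailing whitespace, is easy to overlook in a plain listing. The function name `scan_tree` and the output format are assumptions of this example.

```shell
#!/bin/sh
# scan_tree ROOT
# Walk ROOT (staying on one filesystem) and report entries whose names are
# easy to overlook in a plain directory listing:
#   blank   the name consists only of whitespace, e.g. " "
#   padded  the name starts or ends with whitespace, e.g. ".. "
# Each path is printed inside [brackets] so the whitespace is visible.
# Names with interior spaces only ("my docs") are not reported.
scan_tree() {
    # Names that contain no non-whitespace character at all.
    find "$1" -xdev -mindepth 1 \
        ! -name '*[![:space:]]*' \
        -exec printf 'blank   [%s]\n' {} \;

    # Names with real characters plus leading or trailing whitespace.
    find "$1" -xdev -mindepth 1 \
        -name '*[![:space:]]*' \
        \( -name '[[:space:]]*' -o -name '*[[:space:]]' \) \
        -exec printf 'padded  [%s]\n' {} \;
}

# When run as a script, scan the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

On a system under investigation, run it from trusted media against the mounted filesystem, since binaries on a compromised host may have been replaced. With GNU `ls`, the `-b` and `-Q` options also make such names visible.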

