Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] hidden directories
  • From: Olaf Kirch <okir@xxxxxxx>
  • Date: Fri, 9 Aug 2002 14:39:30 +0200
  • Message-id: <20020809143930.Q18170@xxxxxxx>
On Fri, Aug 09, 2002 at 02:44:08PM +0200, rutger wrote:
> hello list,
> how can i view 'hidden' directories.
> i suppose someone found a way to build
> directories in our common ftp-directory.
> but root can not easily view them.
> any hints?

Hidden in what way? The normal way to hide files from ls
is using names starting with a dot.

Rootkits often use weird names to hide a directory, often involving
blank or even backspace characters.

One way to see these is to use "ls -ba".

However there are also rootkits around that come with kernel modules
that hide stuff at the kernel level, so that ls etc. will never ever be
able to display them because they don't see them. In this case the only
way to go is to reboot the machine from a clean medium (install CD or
floppy), and at the LILO prompt add "root=/dev/hdaXXX single" to the boot
command line to force it to go to single user mode. In single user mode
you can then investigate the directories you suspect have been
modified.

Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@xxxxxxx | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
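
The "ls -ba" check from the reply above, extended to a whole tree, as an added example that is not part of the original mail. It assumes GNU find and GNU ls; the function name `find_odd_names` is made up for this example. Like ls itself, it only sees what the running kernel shows, so on a suspect machine it belongs after the clean-medium boot described in the reply.

```shell
#!/bin/sh
# Added example: list directory entries whose names are easy to miss in plain
# "ls" output, printed with the same C-style escapes that "ls -b" uses.
# Assumes GNU find and GNU ls.

find_odd_names() {
    dir=${1:-.}
    # LC_ALL=C makes [[:cntrl:]] mean the ASCII control characters
    # (backspace, tab, newline, escape, ...) regardless of the user's locale.
    # The four tests flag, in order:
    #   1. a control character anywhere in the name
    #   2. a leading blank
    #   3. a trailing blank
    #   4. a name made only of dots and blanks, such as "..." or ".. "
    # -mindepth 1 keeps the starting directory itself out of the results.
    LC_ALL=C find "$dir" -mindepth 1 \( \
            -name '*[[:cntrl:]]*' \
         -o -name ' *' \
         -o -name '* ' \
         -o ! -name '*[!. ]*' \
        \) -exec ls -bd -- {} +
}

# Run against a directory when one is given on the command line,
# e.g. the ftp upload area.
if [ "$#" -gt 0 ]; then
    find_odd_names "$1"
fi
```

In the output a blank shows up as `\ ` and a backspace as `\b`, so a directory named ".. " is printed as `..\ ` instead of blending in with the parent-directory entry.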
