From: Fergal Daly (fergal at domain esatclear.ie)
Date: Thu 18 Oct 2001 - 11:24:43 IST
It looks like a file that someone has been trying to hide. The fact that
it's in a non-user-writable directory means it was put there by something
running as root, so I'd imagine you've been compromised at some stage.

You should be able to pass the file into other programs on the command line
with the help of tab completion. Try ls ..\ followed by a space and a tab;
hopefully the completion will figure out the other characters for you.

If you have been cracked, it's almost impossible to clean it up for sure
except by just reinstalling the whole OS.

Fergal

On Thu, Oct 18, 2001 at 02:31:55AM -0700, Chris Boyd wrote:
> I was looking for rootkits and came across something
> strange. Using RH 7.1
>
> find / -name ".*" -print -xdev:
>
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Image/Magick/.packlist
> /lib/..
> /root/.Xresources
>
> then did a ls -la /lib:
>
> total 8612
> drwxr-xr-x  7 root root 4096 Sep 16 00:04 .
> drwxr-xr-x 20 root root 4096 Oct 18 01:09 ..
> -rw-r--r--  1 root root   27 Sep 16 00:04 .. ???
> lrwxrwxrwx  1 root root   14 Jul 10 05:01 cpp -> ../usr/bin/cpp
> drwxr-xr-x  2 root root 4096 Jul 10 04:56 i686
> drwxr-xr-x  2 root root 4096 Jul 10 04:59 iptables
> drwxr-xr-x  7 root root 4096 Jul 10 04:57 kbd
>
>
> then did cd /lib/ and then pressed TAB:
>
> [root at domain leviathan /]# cd /lib/
> .. ^H^H^H    libmemusage.so           libpam.so.0
> cpp          libnsl-2.2.2.so          libpam.so.0.74
> i686         libnsl.so.1              libpam_misc.a
> iptables     libnss1_compat-2.2.2.so  libpam_misc.so
> kbd          libnss1_compat.so.1      libpam_misc.so.0
> ld-2.2.2.so  libnss1_dns-2.2.2.so     libpam_misc.so.0.74
>
> then ls -la /lib |grep ^H*
>
> [root at domain leviathan /]# ls -la /lib/ |grep ^H*
> total 8612
> drwxr-xr-x  7 root root   4096 Sep 16 00:04 .
> drwxr-xr-x 20 root root   4096 Oct 18 01:09 ..
> -rw-r--r--  1 root root     27 Sep 16 00:04 ..
> lrwxrwxrwx  1 root root     14 Jul 10 05:01 cpp -> ../usr/bin/cpp
> drwxr-xr-x  2 root root   4096 Jul 10 04:56 i686
> drwxr-xr-x  2 root root   4096 Jul 10 04:59 iptables
> drwxr-xr-x  7 root root   4096 Jul 10 04:57 kbd
> -rwxr-xr-x  1 root root 471781 Apr  6 2001 ld-2.2.2.so
>
> Can't figure out what that's all about. It looks like a
> dodgy directory but doesn't say that it's a dir or a
> file.
> Anyone know?
>
> Thanks
>
> C
>
> =====
> "They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759.
>
> Chris Boyd
>
> Home: 353 1 671 9858
> Cell: 353 87 955 9519
--
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:12:48 GMT
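
Added example, not part of the original thread: a Python scanner that reads directory entries as raw bytes and reports names disguised the way the /lib entry above is, printing them with every byte escaped so the terminal cannot hide them. The exact name bytes (".. " plus three backspaces, taken from the ^H^H^H in the completion output) and the function names are assumptions for the constructed sample.

```python
import os
import stat
import sys
import tempfile

def suspicious_reason(name: bytes):
    """Return why a raw directory-entry name looks disguised, or None."""
    if any(b < 0x20 or b == 0x7F for b in name):
        return "control character in name"
    if name != name.strip():
        return "leading or trailing whitespace"
    if not name.strip(b". "):  # e.g. "..." or ". .", which mimic "." and ".."
        return "only dots and spaces"
    return None

def scan(root: bytes):
    """Walk root without leaving its filesystem; return (path, reason, mode, size)."""
    findings, stack = [], [root]
    root_dev = os.lstat(root).st_dev
    while stack:
        try:
            entries = list(os.scandir(stack.pop()))  # bytes in, bytes names out
        except OSError:
            continue
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue
            reason = suspicious_reason(entry.name)
            if reason:  # repr() escapes every non-printable byte in the path
                findings.append((repr(entry.path), reason, stat.filemode(st.st_mode), st.st_size))
            if stat.S_ISDIR(st.st_mode) and st.st_dev == root_dev:
                stack.append(entry.path)
    return findings

def demo():
    """Constructed sample: a 27-byte file named '.. ' + 3 backspaces beside a normal one."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(os.fsencode(tmp), b"lib")
        os.mkdir(lib)
        for name in (b".. \x08\x08\x08", b"libpam.so.0"):
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(b"x" * 27)
        return scan(lib)

if __name__ == "__main__":
    rows = scan(os.fsencode(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for row in rows:
        print(*row)
```

Run it with a directory argument to scan a real tree; with no argument it runs against the constructed sample only.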