[lug] Weird directory in users home dir
Justin
glow at jackmoves.com
Tue Jun 19 13:07:30 MDT 2001
Well I figured it out thanks to your help. Really weird stuff though.
Anyways, I'll paste a little to show what it looked like:
[root at oldschool long]# ls
/ README.jackmoves@ ftp@ mail/ #just showing the weird / dir
[root at oldschool long]# cd " "/ #I was able to type cd "(space)(space) (tab) - and it tabbed out to what you see on that line
[root at oldschool ]# pwd
/home/long/
[root at oldschool ]# ls
c.tgz cnt/
[root at oldschool ]# ls -la #looks like they were just hiding an irc bot
total 612
drwxr--r-- 3 556 users 4096 Jun 16 19:28 ./
drwx------ 4 556 users 4096 Jun 17 05:27 ../
-rw-r--r-- 1 556 users 607615 Jun 16 19:28 c.tgz
drwx------ 5 556 users 4096 Jun 18 15:14 cnt/
[root at oldschool ]# pwd
/home/long/ #when I highlighted this, the two spaces were visible
[root at oldschool ]# cd ..
[root at oldschool long]# pwd
/home/long #no spaces here though
[root at oldschool long]# ls
/ README.jackmoves@ ftp@ mail/
[root at oldschool long]# mv " "/ temp
[root at oldschool long]# ls
README.jackmoves@ ftp@ mail/ temp/
[root at oldschool long]# cd temp/ #the dir is now easily visible
[root at oldschool temp]# ls
c.tgz cnt/
[root at oldschool temp]# ls -la
total 612
drwxr--r-- 3 556 users 4096 Jun 16 19:28 ./
drwx------ 4 556 users 4096 Jun 19 13:03 ../
-rw-r--r-- 1 556 users 607615 Jun 16 19:28 c.tgz
drwx------ 5 556 users 4096 Jun 18 15:14 cnt/
[root at oldschool temp]# pwd
/home/long/temp
Well, that was about it. Looks like a nifty little way to disguise a
directory that I didn't know about.
Justin
> You can issue the command "find ." from the user's directory to see what is
> in this sub directory, and others. If you need to remove it or cwd to it,
> try using a quote with leading spaces, then press tab, which should complete
> the path, otherwise something like this:
>
> cd " /"<enter>
>
> rm -rf " /"<enter>
>
> Looks like there are two spaces or so leading up to it.
> -brad
>
>
> > I ran across this oddity while searching for a suspected cracker on my
> > shell server. The user's home directory has a directory / in it which if
> > cd'd to will go to the root directory. It is not a link or anything,
> > but it looks like it might have a space or two in front of it. I'm
> > afraid to delete this directory or the user's account directory in case
> > it has been booby trapped somehow. Any ideas?
> > ------------------------
> > [root at oldschool long]# pwd
> > /home/long
> >
> > [root at oldschool long]# ls
> > / README.jackmoves@ ftp@ mail/ #you can see the / dir here
> >
> > [root at oldschool long]# ls -l
> > total 8
> > drwxr--r-- 3 556 users 4096 Jun 16 19:28 / #again
> > lrwxrwxrwx 1 556 users 28 May 15 14:36 README.jackmoves -> /home/httpd/README.jackmoves
> > lrwxrwxrwx 1 556 users 13 May 15 14:36 ftp -> /home/ftp/pub/
> > drwx------ 2 556 users 4096 May 15 14:36 mail/
> >
> > [root at oldschool long]# ls -a
> > / ../ .bash_profile .screenrc ftp@
> > ./ .bash_logout .bashrc README.jackmoves@ mail/
> >
> > [root at oldschool long]# cd #i typed cd (tab) to list my dir options
> > .bash_profile .screenrc ftp
> > .bash_logout .bashrc README.jackmoves mail
> > #weird thing above is that the dir showed as just spaces???
> >
> > Could they have just touched this file named / and made it appear like
> > something bad? Thanks for any ideas...
> >
> > Justin
> >
> >
> > -----
> > glow at jackmoves.com
> > www.jackmoves.com
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
-----
glow at jackmoves.com
www.jackmoves.com
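
An added example, not part of the original thread: a small scanner that reports directory entries like the two-space directory found above, and more generally any name that is whitespace-only, has leading or trailing whitespace, or contains non-printable characters. The function names (`classify`, `scan`, `build_sample_tree`) and the sample tree are constructed for illustration.

```python
import os
import tempfile

def classify(name):
    """Return reasons a directory entry name is easy to miss in plain `ls` output."""
    reasons = []
    if name.strip() == "":
        reasons.append("whitespace-only")
    elif name != name.strip():
        reasons.append("leading/trailing whitespace")
    # str.isprintable() is False for control characters, tabs, newlines,
    # non-ASCII spaces and undecodable bytes (surrogate escapes).
    if any(not ch.isprintable() for ch in name):
        reasons.append("non-printable character")
    return reasons

def scan(root):
    """Walk root without following symlinks; return (path, owner uid, reasons) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = classify(name)
            if reasons:
                full = os.path.join(dirpath, name)
                findings.append((full, os.lstat(full).st_uid, reasons))
    return findings

def build_sample_tree(base):
    """Constructed sample modelled on the listing in the thread (empty files only)."""
    home = os.path.join(base, "home", "long")
    os.makedirs(os.path.join(home, "  ", "cnt"))  # the two-space directory
    os.makedirs(os.path.join(home, "mail"))
    for rel in (os.path.join("  ", "c.tgz"), ".bashrc"):
        open(os.path.join(home, rel), "w").close()
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, uid, reasons in scan(build_sample_tree(tmp)):
            # repr() quotes the path so the spaces are visible
            print(f"{path!r}  uid={uid}  {', '.join(reasons)}")
```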