 Browsing Hidden Directories, how??
Hi,

When running find / -nouser -o -nogroup , I get some directories
listed as:

/usr/local/etc/.. /a
/usr/local/etc/.. /a/awu
/usr/local/etc/.. /a/wu
/usr/local/etc/.. /a/auto

If I cd into /usr/local/etc, I end up in /etc; doing an ls -al on
/usr/local/ does not show /usr/local/etc to be linked to /etc.

In a nutshell, I want to see what our friend has stored in those
directories. How can I cd into them or browse the contents and files using
ls or vi?

I tried many variations of cd and ls using single and double quotes,
but it did not work. Please help...

Wilmer



 Mon, 06 Dec 2004 23:28:29 GMT   
news:be795ba7.0206200728.840d6f0@posting.google.com...

cd /usr/local/etc/..\ /a




 Mon, 06 Dec 2004 23:53:40 GMT   

Might be better off running the above through a `cat -v' first to expose
any dodgy control-characters hiding therein.

Also, TAB-completion can be your friend. :)

~Tim
--
Move a mountain / Fill the ground           |pig...@stirfried.vegetable.org.uk
Take death on wheels / Re-create the land   |http://spodzone.org.uk/



 Tue, 07 Dec 2004 00:13:35 GMT   
< Tim Haynes

It looks to me like your friend installed wu-ftpd auto rooter(?).

ls -al | cat -v
ls -al | sed -n l       # My favorite one
ls -al | xxd            # My 2nd favorite
ls -al | od -x
ls -al | od -c

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
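The pipelines above show odd bytes once you already know where to look. As an added example (not from any poster in this thread), the script below walks a tree with find -print0 and flags every entry whose name a plain ls would render misleadingly: control characters or high-bit bytes, leading or trailing whitespace, or a name posing as ".." with extra characters like the ".. " directory reported at the top of the thread. Flagged paths are printed in brackets and run through cat -v so the bytes become visible; the sample tree it scans is constructed here for demonstration.

```bash
#!/bin/bash
# Added example, not from the thread. Flags directory/file names that hide
# well in `ls` output: control or high-bit bytes, leading/trailing whitespace,
# or ".." followed by extra characters (the thread's ".. " directory).

# scan_suspicious_names ROOT: print one "[path]" line (via cat -v) per
# suspicious entry below ROOT, so trailing spaces and ^H etc. are visible.
scan_suspicious_names() {
    root=$1
    tab=$(printf '\t')
    nl='
'
    # -print0 keeps names with spaces or newlines intact; read -d '' splits on NUL.
    find "$root" -mindepth 1 -print0 | while IFS= read -r -d '' path; do
        name=${path##*/}
        flag=0
        case $name in
            ' '*|*' '|"$tab"*|*"$tab"|*"$nl"*|..?*) flag=1 ;;
        esac
        # Any byte outside printable ASCII 0x20-0x7e (control chars, lookalikes).
        if printf '%s' "$name" | LC_ALL=C grep -q '[^ -~]'; then
            flag=1
        fi
        if [ "$flag" -eq 1 ]; then
            printf '[%s]\n' "$path" | cat -v
        fi
    done
}

# count_suspicious_names ROOT: number of flagged entries below ROOT.
count_suspicious_names() {
    scan_suspicious_names "$1" | grep -c .
}

# make_sample_tree DIR: constructed sample data mimicking the thread's
# "/usr/local/etc/.. /a" hideout, plus a name with an embedded backspace.
make_sample_tree() {
    mkdir -p "$1/.. /a/wu" "$1/$(printf 'conf\bdir')" "$1/normal/bin"
    : > "$1/.. /a/awu"
}

# Demo: ./scan.sh --demo builds the sample tree and lists the two odd names.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    scan_suspicious_names "$demo"
    rm -rf "$demo"
fi
```

Only the basename is tested, so the hidden directory itself is reported and its children are left for you to list once you know the exact bytes of the name.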



 Tue, 07 Dec 2004 01:58:41 GMT   

Suspicious, somebody is trying to hide something. You have
probably been cracked.

If /usr/local/etc had been a link to /etc, find should not
have followed the link. And it should have been able to
find '.. ' in /etc as well. Probably it is not a link but
really a directory. But how come cd will then take you to
/etc? I can only imagine that would happen if the shell
had been trojaned.

The only reliable way is the following:
1) Unplug the network
2) Turn off the system
3) Boot the system from a rescue disk
4) fsck your filesystems
5) Mount your filesystems and see what is really there.

You don't know which of your executables has been trojaned,
so none of them can be trusted.

If you have a sash that has not been trojaned, it will be
a good tool.

--
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:razor-rep...@daimi.au.dk



 Tue, 07 Dec 2004 02:49:20 GMT   
On Thu, 20 Jun 2002 15:28:29 UTC, wnpe...@yahoo.com

+ Hi,
+
+ When running find / -nouser -o -nogroup , I get some directories
+ listed as:
+
+ /usr/local/etc/.. /a
+ /usr/local/etc/.. /a/awu
+ /usr/local/etc/.. /a/wu
+ /usr/local/etc/.. /a/auto
+
+ if I cd into /usr/local/etc, I end up in /etc, doing an ls -al on
+ /usr/local/ does not show /usr/local/etc to be linked to /etc.
+ [...]

Your Linux, UNIX, etc. box has been cracked. What now?

 1. Disconnect the infected system NOW! Don't wait.

 2. Get *all* patches for your OS version a.s.a.p. (Now! Today!)

 3. Save the patches to another system / drive / CDR / etc.

 4. BACKUP ANY DATA YOU NEED TO KEEP.

    4a. (Suggested by Pep <PepMozi...@netscape.net> 12-21-2001)
        Do not include any binary programs in your backup as these
        may have been compromised.  You should re-install binary
        programs and libraries from their original medium.

 5. Wipe the OS partition / drive clean.
    (You are unlikely to be able to clean up a compromised system by
    hand. So, grit your teeth and reformat that sucker.)

    5a. (Suggested by Andreas Braeutigam <ab...@freenet.de> 02-26-02)
        (This is *not* an exact quote but is a paraphrase)
        Reformat may give the wrong impression that a time consuming
        format of the entire drive is needed. Rather than reformat
        the entire drive wipe out the MBR, partition boot sectors
        root partition and any other partition containing executable
        files that may be compromised.

 6. Reinstall the OS + apps and restore data to the clean partition /
    drive.

    6a. (Suggested by Bill Unruh <un...@physics.ubc.ca> 12-21-2001)
        Then, scan all of the files which you saved for suid
        programs:

            find / -perm +6000 -ls

    6b. (Suggested by Bill Unruh <un...@physics.ubc.ca> 12-21-2001)
        Make sure that each of those files which are reported
        should actually be suid or sgid.
        If they are system files, check them with:

            rpm -Vf /name/of/file

        If they are in your or others home directories, they almost
        certainly should not be suid, especially not suid root.
        For example a file in /tmp, or in /usr/share/man should
        never be suid root.

    6c. (Suggested by Pep <PepMozi...@netscape.net> 12-21-2001)
        When you restore your backup, check all system configuration
        files that are restored for any cracks that may have already
        been incorporated into these files.

    6d. (Suggested by Bill Staehle <withheld on req.> 01-07-2002)

            find / \( -nouser -o -nogroup \) -exec ls -lad {} \;

        and if anything turns up, determine _why_ the user and/or
        group is not in /etc/passwd and/or /etc/group.  Who _really_
        owns those files/directories? What are they?

 7. WHILE OFFLINE install all the patches.

 8. Create your own, unique hidden directory and 'cp' files to it
    that are essential to system maintenance like 'ls', 'netstat',
    'route', 'ifconfig', 'ps', etc.
    (Should you be cracked again, God forbid, as long as you don't
    have a compromised kernel this will allow you to use these copies
    to "see" what a cracker may have done.)

    8a. (Suggested by Andreas Braeutigam <ab...@freenet.de> 02-26-02)
        I'd rather store those copies on a separate system or a
        non-writeable medium. [like a CD-R, floppy diskette with
        write protect on, etc.]

    8b. (Suggested by Pep <PepMozi...@netscape.net> 12-21-2001)
        Check your final installation to see that all known security
        bugs have been addressed.  There are various utilities that
        you can get to help with this, such as port scanners; etc.

    8c. (Suggested by Pep <PepMozi...@netscape.net> 12-21-2001)
        Install some of the security monitors that exist out there.
        I can't give you the names of all of these but there are
        monitors like portsentry that constantly scan for connections
        to your system, also there are other utilities that
        constantly check your system logs and ones that constantly
        check the system configuration files for any modifications of
        content and/or permissions.

    8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
        [It] would be better if the program files you put into that
        hidden directory are statically compiled, and not using the
        possibly corrupted dynamic libraries.  It also assumes that
        the kernel doesn't get messed with. _At this time_ these
        concerns are not big,  but why not stay ahead?

    8e. (Suggested by James Knott <james.kn...@rogers.com> 01-02-02)
        Mount as much of your filesystem as possible as read only. If
        the crackers can't write to a partition, they can't change
        it. Rename and hide su etc. [as suggested in 8].

 9. Then, and only then, set the box up to get online.

10. (Suggested by Pep <PepMozi...@netscape.net> 12-21-2001)
    Finally, design and implement a regular backup procedure,
    something you should already have done, so that you can limit
    any future problems you might have with your system, whether from
    cracking; bad configuration; system failure or simply bad users.

   10a. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
        [For further security] you could have another system sitting
        off a separate network, that randomly grabs a file off of
        this box, and does a file comparison externally. If that
        other system is not accepting ANY connections from ANYWHERE,
        it makes a better intrusion detection system.

What if you have only one machine with one OS installed? You still
need to disconnect, backup and reinstall. To get the patches ask a
friend or acquaintance with a secured system to help download the
patches. Or see if your OS vendor offers the current patches on CD.
If so, order it.

For further reference see the comp.os.linux.security FAQ:
http://www.linuxsecurity.com/docs/colsfaq.html

Finally, if all this is too much for you to handle alone consider
hiring an expert to assist you or to do it for you. However, be aware
hiring a consultant that is able to help will probably *not* be
inexpensive. For Linux and UNIX consultants in your area check these:

 http://www.pcunix.com/consultants.html
 http://wdb1.caldera.com/sdir_web/owa/ptrLocator.search
 http://www.redhat.com/products/purchase_options/find_reseller.html

("-" Suggested by Bill Staehle <withheld on req.> 01-07-2002)
  -ftp://ftp.cc.gatech.edu/pub/linux
  -ftp://ftp.freesoftware.com/pub/linux/sunsite
  -ftp://ftp.flash.net/pub/mirrors/metalab.unc.edu/pub/Linux
  -ftp://ftp.yggdrasil.com/mirrors/sunsite
  -ftp://ibiblio.org/pub/Linux
  -
  -Those are anonymous FTP servers. Log in as anonymous, with your
  -email address as password, and change to the indicated directory.
  -Look for the file "MIRRORS" to find a list of other servers that
  -may be more accessible to you. Then continue down from this
  -directory to  ./docs/linux-doc-project/linux-consultants-guide/
  -and get one of the versions of the Consultants-Guide:
  -
  -Consultants-Guide.html.tar.gz
  -Consultants-Guide.pdf
  -Consultants-Guide.ps.gz
  -Consultants-Guide.sgml.gz
  -Consultants-Guide.txt

Certified or Authorized resellers and/or consultants will be the
ones most likely to be able to assist you. Those well versed in
Linux and/or UNIX are usually capable of handling the "lesser OS's"
as well.

Finally, NEVER use the word "hacking" to describe "cracking" as there
is a significant difference between a "cracker" and a "hacker". See:

  http://www.tuxedo.org/~esr/jargon/html/entry/cracker.html
  http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html

Most of all Good Luck!

Gene <g...@eracc.hypermart.net>
Caldera Authorized Partner - OpenServer 5+, UnixWare 7+ & OpenLinux
--
.   Owner and C.E.O. - ERA Computer Consulting - Jackson, TN USA    .
. eCS,OS/2,UnixWare,OpenServer & Linux Business Computing Solutions .
.     Please visit our www pages at http://eracc.hypermart.net/     .
               We run IBM OS/2 v.4.00, Revision 9.036                
 Sysinfo: 42 Processes, 165 Threads, uptime is 3d 20h 52m 41s 339ms  



 Thu, 09 Dec 2004 04:18:59 GMT   

I'd like to add sash to that list.

--
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:razor-rep...@daimi.au.dk


