[vox] password stolen at linuxworld

ME vox@lists.lugod.org
Sun, 10 Aug 2003 08:55:42 -0700 (PDT)


Peter Jay Salzman said:
> ack.  i didn't mean to be an alarmist.  i didn't mean you're DEFINITELY
> hacked.  i meant you definitely want to be on the lookout.  debian has a
> package that looks for common rootkits.  also, pay attention to outside
> connections, log files, do a search for "..." and "pfloyd", and look in
> /dev.  black hat hackers love to hide files in /dev.


Some like to hide files in "hidden files" (prefixed with ".") and you may
even find some who hide files by using escape sequences common to vt100
and xterm that move the cursor back to the beginning of a line after
printing their names to hide them from display. Another technique is to
trojan "ls" to have it hide the files in a dir.

For the first, you should be able to:
$ ls | less
and less will expose control characters and escape them for you to see.

For the second, if there is no alias for "echo" and the shell has not been
trojaned (and probably other things I am not recalling) you can use
"echo" to display files (nonhidden) in a dir:
$ echo .*  *
(This just prints names, not details like date and lengths.)

The above is also useful if your box has been fork-bombed or there are too
many processes for an ls to be run. Why? echo is a shell built-in and does
not need to start another process.

HTH,
-ME
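
The two checks from the message above (expose control characters in names, and list a directory without running ls), combined into one script as an added example that is not part of the original post. The function names sanitize and audit_dir are made up for illustration, and like the echo trick it assumes the shell itself has not been trojaned.

```shell
#!/bin/sh
# Added example, not from the original post. Directory listing built only on
# shell builtins (glob expansion, case, [, printf): no ls binary is trusted
# and no child process is started. sanitize and audit_dir are made-up names.

# sanitize NAME: set $SAFE to NAME with every control character shown as "?"
sanitize() {
    rest=$1
    SAFE=
    while [ -n "$rest" ]; do
        tail=${rest#?}
        if [ "$tail" = "$rest" ]; then break; fi   # nothing stripped: avoid looping
        ch=${rest%"$tail"}
        case $ch in
            [[:cntrl:]]) SAFE="$SAFE?" ;;
            *)           SAFE="$SAFE$ch" ;;
        esac
        rest=$tail
    done
}

# audit_dir DIR: print one line per entry (dotfiles included) with flags,
# and set $HIDDEN and $CTRL to the number of entries carrying each flag.
audit_dir() {
    HIDDEN=0
    CTRL=0
    for p in "$1"/* "$1"/.*; do
        name=${p##*/}
        case $name in .|..) continue ;; esac
        if [ ! -e "$p" ] && [ ! -L "$p" ]; then continue; fi   # unmatched glob
        flags=
        case $name in .*) flags="$flags hidden"; HIDDEN=$((HIDDEN + 1)) ;; esac
        case $name in *[[:cntrl:]]*) flags="$flags ctrl-chars"; CTRL=$((CTRL + 1)) ;; esac
        # Regular files are normal in most places but worth a look under /dev.
        if [ -f "$p" ] && [ ! -L "$p" ]; then flags="$flags regular-file"; fi
        sanitize "$name"
        printf '%s\t[%s ]\n' "$SAFE" "$flags"
    done
}

# Run on the directory given as the first argument, e.g.: sh audit.sh /dev
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

A name containing ESC or CR prints with "?" in place of each control character, so the cursor-movement trick cannot erase it from the terminal.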