Koozali.org: home of the SME Server

Strange Linux Wildcard Problem (.?)

Offline jfarschman

Strange Linux Wildcard Problem (.?)
« on: December 17, 2007, 10:39:57 PM »
I could use some experienced help.

I found a directory called .?

Yep... "?" is a wildcard and if you try to cd .?  it will take you up one level just like cd ..

So how do I mess with, delete, look inside this bad boy?

Thanks.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline CharlieBrady

Re: Strange Linux Wildcard Problem (.?)
« Reply #1 on: December 17, 2007, 10:56:33 PM »
Quote
Yep... "?" is a wildcard and if you try to cd .?  it will take you up one level just like cd ..

So how do I mess with, delete, look inside this bad boy?

Try .\?

Don't delete it until you've had a look. I'd also suggest that you "telinit 1" to shut down everything, and do "rpm -Va" to look for any corrupted packages, just in case.

Offline jfarschman

Re: Strange Linux Wildcard Problem (.?)
« Reply #2 on: December 17, 2007, 11:34:04 PM »
Thanks Charlie,

Quote
Try .\?

# cd .\?
  -bash: cd: .?: No such file or directory

I'm working through the rpm -Va. I did this once before with a Cobalt Qube3.

BTW: This isn't on a SME.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline jfarschman

Re: Strange Linux Wildcard Problem (.?)
« Reply #3 on: December 18, 2007, 12:09:17 AM »
To close the loop on this one... it's a hack and a pretty nasty one.

Friend of mine left his server vulnerable and now it's owned by hackers.  The inside of the mysterious directory is filled with fun files like this one  :shock:

profile_images/. /toxic/auto/POSIX/chmod.al

Code:
#line 1 "auto/POSIX/chmod.al"
# NOTE: Derived from lib/POSIX.pm.
# Changes made here will be lost when autosplit is run again.
# See AutoSplit.pm.
package POSIX;

#line 561 "lib/POSIX.pm (autosplit into lib/auto/POSIX/chmod.al)"
sub chmod {
    usage "chmod(mode, filename)" if @_ != 2;
    CORE::chmod($_[0], $_[1]);
}

# end of POSIX::chmod
1;

There's nearly 4 MB of this toolkit.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline warren

Re: Strange Linux Wildcard Problem (.?)
« Reply #4 on: December 19, 2007, 05:37:41 PM »
This has always worked for me:

cd '.?'

or, if need be, it could be renamed: mv '.?' whatever

Offline jfarschman

Re: Strange Linux Wildcard Problem (.?)
« Reply #5 on: December 19, 2007, 05:53:05 PM »
Thanks Warren.

I just tarballed the whole directory and when I expanded it... it appeared that the directory name had changed to .<space> which is even more annoying.  If you'd like I can send you a copy and you can play around with it.

cd .?

used the wildcard like it was cd ..  so it left me a little worried about deleting the file using the conventional rm .? as it might have thought I meant ..

Anyway, I don't think this server was compromised beyond the improperly configured php upload directories, but we are rebuilding it to be sure.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com
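
An added example, not part of the thread: one way to find and rename oddly named dot-directories without typing a glob that could match "..". A name that ls prints as .? may really hold a space or control byte, so the sketch identifies the entry by inode; the function names are made up here, and find with -mindepth/-maxdepth/-inum (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "<inode> <name>" for each entry directly under $1 whose name starts
# with "." and contains a blank or non-printable byte. The name is rendered by
# "sed -n l", which escapes control bytes and appends "$", so a trailing space
# is visible. find never returns ".." here, unlike the shell glob .?
list_odd_dot_names() {
    LC_ALL=C find "$1" -mindepth 1 -maxdepth 1 -name '.*[![:graph:]]*' \
        -exec sh -c '
            for p do
                inode=$(ls -di -- "$p" | awk "{print \$1}")
                shown=$(printf "%s\n" "${p##*/}" | sed -n l)
                printf "%s %s\n" "$inode" "$shown"
            done' sh {} +
}

# Rename the entry with inode $2 directly under $1 to $1/$3 so it can be
# inspected under an ordinary name. Refuses to overwrite an existing path and
# returns non-zero if nothing was renamed.
rename_by_inode() {
    [ -e "$1/$3" ] && return 1
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -exec mv -- {} "$1/$3" \;
    [ -e "$1/$3" ]
}

# Constructed demo: a scratch tree with a directory named ". " (dot, space)
# next to an ordinary hidden directory.
demo=$(mktemp -d)
mkdir "$demo/. " "$demo/.cache"
list_odd_dot_names "$demo"      # one line: the inode, then ". $"
rm -rf "$demo"
```

Renaming rather than deleting keeps the contents available for the forensics discussed in the later replies.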

Offline warren

Re: Strange Linux Wildcard Problem (.?)
« Reply #6 on: December 19, 2007, 06:22:21 PM »
You could've rm'd it by: rm '.?' or by mv '.?' questionable, then rm questionable.

Anyway, you are rebuilding the server, but maybe a good idea would be to keep the old disks and try to figure out how it was compromised in the first place.

Offline jfarschman

Re: Strange Linux Wildcard Problem (.?)
« Reply #7 on: December 19, 2007, 06:36:31 PM »
Warren,

  I'm working on the forensics (how they got in) today.  Initially, it looks like an upload directory that also had execute permissions.  That should be enough.  I just want to find it in the logs.

Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com