Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: jfarschman on December 17, 2007, 10:39:57 PM
-
I could use some experienced help.
I found a directory called .?
Yep... "?" is a wildcard and if you try to cd .? it will take you up one level just like cd ..
So how do I mess with, delete, look inside this bad boy?
Thanks.
-
Yep... "?" is a wildcard and if you try to cd .? it will take you up one level just like cd ..
So how do I mess with, delete, look inside this bad boy?
Try .\?
Don't delete it until you've had a look. I'd also suggest that you "telinit 1" to shut down everything, and do "rpm -Va" to look for any corrupted packages, just in case.
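As an added example (not part of Charlie's post): rpm -Va prints one line per file that differs from the package database, and most of that output is timestamp noise and edited config files. The filter below keeps only what matters on a suspected compromise, namely non-config files whose size, digest or mode changed, or that are missing. The sample lines fed to it are constructed for the example; on a real host run rpm -Va | rpm_va_suspicious, ideally with a known-good rpm binary, since a toolkit like the one found here may have replaced rpm itself.

```sh
#!/bin/sh
# Added example, not from the thread: narrow "rpm -Va" output to the lines
# worth a second look. The sample input below is constructed, not real output.
set -eu

# Constructed rpm -Va lines: a 9-character flag field (S size, M mode,
# 5 digest, L symlink, T mtime, ...), an optional attribute column
# (c = config file), then the path. "missing" replaces the flags when
# the file is gone entirely.
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/lib/libcrypt.so.1
missing     /usr/bin/netstat
.M.......    /usr/bin/find
EOF
}

# Read rpm -Va output on stdin; print the path of every non-config file that
# is missing or whose size (S), mode (M), digest (5) or link target (L)
# changed. Timestamp-only lines and edited config files are dropped.
rpm_va_suspicious() {
    awk '
        {
            flags = $1
            if (NF >= 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
            if (attr == "c") next
            if (flags == "missing" || flags ~ /[SM5L]/) print path
        }
    '
}

# Demo on the constructed sample; for a live host: rpm -Va | rpm_va_suspicious
sample_rpm_va | rpm_va_suspicious
```

Replaced ls, netstat and find are exactly what an attacker's kit tends to drop, so a changed digest on those is far more telling than a hundred modified config files.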
-
Thanks Charlie,
Try .\?
# cd .\?
-bash: cd: .?: No such file or directory
I'm working through the rpm -Va. I did this once before with a Cobalt Qube3.
BTW: This isn't on a SME.
-
To close the loop on this one... it's a hack and a pretty nasty one.
A friend of mine left his server vulnerable and now it's owned by hackers. The inside of the mysterious directory is filled with fun files like this one :shock:
profile_images/. /toxic/auto/POSIX/chmod.al
#line 1 "auto/POSIX/chmod.al"
# NOTE: Derived from lib/POSIX.pm.
# Changes made here will be lost when autosplit is run again.
# See AutoSplit.pm.
package POSIX;
#line 561 "lib/POSIX.pm (autosplit into lib/auto/POSIX/chmod.al)"
sub chmod {
usage "chmod(mode, filename)" if @_ != 2;
CORE::chmod($_[0], $_[1]);
}
# end of POSIX::chmod
1;
There's nearly 4 MB of this toolkit.
-
This has always worked for me:
cd '.?'
or, if need be, it could be renamed: mv '.?' whatever
-
Thanks Warren.
I just tarballed the whole directory and when I expanded it... it appeared that the directory name had changed to .<space> which is even more annoying. If you'd like I can send you a copy and you can play around with it.
cd .?
used the wildcard like it was cd .., so it left me a little worried about deleting the file using the conventional rm .?, as it might have thought I meant ..
Anyway, I don't think this server was compromised beyond the improperly configured php upload directories, but we are rebuilding it to be sure.
-
You could have removed it with rm '.?', or with mv '.?' questionable, then rm questionable.
Anyway, you are rebuilding the server, but it might be a good idea to keep the old disks
and try to figure out how it was compromised in the first place.
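Quoting, as Warren suggests, works only when the directory really is called .? and the trouble is just the shell expanding the pattern. The tarball case above shows the name can instead be a dot followed by a space, where a quoted '.?' matches nothing while the unquoted .? can match .. as well. The script below is an added example, not code from the thread: it shows what the glob actually expands to, lists dot-entries with visible delimiters so a trailing space shows up, and renames the entry by inode so the name never has to be typed or globbed at all. It builds its own scratch tree containing a constructed directory named ". " and relies on the -mindepth/-maxdepth/-inum extensions present in GNU and BSD find.

```sh
#!/bin/sh
# Added example, not from the thread: why an unquoted "cd .?" can land in the
# parent directory, and how to pin down an oddly named dot-directory by inode
# rather than by name. Everything happens in a scratch tree this script creates.
set -eu

# Constructed sandbox: a directory literally named ". " (dot, space), like the
# one the extracted tarball produced, plus an ordinary sibling.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir "$sb/. " "$sb/normal"
    printf 'toolkit\n' > "$sb/. /chmod.al"
    printf '%s\n' "$sb"
}

# Print every name the unquoted glob .? expands to inside $1, in brackets.
# ".?" is a pattern (a dot followed by any single character), so depending on
# the shell it matches ".." as well as ". " or ".X", which is what sent
# "cd .?" up one level.
glob_expansion() (
    cd "$1"
    for name in .?; do
        [ -e "$name" ] && printf '[%s]\n' "$name"
    done
    return 0
)

# List dot-entries of $1 with brackets around each name so a trailing space
# or other invisible character is obvious. The -name pattern is evaluated by
# find, not by the shell, so nothing is globbed here.
list_dot_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' \
        -exec sh -c 'for p; do printf "[%s]\n" "${p##*/}"; done' sh {} +
}

# Inode number of $1 (ls -di is common to GNU and BSD userlands).
inode_of() {
    ls -di -- "$1" | awk '{ print $1 }'
}

# Move the entry with inode $2 directly under $1 to $1/$3. Matching on the
# inode sidesteps the name entirely; the same find invocation with
# "-exec rm -r -- {} +" deletes it once it has been looked at.
quarantine_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -exec mv -- {} "$1/$3" \;
}

demo() {
    sb=$(make_sandbox)
    echo "glob .? expands to:";  glob_expansion "$sb"
    echo "dot entries:";         list_dot_entries "$sb"
    ino=$(inode_of "$sb/. ")
    quarantine_by_inode "$sb" "$ino" quarantine
    echo "after quarantine:";    list_dot_entries "$sb"; ls -- "$sb/quarantine"
    rm -rf -- "$sb"
}
demo
```

On a live box, run list_dot_entries on the suspect directory first; once you know the exact name and inode, the quarantine step moves the toolkit somewhere it can be tarred up for analysis without ever passing an ambiguous pattern to rm.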
-
Warren,
I'm working on the forensics (how they got in) today. Initially, it looks like an upload directory that also had execute permissions. That should be enough. I just want to find it in the logs.