SUMMARY: Cannot ls files

From: Mark King <mark.king_at_akqa.com>
Date: Wed Apr 18 2001 - 04:10:27 EDT
Dear all,

Many, many thanks to everyone that has replied to me on this - there are
just far too many for me to thank individually, or list here.

Basically the machines in question have been hacked into, and the ls command
replaced with one that hides files with a 01 in them.

References:
	http://www.cert.org/CA-2001-05.html
	SUMAMRY: root-compromised systems -- a warning (from this archive)

regards,
   Mark


Mark King wrote:

> Dear all,
>
> I'm encountering a very strange problem on two boxes, both running Solaris
> 2.7 (one's an Ultra 2 running DiskSuite, the other an Ultra 10, plain
ufs).
>
> There are files location in certain directories that I can copy move, and
> display, but ls -la just will not show them.
>
> eg. In the directory Z, here is the following output from various
commands:
>
> bash-2.03$ ls -la
> total 382964
> drwxr-xr-x   2 markk    technology     512 Apr 17 17:00 .
> drwxrwxr-x  17 weblogic technology    1536 Apr 17 12:09 ..
> -rw-r--r--   1 markk    technology 60064608 Apr 17 12:09
> file1.ext1.ext2.ext3
>
>         (* It only displays the one file *)
>
> bash-2.03$ ls (then pressing TAB twice)
> file1.ext1.ext2.ext3      zip12042001_DB.dmp.gz     zip16042001_EJB.tar.gz
> zip12042001.tar.gz        zip12042001_EJB.tar.gz    zip17042001.tar.gz
> zip12042001.tgz           zip16042001.tar.gz
zip17042001_Beans.tar.gz
> zip12042001_Beans.tar.gz  zip16042001_Beans.tar.gz  zip17042001_EJB.tar.gz
>
>         (* So it knows the zip files are there *)
>
> bash-2.03$ ls zip*
> bash-2.03$ ls -la zip*
> total 382964
>         (* both of these do not complain, as the files do exist, but it
does
> not display them *)
>
> bash-2.03$ ls not-here*
> not-here*: No such file or directory
>         (* expected return *)
>
> bash-2.03$ ls -la not-here*
> not-here*: No such file or directory
>         (* expected return *)
>
> Has anyone else encountered these problems before?
> I haven't been able to find anything on Sunsolve, sunhelp etc so far.
>
> many thanks for any adivce,
> cheers,
>   Mark
>
> Senior Systems Administrator
> ____________________________________________________________________
> http://www.akqa.com
> mailto:mark.king@akqa.com
> T: + 44 (0)20 7494 9200
> F: + 44 (0)20 7494 9300
> AKQA, Princes House, 38 Jermyn Street, St James's, London, SW1Y 6DN, UK.
>
> Confidentiality notice:
> The information transmitted in this email and/or any attached document(s)
is
> confidential and intended only for the person or entity to which it is
> addressed and may contain privileged material. Any review, retransmission,
> dissemination or other use of, or taking of any action in reliance upon
this
> information by persons or entities other than the intended recipient is
> prohibited. If you received this in error, please contact the sender and
> delete the material from any computer.
>
>   ------------------------------------------------------------------------
Received on Wed Apr 18 09:10:27 2001

This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:53 EDT