Attackers can easily “hide” files on a system. One method, available once the attacker has gained root, is to modify the kernel (through a kernel module, for example). This is not discussed here.
A more common method of “hiding” files is simply to put them in obscure locations that users will probably overlook. One problem with UNIX is that /tmp, /var/tmp and /var/lock are world-writable.
Look at the following directory listing in /tmp:
david@anarchy:/tmp$ ls -al
drwxrwxrwt 10 root root 12288 Apr 21 02:34 .
drwxr-xr-x 21 root root 4096 Apr 3 13:19 ..
drwxr-xr-x 2 david david 4096 [continued...]
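A defender can audit these directories directly. The script below is an added example, not part of the original article: for each directory that is world-writable, it lists the dot-prefixed entries that plain `ls` omits and `ls -a` shows, together with the owning uid. The function names and the SCAN_NOW variable are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# True when $1 is a directory with the "other" write bit set (e.g. mode 1777).
# -H follows a symlink given on the command line (/var/lock often is one).
is_world_writable() {
    [ -n "$(find -H "$1" -prune -type d -perm -0002 -print 2>/dev/null)" ]
}

# Print "uid<TAB>path" for each dot-prefixed entry directly inside $1.
hidden_entries() {
    for entry in "$1"/.*; do
        case "${entry##*/}" in
            .|..) continue ;;   # the directory itself and its parent
        esac
        # Skip the unexpanded pattern when nothing matched.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        uid=$(ls -ldn -- "$entry" | awk '{print $3}')
        printf '%s\t%s\n' "$uid" "$entry"
    done
}

# Scan each argument, skipping directories that are not world-writable.
scan_world_writable() {
    for dir in "$@"; do
        is_world_writable "$dir" || continue
        hidden_entries "$dir"
    done
}

# Set SCAN_NOW=1 to scan the three directories the article names.
if [ "${SCAN_NOW:-0}" = 1 ]; then
    scan_world_writable /tmp /var/tmp /var/lock
fi
```

Root-owned dot entries created by the system are normal in /tmp; entries owned by ordinary user accounts are the ones to review first.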