Attackers can easily “hide” files on a system. One method is to modify the kernel (through a kernel module for example) if the attacker has gained root. This is not discussed here.
A more common method of “hiding” files is to simply put the files in obscure locations that users will probably overlook. One problem with UNIX is that /tmp, /var/tmp and /var/lock are world writable.
Look at the following directory listing in /tmp:
    david@anarchy:/tmp$ ls -al
    drwxrwxrwt 10 root  root  12288 Apr 21 02:34 .
    drwxr-xr-x 21 root  root   4096 Apr  3 13:19 ..
    drwxr-xr-x  2 david david  4096 Apr 21 02:34 ...
    drwxrwxrwt  2 root  root   4096 Apr 20 12:13 .ICE-unix
    -r--r--r--  1 root  root     11 Apr 20 12:13 .X0-lock
    drwxrwxrwt  2 root  root   4096 Apr 20 12:13 .X11-unix
    -r--r--r--  1 root  root     11 Apr 20 12:13 .X64-lock
At first glance nothing seems wrong; this looks like a normal directory listing. However, notice the directory named "..." (three dots), which is not owned by root. That isn't normal.
Another method makes the above even more obscure:
    david@anarchy:/tmp$ ls -al
    drwxrwxrwt 10 root  root  12288 Apr 21 02:37 .
    drwxr-xr-x 21 root  root   4096 Apr  3 13:19 ..
    drwxr-xr-x  2 david david  4096 Apr 21 02:37 ..
    drwxrwxrwt  2 root  root   4096 Apr 20 12:13 .ICE-unix
    -r--r--r--  1 root  root     11 Apr 20 12:13 .X0-lock
    drwxrwxrwt  2 root  root   4096 Apr 20 12:13 .X11-unix
    -r--r--r--  1 root  root     11 Apr 20 12:13 .X64-lock
Once again, at first glance this looks fine. Now notice that there are two entries named ".." and the second one is not owned by root. It appears to be the usual link back to the parent directory. A recursive ls shows how this was done:
    david@anarchy:/tmp$ ls -alR .
    .:
    drwxrwxrwt 10 root  root  12288 Apr 21 02:37 .
    drwxr-xr-x 21 root  root   4096 Apr  3 13:19 ..
    drwxr-xr-x  2 david david  4096 Apr 21 02:37 ..
    drwxrwxrwt  2 root  root   4096 Apr 20 12:13 .ICE-unix
    -r--r--r--  1 root  root     11 Apr 20 12:13 .X0-lock
    drwxrwxrwt  2 root  root   4096 Apr 20 12:13 .X11-unix
    -r--r--r--  1 root  root     11 Apr 20 12:13 .X64-lock

    ./.. :
    total 16
    drwxr-xr-x  2 david david  4096 Apr 21 02:37 .
    drwxrwxrwt 10 root  root  12288 Apr 21 02:37 ..
As can be seen, the ".." directory that is not owned by root has whitespace appended to its name, so in a plain "ls -al" it looks exactly like the real parent entry. It was created with:

    mkdir ".. "
Again, this is why you should be using "ls -albF" when inspecting a system: -b prints non-graphic characters in names as C-style backslash escapes and -F appends a type indicator (for example "/" after a directory), so trailing whitespace and other oddities in file and directory names become *visible* instead of blending in.
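Eyeballing ls output works on one directory, but the same check can be automated over the world-writable locations mentioned above. The script below is an added example, not code from the original post: it flags names that are dots only (like "..."), names with leading or trailing blanks (like ".. "), and names containing control bytes. It assumes a POSIX sh with the usual mktemp, tr and wc utilities, and the directory built by demo_tree is constructed sample data that mimics the listings in the post.

```sh
#!/bin/sh
# Added example, not code from the original post: flag directory entries whose
# names are chosen to blend into a plain "ls -al" listing. Assumes POSIX sh
# plus the usual mktemp, tr and wc utilities. The tree built by demo_tree is
# constructed sample data that mimics the listings in the post.

TAB=$(printf '\t')

# Print one "reason<TAB>name" line for each direct child of $1 whose name is
# suspicious. Three rules, applied in order:
#   1. dots-only       "..." or "...." imitate the . and .. entries
#   2. edge-whitespace ".. " or " x" look like a normal name in ls -al
#   3. non-printable   control bytes that a terminal renders as blanks or nothing
suspicious_names() {
    dir=$1
    for entry in "$dir"/.* "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob stays literal
        name=${entry##*/}
        case "$name" in
            .|..) continue ;;                     # the two legitimate entries
        esac
        case "$name" in
            *[!.]*) ;;                            # has a non-dot character: rule 1 passes
            *) printf 'dots-only\t%s\n' "$name"; continue ;;
        esac
        case "$name" in
            ' '*|*' '|"$TAB"*|*"$TAB")
                printf 'edge-whitespace\t%s\n' "$name"; continue ;;
        esac
        # tr strips every printable byte; anything left over is a control character
        if [ "$(printf '%s' "$name" | tr -d '[:print:]' | wc -c | tr -d ' ')" -gt 0 ]; then
            printf 'non-printable\t%s\n' "$name"
        fi
    done
}

# Number of flagged entries directly under $1.
count_suspicious() {
    suspicious_names "$1" | wc -l | tr -d ' '
}

# Build a throwaway directory holding the odd names from the post plus a few
# benign ones, and print its path. Constructed sample data, not a real /tmp.
demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/.ICE-unix" "$root/.X11-unix" "$root/..." "$root/.. "
    mkdir "$root/$(printf 'x\001y')"              # name with an embedded control byte
    : > "$root/.X0-lock"
    printf '%s\n' "$root"
}

sample=$(demo_tree)
echo "scanning $sample"
suspicious_names "$sample"
echo "flagged: $(count_suspicious "$sample")"   # 3 for the constructed tree
rm -rf "$sample"
```

To use it on a live system, call suspicious_names /tmp, /var/tmp and /var/lock and review each flagged line with "ls -ldbF" so the owner is visible as well. Names containing a newline would split a flagged line in two; the rule still fires, but the count would be off by one for such an entry.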
So when you're looking around your filesystem after you suspect someone has broken in, watch out for these techniques for "hiding" files, especially in world-writable directories such as /tmp, /var/tmp and /var/lock.
Page written by David Ramsden