Re: hidden files

From: simon (simon_at_nowhere.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 14:19:20 +1300

Tim Haynes wrote:
> "mat" <mat_bike@yahoo.com> writes:
>
>
>>Perhaps, a rootkit was used. Thanks for the insight and the site. I will
>>go and check it out.
>
>
> While I'm passing by, if you're on an RPM-based distribution, `rpm -Vva'
> will verify all packages installed. Be particularly on your guard for
> things such as ls and ps and find (and anything in a bin/ directory)
> appearing as modified in the output list.
>
> If your /bin/ls has been modified, that would certainly explain why you
> can't see certain files. The alternative approach often used by a rootkit
> is to install a kernel module (LKM for short) that blocks off access or
> redirects it to other files (so the /bin/ls you see is not the /bin/ls you
> exec()).
>
> ~Tim

Well, one easy way to bypass all rootkits is to boot off a Linux-on-CD
system, e.g. Knoppix/Ubuntu for a fully-featured system or many other
choices for slimmed-down environments.

You will then definitely have access to all files on the target system.
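To show what Tim's `rpm -Vva` check looks like in practice, here is an added shell example that is not from the thread: it reads output in the format `rpm -Va` produces and prints only the entries a defender would want to look at first, namely files under a bin/ or sbin/ directory that are missing or whose size or digest differs from the package database. The input lines are constructed for the example (the function names `flag_suspicious_binaries` and `count_suspicious` are mine, and the flag layout assumed is the nine-character one of modern rpm: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities; older rpm versions print eight).

```shell
#!/bin/sh
# Added example (not from the original thread): triage rpm -Va output for
# modified or missing executables in bin/ and sbin/ directories.

# Constructed sample of rpm -Va output. Column 1 is the verify-flag string
# (or the word "missing"), an optional attribute letter follows (c = config
# file, d = doc, ...), and the path is last.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.......T.    /usr/bin/find
.M.......    /usr/sbin/useradd
S.5....T.  c /etc/ssh/sshd_config
missing     /bin/ps
..5......    /usr/lib64/libc.so.6'

# flag_suspicious_binaries: reads rpm -Va style lines on stdin and prints the
# path of every file that lives under a bin/ or sbin/ directory and is either
# missing, has a changed size ('S' in column 1) or a changed digest ('5' in
# column 3). Config files (attribute 'c') are skipped because they are
# expected to differ from the packaged copy.
flag_suspicious_binaries() {
    awk '
    {
        flags = $1
        path  = $NF
        attr  = (NF == 3) ? $2 : ""
        if (attr == "c") next                      # config files legitimately change
        if (path !~ /\/s?bin\//) next              # only executables in bin/ or sbin/
        if (flags == "missing" || substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5")
            print path
    }'
}

# count_suspicious: number of flagged paths in the constructed sample.
count_suspicious() {
    printf '%s\n' "$SAMPLE_RPM_VA" | flag_suspicious_binaries | wc -l | tr -d ' '
}

# Usage on a live system would be:  rpm -Va | flag_suspicious_binaries
printf '%s\n' "$SAMPLE_RPM_VA" | flag_suspicious_binaries
```

On the sample this prints `/bin/ls` (digest changed) and `/bin/ps` (missing); `/usr/bin/find` shows only an mtime change and is left alone. The comparison is only as trustworthy as the `rpm` binary and the rpm database on the suspect host, which is why simon's suggestion of booting a live CD matters: mounting the suspect disk read-only and running `rpm --root /mnt/target -Va` from the clean environment removes the dependence on the possibly modified binaries the thread describes.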