  1. #1

    Critical: Weird folder found! Can't remove...

    Hello,

    A customer of mine informed me about a weird directory in his home folder:

    "*eKL`^ :|Rl=E!A"

    When I do "ls -al" I get this:

    Code:
    drwxr-xr-x    2 *** *** 4096 Oct 28 08:14 \004\315\334\*eK\036\320L`^\f:\022\|R\246l\=E!\233\340\367A\n\243W\253_\264Ul3lo\345\246{\250<\341~\304\355۽\356\257<:~\030\034\006\355\376\003\2261\227\232\361\253\035\206S/
    I can't access it:

    Code:
    [email protected] [/home/*******]# cd \004\315\334\*eK\036\320L`^\f:\022\|R\246l\=E!\233\340\367A\n\243W\253_\264Ul3lo\345\246{\250<\341~\304\355۽\356\257<:\030\034\006\355\376\003\2261\227\232\361\253\035\206S
    -bash: !\233\340\367A\n\243W\253_\264Ul3lo\345\246{\250: event not found
    This might sound paranoid but I'm afraid the directory name contains some kind of shell code that if I try to remove it, something else happens... I think the folder got there due to a web based attack on his website. Is that possible?

    Does anyone have an idea how to get rid of it? I would like to see the content of the folder if possible.

    Thanks.

  2. #2
    Join Date
    May 2001
    Location
    HK
    Posts
    3,076

    Use the quote for the directory name...

    ls -al 'sdfsdfkjsljdflksdjlfkjs;isejf;iafjaf'


  3. #3
    Join Date
    Jun 2002
    Posts
    1,376
    Try playing with wildcards a bit.

    Does "ls \004*" show only that one folder? You could then delete it using the same wildcards. (But be very careful using rm with a * -- if you mess up the syntax, who knows what you'll delete? I'd recommend using the -i flag with rm, as it'll prompt you for each file you're deleting. But, of course, don't even run rm until you've tested the syntax with ls.)

  4. #4
    Join Date
    Aug 2001
    Location
    NE Ohio
    Posts
    502
    Try doing an rm -rf to the user's directory (obviously backup files first) and then create the home directory again.

  5. #5
    Join Date
    Jun 2003
    Posts
    961
    dir name looks weird, you sure fs is clean? try fsck?
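
Added example, not part of any post in the thread: posts #2 and #3 suggest quoting the name and testing a wildcard with ls before running rm. The script below applies both by letting a glob supply the exact bytes of the name and only ever using it as a quoted variable, so nothing has to be typed or pasted. The function names, the quarantine directory and the sample name are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the quarantine
# layout are hypothetical; the sample name is constructed.
LC_ALL=C; export LC_ALL            # match patterns byte by byte

# Constructed sample: a directory whose name mixes control bytes, high bytes,
# '*', '!', a backtick (\140) and a newline, beside an ordinary file.
make_sample() {
    odd=$(printf '\004\315\334*eK\036\320L\140^\f:\022|R\246l=E!\233A\n\243W')
    mkdir -- "$1/$odd" && : > "$1/$odd/inside.txt" && : > "$1/index.html"
}

# True when the last path component holds a byte outside printable ASCII.
is_odd_name() {
    case ${1##*/} in
        *[![:print:]]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the number of odd-named entries directly inside directory $1.
count_odd() {
    n=0
    for entry in "$1"/* "$1"/.[!.]*; do
        if is_odd_name "$entry"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# For each odd entry in $1: dump the name as escaped bytes, list its contents,
# then rename it to $2/odd-N so it can be examined and removed by a plain name.
quarantine_odd() {
    i=0
    for entry in "$1"/* "$1"/.[!.]*; do
        is_odd_name "$entry" || continue
        i=$((i + 1))
        printf '%s' "${entry##*/}" | od -c
        ls -la -- "$entry"
        mv -- "$entry" "$2/odd-$i" || return 1
    done
}

# Stand-alone use: sh script.sh HOME_DIR QUARANTINE_DIR
if [ "$#" -eq 2 ]; then quarantine_odd "$1" "$2"; fi
```

Once renamed, the directory has an ordinary name and can be reviewed and then removed with `rm -ri`, as post #3 recommends.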
