topic Re: weird dir .. in Operating System - HP-UX

weird dir ..

someone_4 — Tue, 04 Sep 2001 21:31:29 GMT

When I do
# ls -alb
total 0
drwxr-x--- 4 ftp guest 96 Aug 27 11:20 .
drwxr-x--- 3 ftp guest 96 Sep 4 17:29 ..
drwxr-x--- 3 ftp guest 96 Aug 27 11:08 \377\377\377
drwxr-x--- 3 ftp guest 96 Aug 27 11:20 \377\377\377\377\377\3
77
# cd \377\377\377
sh: 377377377: not found.

but ll
i dont see the \337
how do I get into theese dir?
Someone it looks like someone is storing mp3s in there. Does anyone have any idea on how that dir got there?

Richard

Re: weird dir ..

Sridhar Bhaskarla — Tue, 04 Sep 2001 21:37:23 GMT

Richard,

Try this way.

cd \\377\\377\\377.

Note this extra
-Sri

Re: weird dir ..

Bill Hassell — Tue, 04 Sep 2001 21:43:45 GMT

The directories were created by a version of ftp that allows virtually any character to be used in the name. Since 377 octal is an all 1's character, this is highly suspicious as if someone is trying to hide the contents. Most likely:

ls -labR

will show all the directories and their contents. You might want to assume you have an intruder until proven otherwise.

Re: weird dir ..

Sanjay_6 — Tue, 04 Sep 2001 21:46:04 GMT

Hi Richard,

We earlier had a similar discussion regarding a weird file. Have a look. Are we looking at a virus on HP-UX ???.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0x5b8f5220af9bd5118ff10090279cd0f9,00.html

Thanks

Re: weird dir ..

someone_4 — Tue, 04 Sep 2001 22:07:43 GMT

Here are the results from
ls -labR

what is all this stuff??

Re: weird dir ..

Sridhar Bhaskarla — Tue, 04 Sep 2001 22:11:01 GMT

The way in which it is looking is that someone is trying to access your system through ftp account probably through a browser. Unless it is required, turn off write permissions for ftp account on this box.

For what exactly this box is used?

-Sri

Re: weird dir ..

someone_4 — Tue, 04 Sep 2001 22:11:52 GMT

This box is used for a webserver.

Richard

Re: weird dir ..

Sridhar Bhaskarla — Tue, 04 Sep 2001 22:15:38 GMT

Doesn't surprize me. Obviously people are trying to do ftp://your_system and dunno there may be some CGIs in your system that are being run and causing the problem.

You can do one thing. Enable ftp logging on the box by modifying your inetd.conf file with the following

ftpd -L -v

for few days and see what the users are trying to do with your ftp home directory.

-Sri

Re: weird dir ..

Tom Danzig — Tue, 04 Sep 2001 23:55:57 GMT

Notice the seven spaces that appear to be a subdirectory of /home/ftp:

./ :
total 2
drwxr-x--- 3 ftp guest 96 Aug 23 15:09 .
drwxrwxrwx 15 root guest 1024 Sep 4 16:54 ..
drwxr-x--- 3 ftp guest 96 Aug 23 15:13 \377\377\377

The seven spaces used as a directory name under the /home/ftp directory is quite unusual. I think you've been hacked.

Re: weird dir ..

Stefan Schulz — Wed, 05 Sep 2001 05:34:22 GMT

There is somebody using your system as an ftp server for his own needs. And he/she tries also to store illegal copies of music on your system. Very interesting.

If you are interested and willing to take the risk then turn loggin on for ftp. This is always a good idea if you have a public available webserver running.

You could try to track down this "user" or you can go to the police.

But i wouldn't leave the door open too long. Check what intrucion detection systems are available.

Hope this helps.

Regards Stefan