
weird dir ..

 
someone_4
Honored Contributor

weird dir ..

When I do
# ls -alb
total 0
drwxr-x--- 4 ftp guest 96 Aug 27 11:20 .
drwxr-x--- 3 ftp guest 96 Sep 4 17:29 ..
drwxr-x--- 3 ftp guest 96 Aug 27 11:08 \377\377\377
drwxr-x--- 3 ftp guest 96 Aug 27 11:20 \377\377\377\377\377\377
# cd \377\377\377
sh: 377377377: not found.

But with ll I don't see the \337.
How do I get into these dirs?
It looks like someone is storing mp3s in there. Does anyone have any idea on how that dir got there?

Richard
9 REPLIES 9
Sridhar Bhaskarla
Honored Contributor
Solution

Re: weird dir ..

Richard,

Try this way.

cd \\377\\377\\377.

Note this extra
-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Bill Hassell
Honored Contributor

Re: weird dir ..

The directories were created by a version of ftp that allows virtually any character to be used in the name. Since 377 octal is an all 1's character, this is highly suspicious as if someone is trying to hide the contents. Most likely:

ls -labR

will show all the directories and their contents. You might want to assume you have an intruder until proven otherwise.


Bill Hassell, sysadmin
Sanjay_6
Honored Contributor

Re: weird dir ..

Hi Richard,

We earlier had a similar discussion regarding a weird file. Have a look. Are we looking at a virus on HP-UX ???.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0x5b8f5220af9bd5118ff10090279cd0f9,00.html

Thanks
someone_4
Honored Contributor

Re: weird dir ..

Here are the results from
ls -labR

what is all this stuff??

Sridhar Bhaskarla
Honored Contributor

Re: weird dir ..

The way it looks, someone is trying to access your system through the ftp account, probably through a browser. Unless it is required, turn off write permissions for the ftp account on this box.

What exactly is this box used for?

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
someone_4
Honored Contributor

Re: weird dir ..

This box is used for a webserver.

Richard
Sridhar Bhaskarla
Honored Contributor

Re: weird dir ..

Doesn't surprise me. Obviously people are trying to do ftp://your_system, and dunno, there may be some CGIs in your system that are being run and causing the problem.

You can do one thing. Enable ftp logging on the box by modifying your inetd.conf file with the following

ftpd -L -v

for a few days and see what the users are trying to do with your ftp home directory.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Tom Danzig
Honored Contributor

Re: weird dir ..

Notice the seven spaces that appear to be a subdirectory of /home/ftp:

./ :
total 2
drwxr-x--- 3 ftp guest 96 Aug 23 15:09 .
drwxrwxrwx 15 root guest 1024 Sep 4 16:54 ..
drwxr-x--- 3 ftp guest 96 Aug 23 15:13 \377\377\377

The seven spaces used as a directory name under the /home/ftp directory is quite unusual. I think you've been hacked.
Stefan Schulz
Honored Contributor

Re: weird dir ..

There is somebody using your system as an ftp server for his own needs. And he/she tries also to store illegal copies of music on your system. Very interesting.

If you are interested and willing to take the risk, then turn logging on for ftp. This is always a good idea if you have a publicly available webserver running.

You could try to track down this "user" or you can go to the police.


But I wouldn't leave the door open too long. Check what intrusion detection systems are available.

Hope this helps.

Regards Stefan
No Mouse found. System halted. Press Mousebutton to continue.
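
Added example, not written by any poster in this thread: a Python version of the check the replies point toward. It walks an FTP area using raw byte names, flags entries like the `\377\377\377` and blank-looking directories in the listings above, and prints a `printf`-based `cd` command for each flagged directory. It assumes the area should hold only printable-ASCII names; the function names are hypothetical.

```python
import os
import sys

# Assumption: a public FTP area should only hold printable-ASCII names, so
# any other byte (UTF-8 included) is worth a look.

def escape_name(name: bytes) -> str:
    """Render raw bytes in the style of `ls -b`, also escaping space and backslash."""
    return "".join(
        chr(b) if 0x21 <= b <= 0x7E and b != 0x5C else f"\\{b:03o}" for b in name
    )

def classify(name: bytes):
    """Return the reason a directory entry name is suspicious, or None."""
    if any(b < 0x20 or b >= 0x7F for b in name):
        return "non-printable bytes"
    if not name.strip():
        return "whitespace-only name"
    if name != name.strip():
        return "leading or trailing whitespace"
    return None

def cd_command(path: bytes) -> str:
    """Build a POSIX shell command that enters `path`.

    Every byte is written as a printf octal escape, so nothing in the name is
    interpreted by the shell. Names ending in a newline are not handled,
    because command substitution strips trailing newlines.
    """
    octal = "".join(f"\\{b:03o}" for b in path)
    return f"cd \"$(printf '{octal}')\""

def scan(root):
    """Walk `root` using byte paths; return [(raw_path, reason)] for odd names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            reason = classify(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return hits

if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{escape_name(path)}  [{reason}]")
        if os.path.isdir(path):
            print(f"    {cd_command(path)}")
```

Run it with the FTP home directory as the only argument; with no argument it scans the current directory.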