Solved

unknown directory in root partition

Posted on 2004-04-20
Last Modified: 2010-04-20
One of my friends' places is having a problem.
They have a Linux box as a mail/proxy server with two interfaces: one is connected to a
private wireless network which has a router that can be connected to other private
networks. The other interface is connected to their internal LAN. Now on
that server they found an auto-created directory (with a name consisting of dots) in the root partition which they suspect
is a sniffing one, and this directory eats up the whole root partition.
That's all they know in the current situation.

Can anybody tell me what could be the reason behind the creation of this surprising directory?
Is the system hacked, or is some vulnerability causing this problem?
And is it possible that the directory is doing some sniffing there in the root partition?

I would like to know all the possibilities for this auto-creation of the directory
and also how to overcome this problem. Is there any other info available on the net for this particular issue?
Please help...

Thanks in advance,
mavenr
0
Question by:mavenr

31 Comments
LVL 8

Expert Comment

by:da99rmd
You have to give some more detailed info about the dir.
I need to know the name and what's in the directory, creation date, etc., and do a
ps axfu
to check if there are any suspicious processes executing.

/Rob
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
If you suspect that the system is hacked, take it off the network immediately!
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
If the directory name is really "...", try to find out what's in this directory:
ls -la ...

What does this list?
0
 

Author Comment

by:mavenr
The directory doesn't have any proper name; it has only dots (....) as its name. After that, the only thing they found was that the root partition was getting full. Is it a worm or anything else? Do you have any idea about any worm/virus which fills up the hard disk?

please reply

Thanks
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
You can find some more information in the comp.os.linux.security FAQ: http://www.geocities.com/swan_daniel/colsfaq.html#5.4

0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
Even though the directory has only dots as its name, this is still a proper name. You can go into this directory and look around. This document has some information about how to find out if your system really was compromised: http://www.cert.org/tech_tips/intruder_detection_checklist.html
0
 
LVL 8

Expert Comment

by:da99rmd
ps axfu
To check if there are any suspicious processes executing.

/Rob
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
Do the "ps axfu", but chances are that this will not tell you anything about what's going on with this system. The first thing I would do if I wanted to write a worm is to give it a name that does not stick out in the process list. I have 141 processes running on my system, and most of them look suspicious because I did not start them (I know of course what they are, but to the normal user they will look suspicious).
You may get lucky, but following the steps in the CERT checklist is a more thorough way to analyze your system.
0
 
LVL 20

Expert Comment

by:Gns
... The second thing would be to replace ps with a hacked version that doesn't display the "outsticking" process... Standard feature of many rootkits in the past.

The only real reasons for panic here are: Someone has created a directory named "..." or similar... This usually is done so that you don't take note of it, even if you "ls -a" in the directory... And you are "losing disk space" on the root partition... This in itself is really just another symptom, not a cause for panic itself.
Examine:
ls -laR ...*
du ...*
... and all the things from above...

One (legal) reason for funky filenames/dirnames would of course be filesystem corruption... and this would also probably look like available space is shrinking... So while you've got the machine sequestered for hacker diagnosis, do an fsck too.

-- Glenn
0
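A scripted version of the "ls -laR ...*" / "du ...*" check above, added here as an example; it is not code from any poster in this thread. The function names (list_dot_dirs, report_dot_dirs, top_consumers) and the usage line are my own, and it assumes a POSIX sh with find, du, sort and awk available. It goes a little beyond the single "..." case: it catches any directory whose name is nothing but dots, and it also ranks the largest directories on the partition, which is the quickest way to tell a hidden dump from, say, a runaway log under /var/log.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: locate directories whose
# name is nothing but dots (three or more, as in "..." or "....") and find out
# what is actually eating the root partition. All function names are my own.

# list_dot_dirs ROOT
#   Print every directory under ROOT (staying on ROOT's filesystem) whose
#   name consists only of dots. "." and ".." are never returned by find, and
#   names such as "...stuff" are dropped by the case pattern below.
list_dot_dirs() {
    find "$1" -xdev -type d -name '...*' 2>/dev/null | while IFS= read -r dir; do
        case ${dir##*/} in
            *[!.]*) ;;                      # contains a non-dot: ordinary name, skip
            *)      printf '%s\n' "$dir" ;; # dots only: report it
        esac
    done
}

# report_dot_dirs ROOT
#   For each dot-only directory show owner, mode and mtime (ls -ld) plus its
#   size in KiB (du -sk), which is what the thread asks to look at.
report_dot_dirs() {
    list_dot_dirs "$1" | while IFS= read -r dir; do
        ls -ld "$dir"
        du -sk "$dir" 2>/dev/null
    done
}

# top_consumers ROOT N
#   The N largest directories under ROOT (ROOT itself excluded, same
#   filesystem only), so a full root partition can be traced to a mail
#   spool, /var/log or a hidden dump instead of being guessed at.
top_consumers() {
    du -xk "$1" 2>/dev/null | sort -rn | awk -v root="$1" '$2 != root' | head -n "$2"
}

# Constructed usage:  sh dotdirs.sh /   (run as root to be able to read everything)
if [ -n "${1:-}" ]; then
    report_dot_dirs "$1"
    echo "--- largest directories ---"
    top_consumers "$1" 10
fi
```

Run it from a known-good environment (the Knoppix suggestion later in the thread applies) if you do not trust the find and du binaries on the box; the script itself only reads the filesystem and changes nothing.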
 
LVL 8

Accepted Solution

by:da99rmd (earned 43 total points)
But then you use this tool/script, which most crackers don't know you are trying to use and which therefore will not have been tampered with.

#!/bin/bash
# List the executable behind every process straight from /proc, bypassing ps;
# in the long listing of the exe symlinks, field 11 is the link target.
ls -l /proc/[0-9]*/exe 2> /dev/null | awk '{ if ($11 != "") print $11 }'
# End

It works like ps, but run it as root.

/Rob
0
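An extension of Rob's idea, added here as an example and not Rob's own script: build the process list from /proc with readlink, then compare the PIDs the kernel exposes with the PIDs the installed ps reports. A PID that is present in /proc both before and after ps ran but missing from ps output is exactly what a replaced ps, as Glenn describes, would produce. The function names and the "report" usage are my own; it assumes /proc is mounted and readlink is available, and resolving the exe link of every process needs root.

```shell
#!/bin/sh
# Added example, not Rob's script and not part of the original thread: read
# the process table straight from /proc, print the executable behind each
# PID, and cross-check against ps so a trojaned ps that hides a PID shows up
# as a discrepancy. Function names are my own. Run as root to resolve the exe
# link of every process; unprivileged you only resolve your own.

# proc_pids: PIDs the kernel exposes as /proc/<pid> directories
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done | sort -n
}

# proc_exe PID: path of the running binary, or "(unreadable)" when the link
# cannot be followed (no permission, or a kernel thread with no exe link).
# A target ending in " (deleted)" means the binary was removed from disk
# after it was started, which is worth a second look.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || printf '(unreadable)\n'
}

# list_exes: PID and executable for every process, built without ps
list_exes() {
    proc_pids | while IFS= read -r pid; do
        printf '%s\t%s\n' "$pid" "$(proc_exe "$pid")"
    done
}

# ps_pids: PIDs as reported by the (possibly tampered) ps binary. Only
# purely numeric first fields are kept, so a header line does no harm.
ps_pids() {
    ps -e -o pid= 2>/dev/null | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -n
}

# hidden_pids: PIDs present in /proc both before and after ps ran but absent
# from its output. Two /proc snapshots drop short-lived processes (including
# this script's own subshells) that merely came and went in between.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "ps not found" >&2; return 1; }
    before=$(proc_pids)
    seen=$(ps_pids)
    after=$(proc_pids)
    printf '%s\n' "$before" | while IFS= read -r pid; do
        printf '%s\n' "$after" | grep -qx "$pid" || continue
        printf '%s\n' "$seen"  | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# Constructed usage:  sh procscan.sh report
if [ "${1:-}" = "report" ]; then
    list_exes
    echo "--- in /proc but not in ps ---"
    hidden_pids
fi
```

An empty "in /proc but not in ps" section does not prove the box is clean (a kernel-level rootkit can hide from /proc as well), but a non-empty one is a strong reason to follow the CERT checklist from a boot CD rather than keep trusting the installed tools.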
 

Expert Comment

by:AlbertALD
Hi

I don't want to insult anyone's intelligence but, are you sure that the dots don't just indicate the upper level of the directory hierarchy? How many dots is it, 2? If so it's probably supposed to be there because it represents the "directory" above /root.

As for disk space, I would suggest you check your log files first, before you consider the possibility of a hacker. e.g. /var/log

Interested in the outcome of this.
0
 
LVL 20

Expert Comment

by:Gns
Yes Rob, or simpler perhaps is to use a live CD like Knoppix to inspect the system... no ambiguity as to tool status:-).

AlbertALD, sure it's worth mentioning, but should we not trust mavenr's report so far? Sure, s/he has mentioned a varying number of dots, but...:-).

-- Glenn
0
 
LVL 8

Expert Comment

by:da99rmd
Who owns the dir root?

/Rob
0
 

Author Comment

by:mavenr
Hi,

The directory has 4 dots in the name: ....

Glenn had suggested running fsck in his previous post. I think that also makes sense because that system already had some problems with the filesystem due to power fluctuation. They have run e2fsck 3/4 times within the last 8/10 months. I am not sure whether it is the filesystem or a worm that is causing this trouble. Can anyone please tell me more about that filesystem corruption point, what happens exactly? Is it possible that the directory can take the whole hard disk space if the filesystem is corrupted??

As I told you, that machine is being used as a mail server.... The users were not able to access their mails through webmail but they can access them through Outlook Express or Eudora.

And also the admin cannot log in from the console but he can ssh to the system from remote.

Does anyone have any views on worms in Linux that cause this kind of problems?


Thanks
0
 
LVL 20

Assisted Solution

by:Gns (earned 41 total points)
Well, filesystem corruption means just that: The filesystem has some faults/flaws that make it... unreliable. This means that the structures making up the filesystem "don't fit together" as they should. So you might have strangely named files/directories, files containing less than they should, space "locked" to "non-existent" files/inodes .... and intermittent->complete failure of any tools that try to access the affected filesystem.
So yes, this could well be the case here.

But a malicious hacker might mess up a system in pretty much the same way.

So one needs to take this system "offline" (not necessarily disconnect the LAN, but direct the production workload to another machine) ASAP and start looking at it... If files look ... jumbled ... in /etc, then perhaps do an fsck of the filesystem containing it etc.

Your friend is looking at a new install, in all probability, so it might be a good idea to do that on another machine, and make an "in-place switch"... Maining the new machine takes the old one's name&address&workload. And use some fairly recent distro version on the new one... Makes the transfer of data more problematic, but ensures that you have all the latest bug/security fixes.

When the switch has been made, then you'll have loads of time to inspect it... Even though you _could_ just bring it offline and boot some Knoppix or similar, without the migration to another machine... You'd have users breathing down your neck the whole time... Probably using foul language too;-).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Oh, one common reason for filesystem damage is failing hardware. It might be failing in such a way that you wouldn't see any log entries... Just the damage:-(
Yet another reason to get another box:-).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Among other typos: "Maining the new machine ..." -> "Meaning the new machine ..."

-- Glenn (a.k.a. Le Grand Typo)
0
 

Author Comment

by:mavenr
I suspect filesystem corruption; the reason is that there were frequent power fluctuations happening at that site, and as I told you, the admin cannot log in from the console but he can ssh from a remote machine. That was also seen immediately after the power failure.

can anyone explain how this can happen??

need you inputs

Thanks
0
 

Author Comment

by:mavenr
One more query..... Is it really possible that the private wireless networks can have this kind of problem, that somebody gets in and creates problems for others?

please reply

Thanks
0
 
LVL 20

Expert Comment

by:Gns
> can anyone explain how this can happen??
Unflushed buffers->powerfail->corrupt fs... For non-journaling fs at least.
With a journaling fs, this is less likely... But if (for some reason) the journal has become corrupted (through bug or HW malfunction), at least ext3 will "complain and fall back to ext2 behaviour".... Meaning you could still get metadata corruption.
... Or was it something else you wanted explained?

> one more query ..... is it really possible that the private wireless networks can have this kind of problems that somebody gets in and create problems for others?
Well... regardless of the _link security_, it is still a LAN, with some form of "WAN link to Internet", right? So the normal threats apply there...
And if (for some reason) one has misconfigured the wlan... Then you don't have link security either...
In "threadful" LANs you'd look to the physical link (the actual CAT5 cables) for link security... Perhaps restricting access to the building, perhaps having the cable in "see-through" tubes etc. The security features of the wlan are there to give you pretty much the same type of thing... And done right it'll even provide better (in some ways) link security. But that is all.
You still need bastions (firewalls etc) to protect you from evilness;-).

-- Glenn
0
 

Author Comment

by:mavenr
Can you please tell me how the corrupted filesystem behaves?
Thanks,
Pravin

0
 

Author Comment

by:mavenr
The system I am talking about is using an ext2 filesystem on SuSE Linux 7.1.
0
 
LVL 44

Assisted Solution

by:Karl Heinz Kremer (earned 41 total points)
A corrupted file system can have a lot of symptoms. You will probably see error messages on your console about failed read and write operations. It is possible that programs you try to run will crash or show other strange behavior, because corrupted code was loaded and executed. You may see strange crashes because a program is trying to read or write data without sufficient error checking. You may see strange file names, you may see directories containing just garbage, directories containing themselves, ...

0
 
LVL 20

Expert Comment

by:Gns
WTF, I made a _long_ comment on this yesterday, and .... well, obviously I didn't submit it... or EE dropped it (in a new "contentfilet-Gns->/dev/null style:-):-). Oh well.
Thanks Karl Heinz for providing the gist of it ... Which is: One really cannot say what the symptoms will be.. because they depend on what filesystem is corrupted, and in what way.

Since your friend is using ext2, the relevant passage from above is:
> Unflushed buffers->powerfail->corrupt fs...
Because it does not "journalize" metadata changes.... (That is: a journaled filesystem will enter any changes to "data about the data" into a log (or journal ... There is a difference between "logging filesystems" and "journaling filesystems" that we really don't need to look at now:-) in a safe manner before committing changes to the actual filesystem structures... Ensuring fast recovery time ... just replay the log (containing only completed writes) instead of the guesswork of fsck) ... it is very likely to become corrupt at a power failure.

Your friend would do best to look at moving to a more recent SuSE (or ... any distro:-), that will offer a wide variety of different journaling filesystems... ReiserFS, XFS, JFS and (of course... backwards compatible with ext2) Ext3. Probably worst performance, but perhaps easiest to start with would be ext3.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
"contentfilet-Gns->/dev/null style
should've been
"contentfilter-Gns->/dev/null" style

-- Glenn (a.k.a. Le Grand Typo)
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
Any recent SuSE version will default to reiserfs, but will work without any problems if you use ext3.
0
 
LVL 20

Expert Comment

by:Gns
Thought they might... Wasn't sure though. And from a performance perspective (amongst other things:-) ReiserFS is very good.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
This should be a split.... You decide which should partake in the split:-):-).... Nah, I think that I, KarlHeinz and possibly Rob should be included. Exactly which way, you get to decide though:-)

-- Glenn
0
