My server was hacked by internet hackers. The server hides any files or folders with the name pattern `*system-sleep*` from the `ls`/`find` command. I can use some commands like `chmod` on the hidden folder. But when I create any folder or file with the same name/path pattern, it gets hidden. I am curious about how they could do that. I have reviewed the bashrc files; they did not do anything like adding the `--ignore` option to `ls`.
Answer 1
They may have loaded a kernel module that hooks into the processing of the `getdents()` system call and removes matching directory entries from the results before they are returned to userspace. Using the `insmod` command, such a kernel module can be loaded from a non-default location, and it can also be deceptively named. It might also hide itself from the `lsmod` listing in much the same way: by hooking into the part of the kernel that produces the listing and removing its own name from it before passing the information onward.
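A small check a defender can run to confirm the symptom the question describes, added here as an example that is not part of the original post or answer: it creates a directory matching the hidden pattern, checks whether the name can still be reached with `lstat` while being absent from the `readdir`/`getdents()` listing, and compares the parent directory's link count against the subdirectories actually listed (a heuristic that holds on ext4, xfs and tmpfs, where a directory's `st_nlink` is 2 plus its subdirectory count, but not on btrfs). The function names `hidden_entries`, `nlink_discrepancy` and `probe` are this example's own.

```python
import os
import stat
import tempfile

def hidden_entries(directory, names):
    """Return those `names` that exist in `directory` (lstat succeeds) but are
    missing from the listing produced by readdir(), i.e. by getdents()."""
    listed = set(os.listdir(directory))          # goes through getdents()
    hidden = []
    for name in names:
        try:
            os.lstat(os.path.join(directory, name))  # path lookup, not getdents()
        except FileNotFoundError:
            continue                                  # genuinely absent, skip
        if name not in listed:
            hidden.append(name)
    return hidden

def nlink_discrepancy(directory):
    """Number of subdirectories implied by st_nlink (nlink - 2) minus the
    number of subdirectories visible in the listing. 0 means consistent; a
    positive value means entries are being filtered from getdents(); None
    means the filesystem does not follow the nlink convention (e.g. btrfs)."""
    st = os.lstat(directory)
    if st.st_nlink < 2:
        return None
    listed_subdirs = 0
    for name in os.listdir(directory):
        child = os.lstat(os.path.join(directory, name))
        if stat.S_ISDIR(child.st_mode):            # symlinks to dirs are not counted
            listed_subdirs += 1
    implied = st.st_nlink - 2
    if implied < listed_subdirs:
        return None                                   # convention not followed here
    return implied - listed_subdirs

def probe(pattern_name="system-sleep"):
    """Create a directory matching the pattern the question mentions inside a
    fresh temporary directory and run both checks. On an untampered kernel this
    returns ([], 0) or ([], None) depending on the filesystem."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, pattern_name))     # constructed test entry
        open(os.path.join(tmp, "control.txt"), "w").close()
        return (hidden_entries(tmp, [pattern_name, "control.txt"]),
                nlink_discrepancy(tmp))

if __name__ == "__main__":
    print(probe())
```

A non-empty first element means a name that can be opened directly is being dropped from directory listings, which is exactly the behaviour a `getdents()` hook produces.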