Hacker hid folder/file with name pattern from Linux ls

My server was hacked by internet hackers.

The server hides any files or folders whose names match the pattern *system-sleep* from the ls/find commands. I can still use some commands like chmod on the hidden folder. But when I create any folder or file with the same name/path pattern, it gets hidden too.

I am curious about how they could do that. I have reviewed the bashrc files; they did not do anything like adding the --ignore option to ls.

Answer 1

They may have loaded a kernel module that hooks into the processing of the getdents() system call and removes matching directory entries from the results before they are returned to userspace.

Using the insmod command, such a kernel module can be loaded from a non-default location, and it can also be deceptively named. It might also hide itself from the lsmod listing in much the same way: by hooking into the part of the kernel that produces the listing and removing its own name from it before passing the information onward.
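A practical way to confirm the behaviour this answer describes, added here as an example and not code from the question or the answer: path-based calls such as open() and stat() are not affected by a getdents() hook, so a file that stat() confirms but the directory listing omits is direct evidence of entry filtering. The "system-sleep" substring is taken from the question; the simulated hook and the probe file names are assumptions for demonstration, and the link-count check only applies on filesystems that maintain directory st_nlink (ext4, xfs, tmpfs), not btrfs.

```python
import os
import tempfile

# Constructed probe names: one matches the substring from the question, one does not.
SUSPECT_NAMES = ["system-sleep-probe", "ordinary-probe"]


def probe_hidden_names(directory, names, list_dir=os.listdir):
    """Create each name, confirm it exists via stat() (a path-based syscall a
    getdents() hook does not touch), then check whether the directory listing
    reports it. Returns the names present on disk but absent from the listing.
    `list_dir` is injectable so a hooked listing can be simulated offline."""
    hidden = []
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "w"):
            pass
        os.stat(path)  # raises if the file does not exist; no getdents() involved
        if name not in list_dir(directory):
            hidden.append(name)
        os.unlink(path)
    return hidden


def nlink_mismatch(directory):
    """Second, listing-independent signal: on ext4/xfs/tmpfs a directory's
    st_nlink equals 2 + its subdirectory count, so a subdirectory dropped by a
    getdents() hook leaves the listing short of the link count. Returns
    (expected, seen), or None when the filesystem does not maintain it."""
    nlink = os.lstat(directory).st_nlink
    if nlink < 2:
        return None
    seen = sum(1 for e in os.scandir(directory) if e.is_dir(follow_symlinks=False))
    return nlink - 2, seen


def simulated_hook(directory):
    """Stand-in (assumption) for a hooked getdents(): drops matching entries."""
    return [n for n in os.listdir(directory) if "system-sleep" not in n]


def self_check():
    """Run both checks in a scratch directory, against the real listing and the
    simulated hook, and return the findings for inspection."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "real": probe_hidden_names(d, SUSPECT_NAMES),
            "hooked": probe_hidden_names(d, SUSPECT_NAMES, simulated_hook),
            "nlink": nlink_mismatch(d),
        }


if __name__ == "__main__":
    print(self_check())
```

On a host whose getdents() path is filtered, the "real" result would list the matching probe name just as the simulated run does; a second strategy is to check the same directory from a clean rescue system, where the module is not loaded.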
