LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How can I hide a file from ls -a? (http://www.linuxquestions.org/questions/linux-security-4/how-can-i-hide-a-file-from-ls-a-496229/)

enigma_0Z 10-27-2006 08:03 PM

How can I hide a file from ls -a?
 
How can I hide files in an ext2/3 file system from ls -a and friends? I know about renaming the file to ".foo", but I want to do more than that--prevent listing altogether.

chadl 10-27-2006 09:12 PM

Only use this when you have the legal right to: for example, you own the system. Otherwise, this is a very nasty thing to do, and quite likely illegal.

There is a really strange way to do this... but it is a hack, and can cause problems to find your files again, and a very, very, very alert sysadmin could find this file, and then would know that something is up, as this is just about the only case where such a situation would exist.

1) Make a normal file... "touch test"
2) Make a process that will keep the file open forever (if this program stops, then the file will be gone) (see the example c++ program below)
Run the program in a way such as "nohup ./keepopen&" as this will give you the process number, and you can log-out and it will not die.
3) Run "unlink test"
---At this point, your file will not show up in ls -a---
4) Run "cat /proc/<process id>/fd/3" to read your file, where process id is the process id of the program that is keeping the file open (when you come back sometime later)

Downsides to this:
1) When the system restarts, your file goes away.
2) If the process you are using to keep the file open goes away, so does the file.
3) My systems all scan for files like this... by looking at the output of the file command that says deleted file. Any systems that I lock-down do this also. I would bet I am the only one, however. Note to other SysAdmins out there: You really should scan for things like this.

In many cases, if the program you want to use outputs text (for example a logging program), then you can just use that program, and you do not need your own. However, if you want to keep some text around that nobody can see, try this program (just compile it):
Code:

#include <iostream>
#include <fstream>
#include <unistd.h>   // usleep()
using namespace std;

int main() {
        // Open "test" (creating it if needed) and never close it: the inode
        // stays allocated for as long as this process holds the descriptor,
        // even after the directory entry has been unlinked.
        ofstream keepopen;
        keepopen.open("test", ios::app);
        while (true)
        {
                usleep(1000000);  // sleep one second, forever
        }
}


If someone thinks that this is too close to hacking to be allowed around here, feel free to delete the post, or tell me to delete it. I am not really sure where to draw the line on something like this, as it half seems like hacking, and half seems like a strange, but OK thing to do. Any ideas?
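The scan chadl describes under downside 3, written out as an added example (this is not code from chadl or from any other poster, and not the check Rootkit Hunter or Tiger ship): walk /proc/<pid>/fd and report every descriptor whose link target carries the " (deleted)" suffix the kernel appends once the name has been unlinked. The proc root is taken as a parameter so the function can be pointed at a constructed fixture tree; that parameter, the helper names and the sample paths are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: report open-but-unlinked files by
# reading the symlinks under <proc_root>/<pid>/fd/*.  On a live system the
# proc_root is /proc and the scan must run as root to see other users'
# descriptors; the kernel marks unlinked targets with a " (deleted)" suffix.

find_deleted_open() {
    proc_root="${1:-/proc}"                  # assumption: parameter for testability
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue             # skip a non-matching glob literal
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${fd#"$proc_root"/}
                pid=${pid%%/*}
                # pid <TAB> fd number <TAB> original path
                printf '%s\t%s\t%s\n' "$pid" "${fd##*/}" "$target"
                ;;
        esac
    done
}

# Constructed fixture: a fake proc tree with one unlinked target (fd 3, as in
# chadl's step 4) and two ordinary ones.  Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/4242/fd" "$root/17/fd"
    ln -s '/home/user/test (deleted)' "$root/4242/fd/3"
    ln -s '/dev/null'                 "$root/4242/fd/0"
    ln -s '/var/log/syslog'           "$root/17/fd/5"
    printf '%s\n' "$root"
}

# Number of open-but-unlinked descriptors found under the given proc root.
count_deleted_open() {
    find_deleted_open "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    find_deleted_open "$root"        # expected: one line for pid 4242, fd 3
    rm -rf "$root"
fi
```

Run it as "sh scan.sh --demo" to see the fixture result, or call "find_deleted_open /proc" as root on a real host. Every hit is not malicious: log daemons and databases routinely hold descriptors to rotated or temporary files, so the useful step is to compare the reporting process and its path against what is expected on that machine.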

David the H. 10-28-2006 01:26 AM

You can put the files in a directory and remove all read permissions from that directory. Then any attempt to look into it will give you a "permissions denied" error instead of a listing. You won't be able to hide the directory itself though, only the files it holds.

jayjwa 10-28-2006 08:05 AM

Look into a little utility called "bmap" and slack-space. I'm not sure if it works on ext3, though...

http://www.cs.utsa.edu/~jcochett/gra...-1.0.17.tar.gz

Standard disclaimers apply. If it breaks your disk in half you get to keep both pieces.

unSpawn 10-28-2006 11:47 AM

Quote:

Originally Posted by enigma_0Z
How can I hide files in an ext2/3 file system from ls -a and friends?

Any particular reason why you would want this?


I think the opened file is a nice one. But
Quote:

Originally Posted by chadl
3) My systems all scan for files like this... by looking at the output of the file command that says deleted file. Any systems that I lock-down do this also. I would bet I am the only one, however. Note to other SysAdmins out there: You really should scan for things like this.

this functionality was added to Rootkit Hunter 1.2.9 and has been in Tiger for years.


Hiding in slack space is cool but Bmap didn't work for me on Ext3. Oh well. Other ways could be blocking access with an SELinux or GRSecurity RBAC rule (reboot w/o ruleset), piggybacking the file to another one by catting it, using steganography or an ELF section (check hash), using some PRELOAD (unset if account rights) or using an LKM.

enigma_0Z 10-28-2006 01:17 PM

I thought there was a way to hide files with chattr...

unSpawn 10-29-2006 05:38 AM

Quote:

Originally Posted by enigma_0Z
I thought there was a way to hide files with chattr...

In your case reading the man page would be better.

enigma_0Z 10-29-2006 09:57 AM

... yeah, before anyone else says it, I did RTFM.

It was when I was just learning linux (several years ago), and I thought there was an easy way to hide files like that.

unSpawn 10-29-2006 12:42 PM

Well Mr Watson, since you said you read the fine manual, pray tell, what extended attribute provides (or did provide several years ago) this feature?

enigma_0Z 10-30-2006 10:42 AM

Quote:

Originally Posted by unSpawn
Well mr Watson, since you said you read the fine manual, pray tell, what extended attribute provides (or did provide several years ago) this feature?

I don't remember. It probably wasn't an extended attribute. It was a long time ago. This thread can be closed. All that I remember is that there was an extended attribute that was really cool. I thought that it was hiding a file. It was probably the immutable flag though.

I just want to reiterate that this was a very long time ago. I was probably just confused about what I was doing.

unSpawn 10-30-2006 12:32 PM

Quote:

Originally Posted by enigma_0Z
I don't remember.

My reply was actually a hint to reread that man page. You'd have found there *is* and *was* no extended attribute to hide files.


Quote:

Originally Posted by enigma_0Z
This thread can be closed.

It sure won't be closed. Threads are closed when they violate LQ Rules or are about to go nuclear.

makix 10-31-2006 11:20 AM

Interesting way of hiding (that with c++). How can I learn more about this..

theYinYeti 10-31-2006 12:29 PM

If you're the owner of the machine, and it runs Linux, and you know how to compile a kernel, you may look at the gobohide kernel patch, from the GoboLinux distribution:
http://www.gobolinux.org/index.php?p...icles/gobohide

Yves.
