LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-27-2006, 08:03 PM   #1
enigma_0Z
Member
 
Registered: Apr 2005
Distribution: Ubuntu, RHEL, Darwin
Posts: 73

Rep: Reputation: 15
How can I hide a file from ls -a?


How can I hide files in an ext2/3 file system from ls -a and friends? I know about renaming the file to ".foo", but I want to do more than that--prevent listing together
 
Old 10-27-2006, 09:12 PM   #2
chadl
Member
 
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129

Rep: Reputation: 16
Only use this when you have the legal right to: for example, you own the system. Otherwise, this is a very nasty thing to do, and quite likely illegal

There is a really strange way to do this... but it is a hack, and can cause problems to find your files again, and a very, very, very alert sysadmin could find this file, and then would know that something is up, as this is just about the only case where such a situation would exist.

1)Make a normal file... "touch test"
2)Make a process that will keep the file open forever (if this program stops, then the file will be gone) (see the example c++ program below)
Run the program in a way such as "nohup ./keepopen&" as this will give you the process number, and you can log-out and it will not die.
3)run "unlink test"
---At this point, your file will not show up in ls -a---
4)Run "cat /proc/<process id>/fd/3" to read your file, where process id is the process id of the program that is keeping the file open (when you come back sometime later)

Downsides to this:
1) When the system restarts, your file goes away.
2) If the process you are using to keep the file open goes away, so does the file.
3) My systems all scan for files like this... by looking at the output of the file command that says deleted file. Any systems that I lock-down do this also. I would bet I am the only one, however. Note to other SysAdmins out there: You really should scan for things like this.

In many cases, if the program you want to use outputs text (for example a logging program), then you can just use that program, and you do not need your own. However, if you want to keep some text around that nobody can see, try this program (just compile it):
Code:
#include <iostream>
#include <fstream>
using namespace std;

int main() {
        ofstream keepopen;
        keepopen.open("test",ios::app);
        while(true)
        {
                usleep(1000000);
        }
}

If someone thinks that this is too close to hacking to be allowed around here, feel free to delete the post, or tell me to delete it. I am not really sure where to draw the line on something like this, as it half seems like hacking, and half seems like a strange, but OK thing to do. Any ideas?

Last edited by chadl; 10-27-2006 at 09:47 PM.
 
Old 10-28-2006, 01:26 AM   #3
David the H.
Bash Guru
 
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Debian sid + kde 3.5 & 4.4
Posts: 6,823

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
You can put the files in a directory and remove all read permissions from that directory. Then any attempt to look into it will give you a "permissions denied" error instead of a listing. You won't be able to hide the directory itself though, only the files it holds.
 
Old 10-28-2006, 08:05 AM   #4
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Look into a little utility called "bmap" and slack-space. I'm not sure if works on ext3, though...

http://www.cs.utsa.edu/~jcochett/gra...-1.0.17.tar.gz

Standard disclaimers apply. If it breaks your disk in half you get to keep both pieces.
 
Old 10-28-2006, 11:47 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
How can I hide files in an ext2/3 file system from ls -a and friends?
Any particular reason why you would want this?


I think the opened file is a nice one. but
3) My systems all scan for files like this... by looking at the output of the file command that says deleted file. Any systems that I lock-down do this also. I would bet I am the only one, however. Note to other SysAdmins out there: You really should scan for things like this.
this functionality was added to Rootkit Hunter 1.2.9 and has been in Tiger for years.


Hiding in slack space is cool but Bmap didn't work for me on Ext3. Oh well. Other ways could be blocking access with a with SELinux or GRSecurity RBAC rule (reboot w/o ruleset), piggybacking the file to another one by catting it, using steganography or as ELF section (check hash), using some PRELOAD (unset if account rights) or using an LKM.
 
Old 10-28-2006, 01:17 PM   #6
enigma_0Z
Member
 
Registered: Apr 2005
Distribution: Ubuntu, RHEL, Darwin
Posts: 73

Original Poster
Rep: Reputation: 15
I thought there was a way to hide files with chattr...
 
Old 10-29-2006, 05:38 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
I thought there was a way to hide files with chattr...
In your case reading the man page would be better.
 
Old 10-29-2006, 09:57 AM   #8
enigma_0Z
Member
 
Registered: Apr 2005
Distribution: Ubuntu, RHEL, Darwin
Posts: 73

Original Poster
Rep: Reputation: 15
... yeah, before anyone else says it, I did RTFM.

It was when I was just learning linux (several years ago), and I thought there was an easy way to hide files like that.
 
Old 10-29-2006, 12:42 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
Well mr Watson, since you said you read the fine manual, pray tell, what extended attribute provides (or did provide several years ago) this feature?
 
Old 10-30-2006, 10:42 AM   #10
enigma_0Z
Member
 
Registered: Apr 2005
Distribution: Ubuntu, RHEL, Darwin
Posts: 73

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
Well mr Watson, since you said you read the fine manual, pray tell, what extended attribute provides (or did provide several years ago) this feature?
I don't remember. It probably wasn't an extended attribute. It was a long time ago. This thread can be closed. All that I remember is that there was an extended attribute that was really cool. I thought that it was hiding a file. It was probably the immutable flag though.

I just want to reiterate that this was a very long time ago. I was probably just confused about what I was doing.
 
Old 10-30-2006, 12:32 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
I don't remember.
My reply was actually a hint to reread that man page. You'd have found there *is* and *was* no extended attribute to hide files.


This thread can be closed.
It sure won't be closed. Threads are closed when they violate LQ Rules or are about to go nuclear.

Last edited by unSpawn; 10-30-2006 at 12:34 PM.
 
Old 10-31-2006, 11:20 AM   #12
makix
LQ Newbie
 
Registered: Apr 2005
Distribution: fedora
Posts: 16

Rep: Reputation: 0
İnteresting way of hiding (that with c++).How can i learn more about this..
 
Old 10-31-2006, 12:29 PM   #13
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 61
If you're the owner of the machine, and it runs Linux, and you know how to compile a kernel, you may look at the gobohide kernel patch, from the GoboLinux distribution:
http://www.gobolinux.org/index.php?p...icles/gobohide

Yves.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hide X tux06 Debian 7 10-14-2006 12:25 PM
Can i hide a file with bmap???? DropSig Linux - Security 3 01-29-2006 06:32 AM
idea to hide encrypted file system on audio cd ? qwijibow Linux - Security 2 09-13-2004 08:53 PM
How do you hide your IP in Linux? javaarmy Linux - General 2 09-24-2003 09:25 AM
Hide icons? TravisB Linux - General 0 05-02-2002 11:34 AM


All times are GMT -5. The time now is 11:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration