Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
This tells that the above files have been modified after the installation of coreutils. More in detail the size, checksum and modification time are changed. Most likely you will have some other strange file in the /bin directory, like rm.orig or chgrp.orig. You can check for this.
Code:
/bin/mv: ASCII text
From the above the first thing you can do is to see the content of the file, and look for any comment line which can give you information about the origin of this file. And maybe post the content, since all of us in this thread are curious at this point!
A question arise now: are you the unique administrator of this machine? Is it you who performed the installation of the operating system? You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a maliciuos intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
have been created with a maliciuos intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
Or a devious method of concealing in plain sight by making it seem unlikely that it was a hacker. In other words not trying to hide it at all may be a good way to hide it!
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Maybe I am just not a trusting kind of person to be so suspicious.
I am always happy to learn from you experienced guys to determine the root cause of this issue.
I am the current admin of this machine, but it is not me who installed the system before. It is a new machine which is transferred to me.
Here is the content of /bin/mv, please feel free to let me know if you need more information to determine the root cause of why mv with filename containing space character is not working.
If you find the root cause, please also share with us here. :-)
This tells that the above files have been modified after the installation of coreutils. More in detail the size, checksum and modification time are changed. Most likely you will have some other strange file in the /bin directory, like rm.orig or chgrp.orig. You can check for this.
Code:
/bin/mv: ASCII text
From the above the first thing you can do is to see the content of the file, and look for any comment line which can give you information about the origin of this file. And maybe post the content, since all of us in this thread are curious at this point!
A question arise now: are you the unique administrator of this machine? Is it you who performed the installation of the operating system? You see... I doubt that these files
Code:
/bin/mv
/bin/mv.2
/bin/mv.orig
have been created with a maliciuos intent, since there is apparently no attempt to hide them. I wonder if some other administrator has intentionally suited things for his needs. Cheers!
Good imagination of the intent of the file and how hacker thinks -- seems you were hacker before? :-)
It is appreciated if you could provide some ideas of how to determine the root cause of this issue, why mv is not working with file name with space character.
Quote:
Originally Posted by jschiwal
Or a devious method of concealing in plain sight by making it seem unlikely that it was a hacker. In other words not trying to hide it at all may be a good way to hide it!
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Maybe I am just not a trusting kind of person to be so suspicious.
Ok. It looks like a monitor facility to trace the usage of basic linux commands. You can check if the file /var/log/sysmon/sys.log is in place. Maybe its size is huge, unless it is rotated together with the system logs. If you look the content of this log file, you will find something like
Code:
============================================================
Wed Nov 14 14:35:13 CET 2007
user: colucix
Command: /home/colucix/pluto/test/mv pippo pluto paperino
PID: 21440
UID PID PPID C STIME TTY TIME CMD
colucix 21440 21290 0 14:35 pts/4 00:00:00 bash -x script.sh pippo pluto paperino
This will tell you who and when is moving what. I don't know if it comes with a package or if it was installed by hand. I am for the second hypothesis.
If you decide to keep things are they are, you can edit the file /bin/mv and change the line
Code:
mv.orig $*
into
Code:
mv.orig "$@"
this will take care of the filenames containing blank spaces. You can see the bash manual page under the section "positional parameters" or the Advanced Bash Scripting Guide, section 9.1 for a detailed explanation.
You also can check the other commands that have been changed from the original installation of coreutils:
Maybe a hacker who is a fan of the movie "Airplane". Why not make copies of the original files, in place. "That would be the last thing they'd expect."
Here is the related description, and I have also tried that your solution works. But I am still confused what is the differences between $* and $@ after reading the book.
For $*, the book says, seen as a single word, and for $@ the book says each parameter is a quoted string, that is, the parameters are passed on intact. Looks like $* and $@ are the same, right?
--------------------
$*
All of the positional parameters, seen as a single word
$@
Same as $*, but each parameter is a quoted string, that is, the parameters are passed on intact, without interpretation or expansion. This means, among other things, that each parameter in the argument list is seen as a separate word.
--------------------
Quote:
Originally Posted by colucix
Ok. It looks like a monitor facility to trace the usage of basic linux commands. You can check if the file /var/log/sysmon/sys.log is in place. Maybe its size is huge, unless it is rotated together with the system logs. If you look the content of this log file, you will find something like
Code:
============================================================
Wed Nov 14 14:35:13 CET 2007
user: colucix
Command: /home/colucix/pluto/test/mv pippo pluto paperino
PID: 21440
UID PID PPID C STIME TTY TIME CMD
colucix 21440 21290 0 14:35 pts/4 00:00:00 bash -x script.sh pippo pluto paperino
This will tell you who and when is moving what. I don't know if it comes with a package or if it was installed by hand. I am for the second hypothesis.
If you decide to keep things are they are, you can edit the file /bin/mv and change the line
Code:
mv.orig $*
into
Code:
mv.orig "$@"
this will take care of the filenames containing blank spaces. You can see the bash manual page under the section "positional parameters" or the Advanced Bash Scripting Guide, section 9.1 for a detailed explanation.
You also can check the other commands that have been changed from the original installation of coreutils:
I have tried $@ works. But after reading the advanced Bash-Scripting guide section 9.1, I am still confused. What is the differences between $@ and $* (after reading the book, I can not tell the exact differences)? Could you see my post in #25 and comment please?
Quote:
Originally Posted by jschiwal
Yes, the script logs information about every mv command. That would make it easier reverse mistakes.
I ran a test program to test whether this was right:
Code:
cat >test
echo "$@"
echo "$1" "$2"
./showargs "$*"
./showargs "$@"
[jschiwal@delllap ~]$ cat >showargs
echo ":$1:$2:$3:$4:"
[jschiwal@delllap ~]$ chmod +x test showargs
[jschiwal@delllap ~]$ ./test abc d\ e fgh
abc d e fgh
abc d e
:abc d e fgh::::
:abc:d e:fgh::
I was afraid embedded whitespace might cause a problem but I was wrong. Passing "$@" will work.
And, no, I was never a hacker. I just read on what to look out for. Recompiling basic commands on the system is one thing in their bag of tricks.
Suppose you have the arguments: a b "c d" "d e f".
"$@" will have 4 arguments: a, b, c d, d e f
$* will split them up into 7 separate arguments, while "$*" will join them into one argument with 7 letters and 6 spaces.
I'll use the "set" command to demonstrate. Enter "set <arguments>" will set the current shell arguments, so you can test things out interactively instead of having to write a script and calling it.
Code:
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> echo "$@"
a b c d e f g
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c d
jschiwal@hpamd64:~> echo $4
e f g
jschiwal@hpamd64:~> set "$@"
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c d
jschiwal@hpamd64:~> echo $4
e f g
jschiwal@hpamd64:~> echo "$@"
a b c d e f g
jschiwal@hpamd64:~> set "$*"
jschiwal@hpamd64:~> echo $1
a b c d e f g
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> set $*
jschiwal@hpamd64:~> echo $1
a
jschiwal@hpamd64:~> echo $2
b
jschiwal@hpamd64:~> echo $3
c
jschiwal@hpamd64:~> echo $4
d
jschiwal@hpamd64:~> set a b 'c d' 'e f g'
jschiwal@hpamd64:~> set "$*"
jschiwal@hpamd64:~> echo $1
a b c d e f g
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
