Re: Duplicate '..' in /lib

From: J Troy Piper (
Date: Mon Jul 16 2001 - 03:16:56 EST

> As it turns out, the extraneous '..' is actually a file. I did a rm ..*,
> which left the original .. directory alone but removed the .. file. Did a
> e2fsck on reboot, no problems found.

Yes, good to remove the file, but now my main concern is that your system
may have been compromised as the old ".." dir-not-really file entry may
have other connotations. It is definately a possibility of a cracked
system (as the .. file appears in many new r00tkit type exploits.) i would
do some extensive forensics on the machine in question. are there new
entries in /etc/passwd or /etc/shadow that shouldn't be there?

DISCLAIMER - I am not insisting your machine was compromised, but why be
lax about it? Check the system in every way possible to determine if
someone has cracked and installed a r00tkit on your box. just getting rid
of the single .. entry may not be enough. look for other suspicious
files, keep copies of them before deleting the ones available to the
public in /lib or /usr or whatever, and check out any suspicious files
that were created/modified/accessed in the same window (5 or 6 minuites)
as the double .. entry in /lib

it sounds to me like someone MAY have been trying to replace system lib
files, or even perhaps load malicious kernel code in modules. at my job,
this system would be immediately taken off the 'production line' until a
thorough examination/investigation can be done. check logins around the
ctime of the original .. creation and compare with who was logged in etc

this may be nothing, it may be a nasty kernel bug, or it may be malicious
hackers attampting to pull the wool over your eyes.

be PARANOID in any situation in which your machine MAY have been
compromised and persue the forensic evidence until you hit a titanium
wall (a brick wall can be easily broken down).

If you have no idea where to go from here, send me email logs of what has
been found and i will give it my best shot at determining whether this is
a kernel bug (which i would assume would've been caught and dealt with by
now), or a nasty attack involving a rootkit, so the 'attackers' can regain
access to the system.

Start with "netstat --inet -a" and see if you find any open ports that
shouldn't be open. That would be the first indication of a rootkit that
allows the rootkitter (person installing the rootkit) to regain access to
the system even after it has been 'locked down'.

rootkits are well know for leaving SEVERAL backdoors so that if one is
found, the attacker still has multiple ways to re-enter and re-penetrate
the system.

J Troy Piper

PS - sorry about the FUD slam about 'the evil cracker' but we all know they DO exist, and the weaker the admin, the easier it is to take advantage of the systems under the admin's control.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to More majordomo info at Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon Jul 23 2001 - 21:00:06 EST