The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Monday, March 26, 2007

Notes on what geeks find interesting

I've been using Linux for over twelve years now, and I'm still learning it.

Today, Wlofie and I spent a few hours doing Stupid Shell Tricks under Linux—stuff like naming files “ .. ” (that's space, period, period, space), or “ . * & ! prang” (that's space, period, space, asterisk, space, ampersand, space, exclamation point, space, “prang”), or even “-rf *”—names that give the Unix shell fits (or give naive users fits when they try to get rid of such files).

From there, we ventured into the territory that crackers use to hide their activities under Unix systems. One such trick is the following command:

GenericUnixPrompt> hacker_tool || rm -rf ./

Kill the running hacker_tool process and all the files are removed. A process listing will only show the hacker_tool running. A smart cracker will zap or munge the history file of the shell. So that's a pretty hard thing to detect.

Another trick a cracker will do to make things difficult is:

GenericUnixPrompt> hacker_tool &
[1] 4532
GenericUnixPrompt> /bin/rm hacker_tool

This starts the hacker_tool, then the executable is removed. The program still runs since the code is in memory, but there's no way to actually recover the executable.

Or so I thought.

Wlofie showed me this though (at least, under Linux):

GenericUnixRootPrompt# cd /proc/4532
GenericUnixRootPrompt# cp exe /tmp/recovered_executable_file
	# or alternatively
GenericUnixRootPrompt# dd if=exe of=/tmp/recovered_executable_file
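As an added example (not part of the original entry), the following POSIX shell script turns the two tricks above into a defender's check: it walks /proc for processes whose `exe` link carries the ` (deleted)` suffix the kernel appends once the binary has been unlinked, and then pulls a copy back out through `/proc/PID/exe` the same way the `cp`/`dd` commands above do. The demo function reproduces the "start it, then delete it" trick with a harmless copy of `sleep`; the function names, the temporary paths and the checksum comparison are the example's own assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: detect processes whose on-disk
# binary has been deleted, and recover the binary from /proc/PID/exe.

# find_deleted_exes: print "PID<TAB>original path" for every process whose
# /proc/PID/exe link ends in " (deleted)". Processes we are not permitted
# to inspect (other users' processes, without root) are silently skipped.
find_deleted_exes() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                printf '%s\t%s\n' "${p#/proc/}" "${target% (deleted)}"
                ;;
        esac
    done
    return 0
}

# recover_exe PID DEST: copy the still-mapped binary out of /proc/PID/exe
# (cp first, dd as the fallback the post mentions). Succeeds only if DEST
# ends up as a non-empty file.
recover_exe() {
    pid=$1
    dest=$2
    cp "/proc/$pid/exe" "$dest" 2>/dev/null \
        || dd if="/proc/$pid/exe" of="$dest" 2>/dev/null \
        || return 1
    [ -s "$dest" ]
}

# demo_deleted_binary: reproduce the trick with a harmless copy of sleep,
# detect it, recover the binary, and confirm the recovered copy is
# byte-identical to what was deleted. Returns 0 on success.
demo_deleted_binary() {
    dir=$(mktemp -d)                           # constructed scratch location
    cp "$(command -v sleep)" "$dir/sleep"
    orig_sum=$(cksum < "$dir/sleep")
    "$dir/sleep" 60 &                          # start it ...
    pid=$!
    rm "$dir/sleep"                            # ... then unlink the executable

    found=$(find_deleted_exes | awk -v pid="$pid" '$1 == pid { print $2 }')
    recover_exe "$pid" "$dir/recovered" || { kill "$pid" 2>/dev/null; rm -rf "$dir"; return 1; }
    rec_sum=$(cksum < "$dir/recovered")

    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    [ "$found" = "$dir/sleep" ] && [ "$orig_sum" = "$rec_sum" ]
}

# Typical use on a live box: list suspects, then recover one for analysis.
#   find_deleted_exes
#   recover_exe 4532 /tmp/recovered_executable_file
```

Run as the owner of the process (or as root) because opening `/proc/PID/exe` is gated by the same ptrace access check that protects other users' processes; the link target is only readable from the same uid or with the appropriate privilege.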

Ah, the things geeks find interesting.


Copyright © 1999-2019 by Sean Conner. All Rights Reserved.