After an intruder has owned your machine, he will probably try to hide himself. He may install a kernel rootkit (such as adore) that hooks the system calls ls relies on for reading directories, so that certain files simply never show up in a listing. Files hidden this way can still be found with a tool that reads the raw block device and parses the filesystem structures itself, without asking the kernel for the directory contents. Such a tool exists: debugfs, from e2fsprogs, which understands the ext2/ext3 on-disk format. I wrote a little script that recursively lists the contents of a directory, first using ls, then using debugfs. If it finds any files that ls can't see, it outputs their names.

You can download this script. The first argument is the block device that holds the filesystem, the second is the directory to scan; you need root to read the device. Use it like this:
# ./look_for_hidden_files.pl /dev/hda1 /home/user

A few things to keep in mind: the debugfs binary (and perl) you run must themselves be trusted, so take them from known-good media, because a rootkit can trojan them as easily as it trojans ls. debugfs reads the device directly, so run sync first or files created moments ago may not be on disk yet. And this only catches rootkits that hide files by filtering directory listings; a rootkit that also intercepts reads of the block device can lie to debugfs as well.
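
The same comparison in Python, as an added example rather than the Perl script from this page (which is not reproduced here). It uses debugfs's `ls -p` output (one `/inode/mode/uid/gid/name/size/` entry per line, empty size for directories), maps the scanned directory to a path relative to the filesystem root as debugfs expects, and recurses using debugfs's view of the tree so that the contents of a hidden directory are inspected too. The sample debugfs output in the test below is constructed, as are the `.hidden` and `lost+found` entry names.

```python
#!/usr/bin/env python3
"""Compare the kernel's view of a directory (os.listdir) with debugfs's own
parse of the ext2/3/4 filesystem on the raw block device, and report entries
the kernel does not show. Added example; not the page's Perl script."""
import os
import subprocess
import sys


def parse_debugfs_ls(output):
    """Return {name: mode} for each entry in 'debugfs -R "ls -p DIR"' output.
    Entry lines look like /inode/mode/uid/gid/name/size/ (debugfs(8) -p);
    '.' and '..' and any non-entry lines are skipped."""
    entries = {}
    for line in output.splitlines():
        if not line.startswith("/"):
            continue
        parts = line.split("/")
        if len(parts) < 7:
            continue
        try:
            mode = int(parts[2], 8)      # printed as %06o by debugfs
        except ValueError:
            continue
        name = parts[5]
        if name in (".", ".."):
            continue
        entries[name] = mode
    return entries


def fs_relative_path(path, mountpoint):
    """debugfs paths are relative to the filesystem root, not to '/':
    /home/user on a filesystem mounted at /home is /user inside that fs."""
    path = os.path.normpath(path)
    mountpoint = os.path.normpath(mountpoint)
    if mountpoint == "/":
        return path
    if path != mountpoint and not path.startswith(mountpoint + "/"):
        raise ValueError("%s is not under mountpoint %s" % (path, mountpoint))
    return path[len(mountpoint):] or "/"


def find_mountpoint(path):
    """Walk up from path until a mount point is found."""
    path = os.path.abspath(path)
    while not os.path.ismount(path):
        path = os.path.dirname(path)
    return path


def compare_views(kernel_names, debugfs_entries):
    """Entries debugfs sees but the kernel does not are the suspects.
    The reverse set is reported too: it usually means a race (file created
    after the listing) or metadata not yet flushed to disk."""
    kernel = set(kernel_names)
    ondisk = set(debugfs_entries)
    return sorted(ondisk - kernel), sorted(kernel - ondisk)


def debugfs_ls(device, fs_path):
    """Ask debugfs (read-only by default) for a parseable listing."""
    proc = subprocess.run(["debugfs", "-R", "ls -p %s" % fs_path, device],
                          capture_output=True, text=True, check=True)
    return parse_debugfs_ls(proc.stdout)


def scan(device, directory, mountpoint):
    """Recurse over debugfs's view of the tree, so a directory the kernel
    claims does not exist still gets its contents listed."""
    entries = debugfs_ls(device, fs_relative_path(directory, mountpoint))
    try:
        kernel_names = os.listdir(directory)
    except FileNotFoundError:
        kernel_names = []        # whole directory hidden from the kernel's view
    hidden, kernel_only = compare_views(kernel_names, entries)
    for name in hidden:
        print("HIDDEN: %s" % os.path.join(directory, name))
    for name in kernel_only:
        print("kernel-only (race or unflushed?): %s" % os.path.join(directory, name))
    for name, mode in sorted(entries.items()):
        if (mode & 0o170000) == 0o040000:     # S_IFDIR
            scan(device, os.path.join(directory, name), mountpoint)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s /dev/DEVICE /path/to/dir" % sys.argv[0])
    dev, top = sys.argv[1], os.path.abspath(sys.argv[2])
    os.sync()    # flush pending metadata so debugfs reads the current on-disk state
    scan(dev, top, find_mountpoint(top))
```

Run it as root, e.g. `./find_hidden.py /dev/hda1 /home/user`, ideally with a debugfs binary copied from trusted media. Entries printed as HIDDEN are present in the on-disk directory but missing from what the kernel returns, which is exactly the symptom of a getdents-hooking rootkit.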

Known problems:
