
#12 debugfs ls / ls -l / ls -d is not very useful for hacked fs

closed
nobody
None
5
2008-01-04
2005-05-13
No

migrated from redhat.com
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149480

adding an option to ls to produce a parsable output (-p)

while working with a compromised system (suckit root kit)
hidden files were viewable by debugfs but not any other
utility.
when spaces and tabs were put into the directory names
debugfs did not "show" them.

ie: /var/cache/ /hiddenfiles
(8 spaces)

ls -p
quotes the output so it can be parsed easily.

/inode/mode/uid/gid/name/size/

ie:
#debugfs /dev/hdc3 -R 'ls -p "/tmp"' 2> /dev/null
/11157571/100644/0/0/kernel-2.4.18-3.i386.rpm/11889996/
/11157526/100600/48/48/sess_4883287ea7160ef4773efb54688c4885/0/
/11157566/100600/48/48/sess_cc8994e4ff8928e75890d228f3e6d29d/0/
/11157565/100666/56672/616/.303.461f0a/5/
/11157569/100644/549/555/d.tgz/15045/
/11157614/100644/0/0/db4-4.1.25-8.src.rpm/3365800/
/11157568/100644/0/0/crontabs-1.10-1.noarch.rpm/4188/
/11157573/100644/0/0/krbafs-utils-1.1.1-1.i386.rpm/20086/
/11157570/100644/0/0/initscripts-6.67-1.i386.rpm/628134/
/11157572/100644/0/0/krbafs-1.1.1-1.i386.rpm/23597/
/11157574/100644/0/0/list.lst/1516/
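
A sketch of how the `/inode/mode/uid/gid/name/size/` records described above could be consumed during triage, flagging entry names that are padded with, or made entirely of, whitespace or control characters. This is an added example, not part of the original report or of e2fsprogs; the function names and the constructed sample records (inodes 2001 and 2002) are assumptions, and an empty size field is tolerated.

```python
import stat
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    inode: int
    mode: int
    uid: int
    gid: int
    name: str
    size: Optional[int]

def parse_ls_p(line):
    """Parse one /inode/mode/uid/gid/name/size/ record; None if it is not one."""
    if len(line) < 2 or line[0] != "/" or line[-1] != "/":
        return None
    head = line[1:-1].split("/", 4)      # four numeric fields, then name/size
    if len(head) != 5 or "/" not in head[4]:
        return None
    name, size = head[4].rsplit("/", 1)  # never strip: whitespace is evidence
    try:
        return Entry(int(head[0]), int(head[1], 8), int(head[2]), int(head[3]),
                     name, int(size) if size else None)  # empty size tolerated
    except ValueError:
        return None

def name_flags(name):
    """Reasons an entry name would be invisible or misleading in a listing."""
    flags = []
    if name != name.strip():
        flags.append("leading/trailing whitespace")
    if name and not name.strip():
        flags.append("whitespace only")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        flags.append("control character")
    return flags

def scan(text):
    """Return (inode, mode string, name, flags) for every suspicious record."""
    hits = []
    for line in text.split("\n"):        # a name containing "\n" is out of scope
        e = parse_ls_p(line)
        if e and name_flags(e.name):
            hits.append((e.inode, stat.filemode(e.mode), e.name, name_flags(e.name)))
    return hits

# Constructed sample: first line is from the report, the rest are made up.
SAMPLE = ("/11157571/100644/0/0/kernel-2.4.18-3.i386.rpm/11889996/\n"
          "/2001/040755/0/0/        //\n"        # directory named 8 spaces
          "/2002/100644/0/0/notes\t.txt/12/\n")  # tab inside the name

if __name__ == "__main__":
    for inode, mode, name, flags in scan(SAMPLE):
        print(inode, mode, repr(name), "; ".join(flags))
```
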

Discussion

  • Jason Pyeron

    Jason Pyeron - 2005-05-13

    parsable patch

     
  • Jason Pyeron

    Jason Pyeron - 2005-05-13

    rpm specfile e2fsprogs.spec

     
  • Theodore Ts'o

    Theodore Ts'o - 2008-01-04

    Logged In: YES
    user_id=628
    Originator: NO

    Thanks for this suggestion. This enhancement will be in the next major release of e2fsprogs (1.41).

     
  • Theodore Ts'o

    Theodore Ts'o - 2008-01-04
    • status: open --> closed