[SOLVED] ls as root tries to execute all filenames in directory

dioltas · 2010-10-14 21:50:42

Bit of a weird one. As root, when I "ls" it tries to execute all the filenames in the directory.
/bin/ls works fine.

Been like this for a while, but finally decided to do something about it! Google didn't help me much.

$ ls
echo  touch
$ touch ls
$ touch wtf
$ ls
echo  ls  touch  wtf
$ touch thisisweird
$ ls
echo  ls  thisisweird  touch  wtf
$ su
Password: 
# ls

echo  ls  thisisweird  touch  wtf
bash: thisisweird: command not found
touch: missing file operand
Try `touch --help' for more information.
bash: wtf: command not found
# rm ls
# ls

echo  thisisweird  touch  wtf
bash: thisisweird: command not found
touch: missing file operand
Try `touch --help' for more information.
bash: wtf: command not found
# /bin/ls
echo  thisisweird  touch  wtf
# whereis ls
ls: /bin/ls /usr/share/man/man1/ls.1p.gz /usr/share/man/man1/ls.1.gz
#

Same thing whether I su to root or login as root.

The folder whose files it executes seems to be the folder I su from as a normal user, or if I login as root, then a random folder I may have been working in in the past.

Any ideas?

Last edited by dioltas (2010-10-16 12:01:16)

ewaller · 2010-10-14 23:04:47

What do these commands yield for you?

ewaller@odin:~[125] 1038 %which ls
ls: aliased to ls --color=auto
ewaller@odin:~ 1039 %su
Password: 
[root@odin ewaller]# which ls
/bin/ls
[root@odin ewaller]#

also, What is in root's $PATH ?

Last edited by ewaller (2010-10-14 23:06:17)

dioltas · 2010-10-15 12:57:40

#which ls
/bin/ls

will post output of "echo $PATH" later. At work sshing to laptop from phone and it's too long to type.
/bin and /usr/bin are the first two entries though.

dioltas · 2010-10-15 17:22:13

# echo $PATH
/bin:/usr/bin:/sbin:/usr/sbin:/opt/java/bin:/opt/java/jre/bin:/usr/bin/perlbin/site:/usr/lib/perl5/vendor_perl/bin:/usr/bin/perlbin/vendor:/usr/lib/perl5/core_perl/bin:/opt/qt/bin

/bin
/usr/bin
/sbin
/usr/sbin
/opt/java/bin
/opt/java/jre/bin
/usr/bin/perlbin/site
/usr/lib/perl5/vendor_perl/bin
/usr/bin/perlbin/vendor
/usr/lib/perl5/core_perl/bin
/opt/qt/bin

dioltas · 2010-10-15 17:27:15

Checked all those directories and the only one of them with a "ls" is /bin.

This is weird.

Last edited by dioltas (2010-10-15 17:27:45)

ewaller · 2010-10-15 18:30:55

dioltas wrote:

This is weird.

+1

A common attack on root is to leave commands with the same name as system commands laying around. If root includes '.' in
their path, and they invoke a command like ls while in a directory that has a Trojan ls laying around, they can be rooted by the bogus command. Thats what I was looking for, but it seems you are okay.

Unless you have really been rooted and which is lying, then something else must be going on.

How about we try the big guns? Lets look at the output of strace ls

Last edited by ewaller (2010-10-15 18:32:00)

dioltas · 2010-10-15 21:40:42

Yeah, that was one of the first thing that occurred to me too.

But if root and normal users are running the same binary then it should be ok I thought.

And it would be a weird attack making ls execute all the filenames...

Thanks for the strace suggestion! Will try this in the morning.

sisco311 · 2010-10-15 22:06:42

Check the aliases. My guess is that you used backquotes (`) instead of single quotes (') in an alias.

# alias ls

Last edited by sisco311 (2010-10-15 22:08:13)

dioltas · 2010-10-16 11:59:06

When I saw your post first, I thought no, I definitely don't have any aliases set up for root.

then tried alias ls. Had a look at /etc/bash.bashrc at there it was

alias ls=`ls --color=auto`

Thanks for your help!

Have no recollection of adding that. I feel like an idiot now!

jdarnold · 2010-10-16 12:06:56

An easy way to make sure you're not using an alias is to use a backslash when running the command:

#\ls

ewaller · 2010-10-16 16:33:58

Note to self: I had thought the which command would reveal the alias. I realize now this is an artifact of zsh and it behaves differently in bash.

Good call Sisco311.
jdarnold: Good tip, I had never seen that

Arch Linux

#1 2010-10-14 21:50:42

[SOLVED] ls as root tries to execute all filenames in directory

#2 2010-10-14 23:04:47

Re: [SOLVED] ls as root tries to execute all filenames in directory

#3 2010-10-15 12:57:40

Re: [SOLVED] ls as root tries to execute all filenames in directory

#4 2010-10-15 17:22:13

Re: [SOLVED] ls as root tries to execute all filenames in directory

#5 2010-10-15 17:27:15

Re: [SOLVED] ls as root tries to execute all filenames in directory

#6 2010-10-15 18:30:55

Re: [SOLVED] ls as root tries to execute all filenames in directory

#7 2010-10-15 21:40:42

Re: [SOLVED] ls as root tries to execute all filenames in directory

#8 2010-10-15 22:06:42

Re: [SOLVED] ls as root tries to execute all filenames in directory

#9 2010-10-16 11:59:06

Re: [SOLVED] ls as root tries to execute all filenames in directory

#10 2010-10-16 12:06:56

Re: [SOLVED] ls as root tries to execute all filenames in directory

#11 2010-10-16 16:33:58

Re: [SOLVED] ls as root tries to execute all filenames in directory

Board footer