There are many ways. One of my favorites is emacs in "directory-edit" mode, but fewer and fewer people seem to worship at the Temple of Lisp these days. :)

A more prevalent idea might be to use "ls -q". It wouldn't show you the actual name, but it would print a question mark to let you know something was up. The "ls -b" option will actually show you what is there, but you might not want to deal with the backslashes and numbers.

Examples:

    wcolburn@rainbow<~>$ uname -a
    SunOS rainbow 5.7 Generic sun4m sparc
    wcolburn@rainbow<~>$ /bin/ls -b eeep-*-eeep
    eeep-c\206@\373\245\004-\3446\364-eeep
    wcolburn@rainbow<~>$ /bin/ls -q eeep-*-eeep
    eeep-c?@???-?6?-eeep
    wcolburn@rainbow<~>$ /bin/ls eeep-*-eeep
    eeep-c@{%-d6t-eeep

On Tue, Aug 14, 2001 at 03:11:56PM -0500, Skinner, Kit wrote:
> QUESTION: My question from a forensics standpoint is, if someone got onto a
> system and placed a file using that naming scheme, how could you determine
> its ACTUAL name? As a relative novice, all the tools I know of seem to
> interpret the filename and display in the edited form. If I had to access
> or read a file to determine what they were doing, and they had named it
> 'x^Hsecret'. How would I know or be able to access it since it would always
> show up as 'secret'?
>
> Any help is greatly appreciated. Thanks!

--
William Colburn, "Sysprog" <wcolburnat_private>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
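An added example, not part of the original message: a POSIX shell sketch that reports every directory entry whose name contains bytes outside printable ASCII, written with the same octal escapes as the "ls -b" output above. The function names escape_name and list_odd_names are hypothetical, and the only tools assumed are od(1) and printf(1).

```sh
#!/bin/sh
# Added example: reveal the real bytes of odd file names without
# depending on a particular ls implementation.

# escape_name NAME
# Print NAME with each byte outside printable ASCII as \ooo (octal) and
# each backslash doubled, so the output is unambiguous.
escape_name() {
    out=
    # od prints one three-digit octal value per byte of the name.
    for o in $(printf '%s' "$1" | LC_ALL=C od -An -v -t o1); do
        case $o in
            134) out="$out\\\\" ;;                      # backslash
            04[0-7]|0[5-7][0-7]|1[0-6][0-7]|17[0-6])    # 040..176 printable
                 out="$out$(printf '%b' "\\0$o")" ;;
            *)   out="$out\\$o" ;;                      # control or high byte
        esac
    done
    printf '%s\n' "$out"
}

# list_odd_names DIR
# Print the escaped form of every entry in DIR (dot files included)
# whose escaped name differs from its raw name.
list_odd_names() {
    for p in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # glob matched nothing
        name=${p##*/}
        esc=$(escape_name "$name")
        [ "$esc" = "$name" ] || printf '%s\n' "$esc"
    done
}

# Stand-alone use: sh thisfile.sh /some/directory
if [ "$#" -gt 0 ]; then
    list_odd_names "$1"
fi
```

A file created as 'x^Hsecret' is reported as x\010secret, and the same bytes can be fed back to the shell with "$(printf 'x\010secret')" to open the file by its real name.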
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 09:34:52 PDT