Normal Unix commands such as find and ls may be used to locate such files, e.g.
find /usr -name '.*' -type d -print
to find "hidden" files and directories. find may also be used to search by modification time, e.g.
find /bin -ctime -365 -print
will find anything changed in the last year, similarly for /sbin /usr/kvm /usr/local/bin etc.
In Win95, hidden files are also possible; BackOrifice uses this technique to hide: with a blank icon and a blank prefix, ".exe" does not show up in an icon-based directory.
To find setuid or setgid files, use
find /bin -perm /6000 -print
or perhaps
find /bin -perm /6000 -exec ls -lg {} \;
(current GNU find writes this test as /6000; older versions used +6000).
On systems where find does not support the perm option, ls may be used, e.g.
ls -latg /usr/bin/* /sbin/* /usr/sbin/* /usr/local/bin/* | grep '^...s'
The point here is to find system files that appear to have been modified since the system was installed, or unauthorized programs, such as an suid shell (which executes a user's every command with root privilege).
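One way to make the check above repeatable, as an added example that is not part of the original page: record a baseline of setuid/setgid files with their hashes at install time, then report anything new or changed. The function names and the baseline path are hypothetical, and sha256sum is assumed to be installed.

```shell
#!/bin/sh
# Added example: baseline and re-check of setuid/setgid files.
# suid_snapshot, suid_changes and the baseline path are hypothetical names.

# Print "sha256  path" for every setuid or setgid regular file under the
# given directories, sorted so that two runs can be compared line by line.
# "-perm -4000 -o -perm -2000" is the POSIX spelling of "either bit set",
# so it works whether the local find expects +6000 or /6000.
suid_snapshot() {
    # find's permission-denied messages are discarded; run as root for full coverage
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sha256sum {} + 2>/dev/null | LC_ALL=C sort
}

# Compare the current state with a saved baseline and print every entry that
# is new (unknown setuid/setgid file) or changed (same path, different hash).
suid_changes() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    suid_snapshot "$@" > "$current"
    LC_ALL=C comm -13 "$baseline" "$current"
    rm -f "$current"
}

# Typical use (paths are examples only):
#   suid_snapshot /bin /sbin /usr/bin /usr/sbin /usr/local/bin > /var/adm/suid.baseline
#   suid_changes /var/adm/suid.baseline /bin /sbin /usr/bin /usr/sbin /usr/local/bin
# Keep the baseline where an intruder cannot rewrite it, e.g. on read-only
# media or marked immutable with chattr +i.
```

Any line printed by suid_changes is a file to inspect by hand before the baseline is refreshed.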
Data disks may be mounted noexec. This means that files in these directories cannot be executed.
Linux users may use the ext2fs utility chattr to make system directories or files "immutable", or create append-only logfiles. An intruder would first have to gain root, then change the filesystem attributes, before creating a file.
A.Daviel