Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Finding out if you are infected' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Finding out if you are infected
Authored by: derrickbass on Nov 01, '04 09:20:00PM
Why is the command to find out if you are infected "sudo ls -l /Users/*/Public/.info"?

In particular, I presume that the sudo is there just in case the permissions on the directory have been changed. (Ordinarily, everyone is allowed to see your Public directory.) However, because the "*" is expanded before sudo is executed, it won't help; if the directory is not readable by the user executing the command, it will never even get passed to sudo.

I can't think of a simple way to do this. One can either:


sudo -s
ls -l /Users/*/Public/.info
exit

(Make sure to type exit! sudo -s gives you a root shell, which is very dangerous, so you want to exit the shell as soon as you are done.)

Or you can write a loop: In tcsh:


foreach i (/Users/*)
   sudo ls -l "$i"/Public/.info
end

In bash: well, I dunno, but I'm sure someone will translate the above script.

If see a bunch of error messages, that's good. If you see an actual listing of a file, that is bad.

[ Reply to This | # ]

Finding out if you are infected
Authored by: bdm on Nov 01, '04 11:14:28PM

Your comment is quite correct:
sudo ls -l /Users/*/Public/.info
is NOT a correct check for file of that form.

To do it in a single command, use this:
sudo sh -c 'ls -l /Users/*/Public/.info'
(including the single quotes). That way the * is not expanded until sudo has established the right privileges.

Brendan



[ Reply to This | # ]