I've been using Linux for over twelve years now, and I'm still learning it.
Today, Wlofie [1] and I spent a few hours doing Stupid Shell Tricks under Linux—stuff like naming files “ ‥ ” (that's space period period space or even “ . * & ! prang” (that's space period space asterisk space ampersand space explanation point space "prang") or even “-rf *”—names that give the Unix shell fits (or naive users fits trying to get rid of such files).
From there, we ventured into the territory that crackers use to hide their activities under Unix systems. One such trick is the following command:
>
```
GenericUnixPrompt> hacker_tool || rm -rf ./
```
Kill the running hacker_tool process and all the files are removed. A process listing will only show the hacker_tool running. A smart cracker will zap or munge the history file of the shell. So that's a pretty hard thing to detect.
Another trick a cracker will do to make things difficult is:
>
```
GenericUnixPrompt> hacker_tool &
[1] 4532
GenericUnixPrompt> /bin/rm hacker_tool
```
This starts the hacker_tool, then the executable is removed. The program still runs since the code is in memory, but there's no way to actually recover the executable.
Or so I thought.
Wlofie showed me this though (at least, under Linux):
>
```
GenericUnixRootPrompt# cd /proc/4532
GenericUnixRootPrompt# cp exe /tmp/recovered_executable_file
# or alternatively
GenericUnixRootPrompt# dd if=exe of=/tmp/recovered_execuable_file
```
Ah, the things geeks find interesting.