Critical: Weird folder found! Can't remove...

2025-04-17

Hello,

A customer of mine informed me about a weird directory in his homefolder:

"ÍÜ*eKÐL`^ :|R¦l=E!à÷A"

When I do "ls -al" I get this:

Code:

drwxr-xr-x    2 *** *** 4096 Oct 28 08:14 \004\315\334\*eK\036\320L`^\f:\022\|R\246l\=E!\233\340\367A\n\243W\253_\264Ul3lo\345\246{\250<\341~\304\355Û½\356\257<:~\030\034\006\355\376\003\226Å1\227\232\361\253\035\206S/

I can't access it:

Code:

*******@server [/home/*******]# cd \004\315\334\*eK\036\320L`^\f:\022\|R\246l\=E!\233\340\367A\n\243W\253_\264Ul3lo\345\246{\250<\341~\304\355Û½\356\257<:\030\034\006\355\376\003\226Å1\227\232\361\253\035\206S
-bash: !\233\340\367A\n\243W\253_\264Ul3lo\345\246{\250: event not found

This might sound paranoid but I'm afraid the directory name contains some kind of shell code that if I try to remove it, something else happens... I think the folder got there due to a web based attack on his website. Is that possible?

Does anyone have an idea how to get rid of it? I would like to see the content of the folder if possible.

Thanks.