rmdir failed to remove empty directory

I straced ls and got more information to dig into (unimportant syscalls stripped):

open("empty_dir", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, /* 3 entries */, 32768)     = 80
write(1, ".\n", 2.)                     = 2
write(1, "..\n", 3..)                   = 3

Hmm, we see that the getdents syscall works correctly and returned all 3 entries ('.', '..' and '_---*'), but ls wrote only '.' and '..'. It means that we have some problem with the wrapper around getdents which is used by coreutils. And coreutils uses the readdir glibc wrapper for getdents. Also, to prove that there are no problems with getdents, I tested the little prog from the example section of the getdents man page. This prog showed all files.

Maybe we just found a bug in glibc? So I updated the glibc package to the latest version in my distro but didn't get any good result. Also, I didn't find any correlating information in bugzilla.

So let's go deeper:

# gdb ls
(gdb) break readdir
(gdb) run
Breakpoint 1, 0x00007ffff7dfa820 in readdir () from /lib64/libncom.so.4.0.1
(gdb) info symbol readdir
readdir in section .text of /lib64/libncom.so.4.0.1

Wait, what? libncom.so.4.0.1? Not libc? Yes, we are looking at a malicious shared library that provides libc functions in order to hide malicious activity:

# LD_PRELOAD=/lib64/libc.so.6 find / > good_find
# find / > injected_find
# diff good_find injected_find
10310d10305
< /lib64/libncom.so.4.0.1
73306d73300
< /usr/bin/_-config
73508d73501
< /usr/bin/_-pud
73714d73706
< /usr/bin/_-minerd
86854d86845
< /etc/ld.so.preload

Removing the rootkit files, checking all packages' files (rpm -Va in my case), auto-start scripts, preload/prelink configs, system files (find / + rpm -qf in my case), changing affected passwords, finding and killing the rootkit's processes:

# for i in /proc/[1-9]*; do name=$(</proc/${i##*/}/comm); ps -p ${i##*/} > /dev/null || echo $name; done
_-minerd

In the end: a full system update, a reboot, and the problem was solved. The reason for the successful hack: an IPMI interface with very old firmware which suddenly was available from the public network.