Help me analyze what the hacker did?

Sam Halliday fommil at yahoo.ie
Sun Jul 13 11:48:42 PDT 2003


Ares Liu wrote:
> In the / directory I found a .bash_history file. I think it must have
> been left by a hacker, but I don't know how far the hacker got. Can anyone
> help me analyze the .bash_history? Did the hacker successfully change the
> root password? Thanks very much.
> 
> .bash_history:
> 
> vi /etc/passwd
> passwd root
> vi /etc/passwd
> passwd root/
> passwd root
> passwd xyz
> vi /etc/passwd
> linuxconf
> ls
> vi group
> passwd xyz
> vi group
> vi /etc/passwd
> chpasswd --help
> chpasswd -e
> vi /etc/passwd
> ls
> man chpasswd
> ls
> checkgid --help
> checkgid /?
> man checkgid
> checkgid
> ls
> vi /etc/passwd
> linuxconf
> clear
> passwd xyz
> vi /etc/passwd
> passwd bbs
> ls
> man passwd
> i /etc/pam.d/passwd
> less /etc/pam.d/passwd
> ls
> cd /etc/
> ls
> ls -l sh*
> cp shadow- shadow
> ls -l sh*
> more shadow
> reboot

From the looks of things... I'd say they got root, but didn't really know
what to do! (--help and man pages? :-D)

I am assuming you have shadow passwords and md5sum enabled... it looks
like they just copied the old shadow file over the new one to
ensure that nothing changed (to avoid detection?) after changing xyz's and
bbs's passwords.

They have the md5sum hashes of all your passwords; I'd advise you to change
your root password and get all your users to do the same. And get to
work finding out how they got in!! i.e. what kernel are you running? any
root daemons? any suid root files?

BTW, they are called CRACKERS, not hackers... hackers are the people who
WROTE the system.

Sam
-- 
'I'll see you all tomorrow. If there is one.'
(Men at Arms)
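Two of the checks Sam's reply implies, written up as an added example (not code from the thread): comparing /etc/shadow against the /etc/shadow- backup to see which accounts' password fields differ, and walking a .bash_history to flag the credential-touching commands. All sample data below is constructed, not taken from Ares Liu's system.

```python
"""Triage helpers for the case discussed above (added example, not from the post).

1. diff_shadow(): which accounts' password fields differ between /etc/shadow
   and the /etc/shadow- backup (i.e. whose passwords were changed).
2. flag_history(): which .bash_history entries touch credentials.
All inputs are constructed samples; hashes are placeholders, not real digests.
"""
import re

# Commands and paths worth a second look in a history file.
CRED_CMDS = re.compile(r"^(passwd|chpasswd|linuxconf)\b|\b(passwd|shadow|group)\b|pam\.d")

def parse_shadow(text):
    """Map account name -> password field for shadow(5)-format text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries

def diff_shadow(current, backup):
    """Return {account: (backup_field, current_field)} for every account whose
    password field differs, including accounts present in only one file."""
    cur, old = parse_shadow(current), parse_shadow(backup)
    return {name: (old.get(name), cur.get(name))
            for name in sorted(set(cur) | set(old))
            if cur.get(name) != old.get(name)}

def flag_history(text):
    """Return (line_no, command) for history entries matching CRED_CMDS."""
    return [(i, cmd) for i, cmd in enumerate(text.splitlines(), 1)
            if CRED_CMDS.search(cmd)]

# Constructed samples: xyz and bbs were changed, root was not.
SHADOW_NOW = ("root:$1$placeholderA:12234:0:99999:7:::\n"
              "xyz:$1$placeholderNEW1:12234:0:99999:7:::\n"
              "bbs:$1$placeholderNEW2:12234:0:99999:7:::\n")
SHADOW_BAK = ("root:$1$placeholderA:12200:0:99999:7:::\n"
              "xyz:$1$placeholderOLD1:12200:0:99999:7:::\n"
              "bbs:$1$placeholderOLD2:12200:0:99999:7:::\n")
HISTORY = "ls\npasswd xyz\nvi /etc/passwd\ncp shadow- shadow\nreboot\n"

if __name__ == "__main__":
    print(diff_shadow(SHADOW_NOW, SHADOW_BAK))   # xyz and bbs differ
    print(flag_history(HISTORY))                 # lines 2, 3 and 4 flagged
```

If shadow- really was copied back over shadow, as Sam suggests, the diff comes back empty and the modification time on /etc/shadow is the remaining clue.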