Help me analysis what did hacker do?

Dagmar d'Surreal dagmar.wants at nospam.com
Tue Jul 15 18:42:46 PDT 2003


On Sun, 2003-07-13 at 13:33, Ares Liu wrote:
> In the / directory I found a .bash_history file. I think it must have been
> left by a hacker. But I don't know how deep the hacker got. Who can help me
> analyze the .bash_history? Did the hacker change the password of root
> successfully? Thanks very much.
> 
> .bash_history:
> 
> vi /etc/passwd
> passwd root
> vi /etc/passwd
> passwd root/
> passwd root
> passwd xyz
> vi /etc/passwd
> linuxconf
> ls
> vi group
> passwd xyz
> vi group
> vi /etc/passwd
> chpasswd --help
> chpasswd -e
> vi /etc/passwd
> ls
> man chpasswd
> ls
> checkgid --help
> checkgid /?
> man checkgid
> checkgid
> ls
> vi /etc/passwd
> linuxconf
> clear
> passwd xyz
> vi /etc/passwd
> passwd bbs
> ls
> man passwd
> i /etc/pam.d/passwd
> less /etc/pam.d/passwd
> ls
> cd /etc/
> ls
> ls -l sh*
> cp shadow- shadow
> ls -l sh*
> more shadow
> reboot

The good news is that they're morons.  The bad news is that now that you
know you've been compromised you should probably back up your user data,
wipe the drives, and reinstall.  Even idiots get their hands on good
rootkits every so often and it's far more trouble than it's worth to try
to figure out if they've installed anything new you're not seeing.

Oh, and the hacker didn't _need_ to change the password for root, they
already managed to get in.  j00 w3r3 0wn3d.
-- 
The email address above is just as phony as it looks, and for obvious reasons.
Instant messaging contact info: AIM: evilDagmar  Jabber: evilDagmar at jabber.org
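
An added example, not part of the original thread: triage of a recovered shell history like the one quoted above, tracking `cd` so that relative paths such as `cp shadow- shadow` resolve to the account files they touch. The function name `triage`, the category labels and the sample subset of the history are assumptions made for illustration.

```python
import posixpath

# Constructed sample: a subset of the history quoted in the post above.
SAMPLE_HISTORY = """vi /etc/passwd
passwd root
chpasswd -e
vi group
cd /etc/
cp shadow- shadow
more shadow
reboot
"""

ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}
EDITORS = {"vi", "vim", "nano", "emacs"}
VIEWERS = {"more", "less", "cat"}
PASSWORD_TOOLS = {"passwd", "chpasswd"}

def triage(history, start_dir=None):
    """Return (line_no, category, command) for account-related entries."""
    # start_dir is the shell's initial working directory (hypothetical
    # parameter); None means unknown, so relative paths stay unresolved.
    cwd, findings = start_dir, []
    for n, raw in enumerate(history.splitlines(), 1):
        argv = raw.split()  # whitespace split; quoted paths are not handled
        if not argv:
            continue
        cmd, args = argv[0], [a for a in argv[1:] if not a.startswith("-")]
        if cmd == "cd":
            known = args and (cwd or args[0].startswith("/"))
            cwd = posixpath.normpath(posixpath.join(cwd or "/", args[0])) if known else None
            continue
        paths = [posixpath.normpath(posixpath.join(cwd, a)) if cwd else a for a in args]
        hits = [p for p in paths if p in ACCOUNT_FILES]
        if cmd in PASSWORD_TOOLS:
            category = "password-tool"
        elif cmd in EDITORS and hits:
            category = "account-file-edit"
        elif cmd in ("cp", "mv") and paths and paths[-1] in ACCOUNT_FILES:
            category = "account-file-overwrite"
        elif cmd in VIEWERS and hits:
            category = "account-file-read"
        elif cmd in ("reboot", "shutdown"):
            category = "reboot"
        else:
            continue
        findings.append((n, category, raw))
    return findings
```

A history file records only what was typed and saved by the shell, so an empty result does not show that the account files are untouched.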
