Help me analysis what did hacker do?

Thu Jul 17 01:48:05 PDT 2003

> In / directory I find out a .bash_history file.

What a strange "cracker" who leaves behind him a .bash_history in / ??? Did you mean ~/ ?

Moreover, it is a good idea, if this "cracker" got root, to back up the original ~/.bash_history first to restore it afterwards. Don't forget also that the backup process will change the date of the file, so it is also a good idea to restore the old time flag on your restored file :)

cp ~/.bash_history ~/.bash_history_back

ls -l ~/.bash_history
-rw-------    1 xxx     xxx         1185 jui 16 20:42 /home/xxx/.bash_history

[do what you want]

cp ~/.bash_history_back ~/.bash_history && rm ~/.bash_history_back

touch -t 07162042 ~/.bash_history

This would restore the original time flag of the file, but take care of the last command (the backup process) that you left behind you after backing up the file. Eventually clear the entry by hand before the 'touch'.

Finally it is also handy to clear the log files >
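
For the incident responder reading this thread, the copy-back plus 'touch -t' sequence above leaves two artifacts in the inode. The following is an added example, not part of the original post; the function names, the 60-second threshold and the temporary file are assumptions, and it expects a POSIX filesystem where st_ctime is the inode change time.

```python
import os
import shutil
import tempfile
import time

NS_PER_MIN = 60 * 10**9

def mtime_indicators(path, min_gap_s=60):
    """Return reasons why the file's mtime looks hand-set (indicators, not proof)."""
    st = os.stat(path)
    reasons = []
    # 'touch -t MMDDhhmm' has minute resolution, so seconds and nanoseconds
    # end up as zero; a normal write almost never lands exactly on a minute.
    if st.st_mtime_ns % NS_PER_MIN == 0:
        reasons.append("mtime falls exactly on a minute boundary")
    # ctime cannot be set through touch/utime; it records when the mtime was
    # rewritten. chmod, chown, mv or 'tar -x' also move ctime, so corroborate.
    gap_s = (st.st_ctime_ns - st.st_mtime_ns) / 1e9
    if gap_s > min_gap_s:
        reasons.append("ctime is %.0fs later than mtime" % gap_s)
    return reasons

def demo():
    """Build a constructed history file, replay the restore, report both states."""
    workdir = tempfile.mkdtemp()
    try:
        hist = os.path.join(workdir, ".bash_history")  # constructed sample file
        with open(hist, "w") as fh:
            fh.write("ls -l\n")
        before = mtime_indicators(hist)
        # Same end state as the cp / cp back / 'touch -t' sequence in the post:
        # content restored, mtime set to an older minute-resolution value.
        backup = hist + "_back"
        shutil.copy(hist, backup)
        shutil.copy(backup, hist)
        os.remove(backup)
        old = (int(time.time()) // 60) * 60 - 3600  # one hour ago, on the minute
        os.utime(hist, (old, old))
        return before, mtime_indicators(hist)
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    before, after = demo()
    print("untouched:", before)
    print("restored :", after)
```

On a real host, run mtime_indicators() against each user's history file from a forensic image or read-only mount, so that the examination itself does not change timestamps.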
