Help me analysis what did hacker do?

Tamas Szabo sztamas at ots.rdscj.ro
Thu Jul 17 05:07:26 PDT 2003



navara wrote:

>>>In / directory I find out a .bash_history file.
>>>      
>>>
>>What a strange "cracker" who leaves behind him a .bash_history in / ??? did you mean ~/
>>
>>Moreover It is a good Idea if this "cracker" got root to backup the original ~/.bash_history first to restore it afterwards. Don't forget also that the backup process will change the date of the file, so it is also a good idea to restore the old time flag on your retored file :)
>>
>>cp ~/.bash_history ~/.bash_history_back
>>
>>ls -l ~/.bash_history
>>-rw-------    1 xxx     xxx         1185 jui 16 20:42 /home/xxx/.bash_history
>>
>>[do what you want]
>>
>>cp ~/.bash_history_back ~/.bash_history && rm ~/.bash_history_back
>>
>>touch -t 07162042 ~/.bash_history
>>
>>This would restore the original time flag of the file, but take care of the last command (the backup process) that you left behind you after backuping the file. Enventually clear the entry by hand before the 'touch'.
>>
>>Finally it is also handy to clear the log files >
>>    
>>
>
>And dont forget, that all comands saves after logout :)
>
Isn't more simple to use just a
$ unset HISTFILE
in the shell in which you will execute the commands?

Tamas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfromscratch.org/pipermail/lfs-security/attachments/20030717/f83bd30a/attachment.html>


More information about the lfs-security mailing list