Help me analysis what did hacker do?

Jochen Schroeder jschrod at uni-muenster.de
Thu Jul 17 06:19:35 PDT 2003


Sam Halliday wrote:
> SINGODIWIRJO Hermantino wrote:
> 
>>>In / directory I find out a .bash_history file.
>>
>>What a strange "cracker" who leaves behind him a .bash_history in / ??? did
>>you mean ~/
> 
> most root-cracks drop you in / with no envars set. so this is what i would
> expect.
> 
> 
>>Moreover It is a good Idea if this "cracker" got root to backup the original
>>~/.bash_history first to restore it afterwards.
> 
> the new history is added after you logout. you need only type `history -c` to
> stop this from happening. but in this case unsetting the history file is
> better.
> 
> 
>>Finally it is also handy to clear the log files >
> 
> well, we know YOU didn't crack his box... because we'd NEVER be able to find
> YOU... ;-)
> 
> seriously though... if this guy is running a recent LFS, we should all be keen
> to hear how his boxen was cracked. we could all be susceptible!
> 
> Ares Liu... what kernel are you running? i have a suspicion this may be the
> ptrace exploit, simply from the fact that it was the last "big" exploit and the
> code is publicly available; and the cracker clearly didn't have a clue what
> he/she was doing...
> 
> Sam

But that would mean the cracker already had a local account. The ptrace 
bug is a local not a remote exploit, so the box must have been cracked 
by some other means as well, to get local access. Still interesting to 
know how he got access.

Jochen
