Help me analysis what did hacker do?

dpb at e-oasis.com dpb at e-oasis.com
Thu Jul 17 10:17:20 PDT 2003


I have a .bash_history in / on a redhat box.  It is full of commands I 
issued the last time I booted single user -- can't remember if this was a 
kernel command or a rescue disk reboot.

On Thu, 17 Jul 2003, SINGODIWIRJO Hermantino wrote:

> > In / directory I find out a .bash_history file.
> 
> What a strange "cracker" who leaves behind him a .bash_history in / ??? Did you mean ~/ ?
> 
> Moreover, it is a good idea, if this "cracker" got root, to back up the original ~/.bash_history first to restore it afterwards. Don't forget also that the backup process will change the date of the file, so it is also a good idea to restore the old time flag on your restored file :)
> 
> cp ~/.bash_history ~/.bash_history_back
> 
> ls -l ~/.bash_history
> -rw-------    1 xxx     xxx         1185 jui 16 20:42 /home/xxx/.bash_history
> 
> [do what you want]
> 
> cp ~/.bash_history_back ~/.bash_history && rm ~/.bash_history_back
> 
> touch -t 07162042 ~/.bash_history
> 
> This would restore the original time flag of the file, but take care of the last command (the backup process) that you left behind you after backing up the file. Eventually clear the entry by hand before the 'touch'.
> 
> Finally it is also handy to clear the log files
> 
> 
> 


-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message
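
A defender-side check for the timestamp restore described in the quoted message, as an added example that is not part of the original thread: `touch -t` rewrites a file's mtime, but the kernel sets its ctime to the moment of that change, so a history file whose mtime is much older than its ctime merits a closer look. It assumes GNU `stat`; the function names, the 60-second slack and the `/root` and `/home/*` paths are assumptions.

```shell
#!/bin/sh
# Added example: flag shell history files whose mtime was set back with touch.
# Assumes GNU coreutils stat (-c '%Y %Z'); all function names are hypothetical.

# Print ctime minus mtime, in seconds, for FILE. Returns 2 if stat fails.
history_time_gap() {
    times=$(stat -c '%Y %Z' -- "$1" 2>/dev/null) || return 2
    mtime=${times% *}
    ctime=${times#* }
    echo $(( ctime - mtime ))
}

# Return 0 and print a finding when FILE's mtime is more than SLACK seconds
# older than its ctime; return 1 when consistent, 2 when FILE is unreadable.
check_history() {
    file=$1 slack=${2:-60}
    gap=$(history_time_gap "$file") || return 2
    if [ "$gap" -gt "$slack" ]; then
        echo "SUSPECT $file: mtime is ${gap}s older than ctime"
        return 0
    fi
    return 1
}

# Check the locations discussed in the thread: /.bash_history (root with
# HOME=/, e.g. after a single-user boot) and per-account ~/.bash_history.
# /root and /home/* are assumed layouts; adjust for the host.
scan_histories() {
    found=1
    for f in /.bash_history /root/.bash_history /home/*/.bash_history; do
        [ -f "$f" ] || continue
        check_history "$f" "${1:-60}" && found=0
    done
    return $found
}

# Constructed sample: a temp file whose mtime is set back to the date in the
# quoted mail (with an explicit year), then checked.
demo() {
    tmp=$(mktemp) || return 2
    echo 'ls -l' > "$tmp"
    touch -t 200307162042 "$tmp"
    check_history "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in --demo) demo ;; esac
```

A gap is a lead, not proof: chmod, chown, rename and restores that preserve mtime also move ctime.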


