was i hacked
Corey Edwards
pluglist at plug.org
Mon May 5 09:47:32 MDT 2003
On Sun, 2003-05-04 at 21:11, Uday wrote:
> In this case also he/they has left the bash history file behind but I could
> not really be a Sherlock Holmes : ) Anyway following were the command which I
> think were alien:
>
> netstat -an | grep 139
> w
> rm -rf /var/adm/lastlog /root/.bash* /.bash* /root/.bash_history
> /.bash_history /tmp/* /tmp/.bash_
> * /var/log/* /etc/log /tmp/log/* /var/log/* /tmp/var/log/* /usr/log/*
> /usr/adm/log/*
> w
> exit
That's kinda funny. He's paranoid that the sysadmin will come on while
he's working and discover him (the repeated 'w'), but doesn't realize
that deleting all the logs is about as obvious a "Hackers were here!"
sign as anything. I guess nobody claimed he was a genius. Also never
realized that the .bash_history is written *after* you logout. That was
a good laugh.
> Anyone who can derive some conclusion out of this is welcomed or any further
> security needed.
I'm sure there's plenty of information there including how and when the
incident occurred. Even rm'd files can come back from the dead. You can
make dd images onto another disk (or network drive) and find all that
information, if you want. There's a great tutorial here[1]. I want to
volunteer to help, but I know that I don't have time right now to do it
any justice.
Corey
1. http://project.honeynet.org/challenge/
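The log-wiping sequence quoted above is exactly the kind of pattern an incident responder looks for once a deleted history file has been carved back off a dd image. The following is an added example, not part of the original thread: a small Python checker that scans a recovered shell history for anti-forensics indicators (rm against log directories or .bash_history files, repeated `w` to watch for logged-in admins). The sample history is constructed here, modelled on the entries Uday posted.

```python
import re

# Constructed sample of a recovered .bash_history, modelled on the entries
# quoted in the thread (not a real capture).
SAMPLE_HISTORY = """\
netstat -an | grep 139
w
rm -rf /var/adm/lastlog /root/.bash* /.bash* /root/.bash_history /.bash_history /tmp/* /var/log/* /etc/log /usr/adm/log/*
w
exit
"""

# Directories whose wholesale deletion is a classic log-wiping indicator.
SENSITIVE_PREFIXES = ("/var/log", "/var/adm", "/usr/adm", "/etc/log")
# Matches explicit history files and the ".bash*" glob used to catch them.
HISTORY_RE = re.compile(r"\.bash_history|\.bash\*")


def analyze_history(text):
    """Scan a shell history dump and return the indicators found.

    Line numbers are 1-based so they can be quoted in an incident report.
    """
    findings = {"log_wipe": [], "history_wipe": [], "w_count": 0, "recon": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        if not cmd:
            continue
        # Repeated 'w'/'who' between other commands suggests the intruder
        # was watching for an admin to log in.
        if cmd in ("w", "who"):
            findings["w_count"] += 1
        if cmd.startswith("rm "):
            # Drop the option tokens (-rf etc.) and keep the target paths.
            targets = [t for t in cmd.split()[1:] if not t.startswith("-")]
            if any(t.startswith(SENSITIVE_PREFIXES) for t in targets):
                findings["log_wipe"].append(lineno)
            if any(HISTORY_RE.search(t) for t in targets):
                findings["history_wipe"].append(lineno)
        if cmd.startswith("netstat"):
            findings["recon"].append(lineno)
    return findings


def is_suspicious(findings):
    """Deleting logs or shell history is the strongest signal in this set."""
    return bool(findings["log_wipe"] or findings["history_wipe"])


if __name__ == "__main__":
    result = analyze_history(SAMPLE_HISTORY)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

Run it against a history file carved from the image rather than the live system, since the live copy is the one the intruder already removed.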