Check The History
Security - Server Security

Check the root History File

Bash keeps a record of the commands typed at the terminal in the history file, ~/.bash_history. How many entries survive depends on the shell settings HISTSIZE and HISTFILESIZE; older defaults kept 500, many current distributions keep 1000. Note that the history builtin lists what bash has in memory (the entries loaded from the file when the shell started plus those typed in the current session), while the file itself is normally rewritten only when the shell exits. By typing the command:

history

The return should be similar to the following:

12 mount /mnt/media
13 mount /media/floppy
14 ls /media/floppy
15 cp /media/floppy/bk_up.sh /root
16 cp /media/floppy/bk_up.sh /tmp
17 umount /media/floppy
18 mv /tmp/bk* /hotm/mike
19 mv /tmp/bk* /home/mike
20 ls
21 vi bk_up.sh
22 chmod 755 bk_up.sh
23 ./bk_up.sh
24 vi bk_up.sh
25 ./bk_up.sh
26 mount /media/floppy
27 echo $BASH_VERSION
28 ls -l /bin/bash
29 ls -l /bin/sh
30 ls -l /bin/sh > text
31 cat text
32 echo $SHELL
33 ls -l $HOME/TMP/*
34 ls -l $HOME/tmp/*
35 ls -l $HOME /tmp/*
36 ls -l $HOME /tmp/* /opt
37 ls -l $HOME /tmp/* /usr
38 mount /media/floppy

If root's history is empty, be suspicious, unless you know it was cleared on purpose. A common way for an intruder to cover their tracks is to point the history file at /dev/null, so that nothing is ever written to it. One way to check this is to look at the history file itself. Use the command:

ls -l ~/.bash_history

The return should be something like the following:

-rw------- 1 root root 7364 2004-03-27 08:57 /root/.bash_history

If the outcome looks like this there are problems:

lrwxrwxrwx 1 root root 9 2004-03-27 08:57 /root/.bash_history -> /dev/null

In the last example the history file is a symbolic link to /dev/null: the leading l and the -> /dev/null give it away, and the size, 9, is just the length of the target path rather than the size of any recorded history. Everything the shell writes to it is discarded, so there is no record of what an intruder is doing on the terminal. The symlink is only the crudest trick. An ordinary-looking file proves little, because history can also be switched off with unset HISTFILE, export HISTFILE=/dev/null or HISTSIZE=0 in a startup file such as ~/.bashrc, turned off for a session with set +o history, or wiped with history -c before logging out; a shell killed with kill -9 never writes its history at all. Check the startup files for those settings, and compare the size and modification time of the history file against the logins shown by the last command: a root account that logs in regularly but has a history file that never grows is also a warning sign.

It may be important to check other users' history files as well, depending on who actually uses the system. An intruder who has compromised an ordinary account often uses it for exploration and for building tools before obtaining root, so that account's history may hold the earliest evidence; the same checks (symlink, empty file, startup-file settings) apply to every home directory listed in /etc/passwd. Bear in mind that the history file is not a tamper-proof log: whoever controls the account can edit or truncate it, and by default the entries carry no timestamps (set HISTTIMEFORMAT if you want them recorded from now on). Treat it as a lead to follow up with other sources such as the system logs, last, and process accounting, not as an audit trail in itself.
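As an added example, not part of the original page: a POSIX sh script that automates the checks above for every interactive account in /etc/passwd. It assumes bash-style history (a ~/.bash_history file and the usual bash startup files ~/.bashrc, ~/.bash_profile, ~/.profile and ~/.bash_login), and it builds a constructed passwd file and three home directories in a temporary directory so it runs offline; the accounts root, mike and jane in that fixture are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the shell-history
# setup of every interactive account. Assumptions (mine, not the page's):
# bash is the login shell, history lives in $HOME/.bash_history, and the
# startup files bash reads are ~/.bashrc, ~/.bash_profile, ~/.profile
# and ~/.bash_login.

# check_history_dir HOME
#   Prints one finding per line. Returns 0 when the history file is an
#   ordinary, non-empty file and no startup file disables history;
#   returns 1 otherwise.
check_history_dir() {
    home=$1
    hist="$home/.bash_history"
    rc=0

    if [ -L "$hist" ]; then
        # The case from the page: .bash_history -> /dev/null
        echo "SUSPICIOUS: $hist is a symlink -> $(readlink "$hist")"
        rc=1
    elif [ ! -e "$hist" ]; then
        echo "WARNING: $hist does not exist (never logged in, or deleted?)"
        rc=1
    elif [ ! -s "$hist" ]; then
        echo "WARNING: $hist is empty (history -c, or truncated?)"
        rc=1
    else
        echo "OK: $hist, $(wc -l < "$hist" | tr -d ' ') lines"
    fi

    # The symlink is the crude trick; quieter is to switch history off from
    # a startup file. Flag the usual idioms (any reassignment of HISTFILE is
    # worth a look) and print the offending lines with their line numbers.
    for f in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" "$home/.bash_login"; do
        [ -f "$f" ] || continue
        if grep -nE 'unset[[:space:]]+HISTFILE|HISTFILE=|HISTSIZE=0|HISTFILESIZE=0|set[[:space:]]+\+o[[:space:]]+history' "$f"; then
            echo "SUSPICIOUS: history disabled in $f (lines above)"
            rc=1
        fi
    done
    return $rc
}

# audit_passwd PASSWD_FILE
#   Runs check_history_dir for every account whose login shell is real
#   (skips nologin/false). Returns 0 if every account is clean, 1 otherwise.
audit_passwd() {
    flagged=0
    total=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $shell in
            */nologin|*/false|"") continue ;;
        esac
        total=$((total + 1))
        echo "== $user ($home)"
        check_history_dir "$home" || flagged=$((flagged + 1))
    done < "$1"
    echo "$flagged of $total interactive accounts flagged"
    [ "$flagged" -eq 0 ]
}

# make_fixture
#   Builds a constructed passwd file and three home directories under a
#   temporary directory and prints that directory. Constructed data for
#   the demo, not taken from any real host.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/root" "$fx/home/mike" "$fx/home/jane"
    # root: ordinary history, the good case from the page
    printf 'mount /media/floppy\nls /media/floppy\numount /media/floppy\n' > "$fx/root/.bash_history"
    # mike: the bad case from the page, history sent to /dev/null via a symlink
    ln -s /dev/null "$fx/home/mike/.bash_history"
    # jane: history file looks fine, but .bashrc quietly turns recording off
    printf 'ls\n' > "$fx/home/jane/.bash_history"
    printf '# nothing to see here\nunset HISTFILE\n' > "$fx/home/jane/.bashrc"
    cat > "$fx/passwd" <<EOF
root:x:0:0:root:$fx/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mike:x:1000:1000:Mike:$fx/home/mike:/bin/bash
jane:x:1001:1001:Jane:$fx/home/jane:/bin/bash
EOF
    echo "$fx"
}

# Demo on the constructed fixture. On a real host, run as root instead:
#   audit_passwd /etc/passwd
FIXTURE=$(make_fixture)
audit_passwd "$FIXTURE/passwd" || echo "Findings present: investigate before trusting this host"
rm -rf "$FIXTURE"
```

On the fixture the script reports root as clean, mike's .bash_history as a symlink to /dev/null, and jane's .bashrc line that unsets HISTFILE, then summarises 2 of 3 interactive accounts flagged. A non-zero exit status from audit_passwd makes it easy to drop into a cron job or a post-incident checklist.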


Copyright CyberMontana Inc. and BeginLinux.com

All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874