Check The History

Check the root History File


The history file records the last 500 or more commands typed at the terminal. To list them, type the command:


history

The return should be similar to the following.

12 mount /mnt/media
13 mount /media/floppy
14 ls /media/floppy
15 cp /media/floppy/ /root
16 cp /media/floppy/ /tmp
17 umount /media/floppy
18 mv /tmp/bk* /hotm/mike
19 mv /tmp/bk* /home/mike
20 ls
21 vi
22 chmod 755
23 ./
24 vi
25 ./
26 mount /media/floppy
28 ls -l /bin/bash
29 ls -l /bin/sh
30 ls -l /bin/sh > text
31 cat text
32 echo $SHELL
33 ls -l $HOME/TMP/*
34 ls -l $HOME/tmp/*
35 ls -l $HOME /tmp/*
36 ls -l $HOME /tmp/* /opt
37 ls -l $HOME /tmp/* /usr
38 mount /media/floppy


If the root history command returns nothing, it may be time to be suspicious, unless of course the history was cleared on purpose. A cracker will typically point the history file at /dev/null so that nothing is recorded and their tracks are covered. One way to check for this is to look at the history file itself. Use the command:


ls -l ~/.bash_history


The return should be something like the following:

-rw------- 1 root root 7364 2004-03-27 08:57 /root/.bash_history


If the output looks like this instead, there is a problem:

lrwxrwxrwx 1 root root 7364 2004-03-27 8:57 /root/.bash_history -> /dev/null


In the last example the history file is a symbolic link to /dev/null, so everything written to it is discarded and there will be no record of what a cracker is doing at the terminal.


It may be important to check the history files of other users as well, depending on who actually uses the system. A cracker may gain access to an ordinary account and, before obtaining root access, use that account for exploration and for developing their attack.
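The manual check above, extended to every account on the box, as an added example that is not part of the original article. It is a POSIX shell script; the function names, the file name check_history.sh used in the run guard, and the list of startup files it inspects are this example's own choices, not anything from the article. Besides the symlink-to-/dev/null case the article describes, it also reports history files that are missing or empty, and it looks in the shell startup files for settings that switch history recording off (HISTFILE pointed at /dev/null, a zero HISTSIZE, or history turned off with set +o history).

```shell
#!/bin/sh
# check_history.sh (added example, not the article's own code)
# Classifies each account's .bash_history and looks for history-disabling
# settings in shell startup files. Run as root so every home is readable.

# check_history_file FILE
# Prints one word: devnull-symlink, symlink, missing, empty, or ok.
check_history_file() {
    f=$1
    if [ -L "$f" ]; then
        # A symlink is suspicious on its own; one to /dev/null is the
        # case the article describes.
        if [ "$(readlink "$f")" = "/dev/null" ]; then
            echo devnull-symlink
        else
            echo symlink
        fi
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    else
        echo ok
    fi
}

# history_disabled_in_rc HOMEDIR
# Returns 0 (true) and prints the offending lines if any of the usual
# startup files in HOMEDIR turn history recording off; returns 1 otherwise.
# The set of startup files checked is an assumption of this example.
history_disabled_in_rc() {
    found=1
    for rc in "$1/.bashrc" "$1/.bash_profile" "$1/.profile"; do
        [ -f "$rc" ] || continue
        if grep -nE 'HISTFILE=/dev/null|HISTSIZE=0|HISTFILESIZE=0|unset HISTFILE|set \+o history' "$rc"; then
            found=0
        fi
    done
    return $found
}

# audit_histories
# One line per account: status, then the path. Anything other than "ok"
# deserves a closer look, as does any startup file flagged below it.
audit_histories() {
    for home in /root /home/*; do
        [ -d "$home" ] || continue
        printf '%-16s %s\n' "$(check_history_file "$home/.bash_history")" "$home/.bash_history"
        if history_disabled_in_rc "$home" >/dev/null; then
            printf '%-16s %s\n' "rc-disables-hist" "$home"
            history_disabled_in_rc "$home" | sed 's/^/    /'
        fi
    done
}

# Only run the audit when executed as the script file; sourcing the file
# just defines the functions.
case "${0##*/}" in
    check_history.sh) audit_histories ;;
esac
```

Save the block as check_history.sh and run it as root with sh check_history.sh. A "devnull-symlink" line is the exact condition the article's ls -l output shows; "missing" or "empty" on an account that is used interactively, or a startup file that sets HISTFILE to /dev/null, deserves the same suspicion.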

Copyright CyberMontana Inc. and

All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874