Re: Strange command histories in hacked shell server
Valdis.Kletnieks_at_vt.edu
Date: 12/17/04
- Previous message: David LeBlanc: "RE: IIS web server hacked..any tips?"
- In reply to: Ganbold: "Strange command histories in hacked shell server"
- Next in thread: Ganbold: "Re: Strange command histories in hacked shell server"
- Reply: Ganbold: "Re: Strange command histories in hacked shell server"
- Reply: Jim Halfpenny: "Re: Strange command histories in hacked shell server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Ganbold <ganbold@micom.mng.net>
Date: Fri, 17 Dec 2004 14:37:06 -0500
On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
> Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi
> unix /home/tsgan/.tmp/known_hosts
> 9665 m.c -rw-r--r-- tugstugi
> unix /home/tugstugi/.ssh/known_hosts
>
> Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi
> unix /home/tugstugi/.shrc
> ...
> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to
> /home/tsgan/.tmp/known_hosts.
> I don't know why.
Have you considered maybe "Save a copy in .tmp before uploading/updating
it, just in case I screw up"? :)
> sshd -F tsgan __ 0.02 secs Tue Dec 14 00:27
> sh - tsgan ttyp0 0.02 secs Tue Dec 14 00:27
> cat - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
> su - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
> sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ...
>
> I don't quite understand why he used sleep and stty commands in above.
> My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep',
and those happened at login - the first *real* command actually issued was
probably a 'su -c cat something', after which the person logged out, causing the
login 'sh' and 'sshd' to exit.
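The reasoning in the reply above (login-profile commands show up in the accounting log alongside the one command a person actually typed) can be applied mechanically. The script below is an added example for this thread, not code from either poster. It parses lastcomm(1) output in the column layout quoted above (command, flags, user, tty, CPU seconds, exit time), groups records per tty, and buckets each command as login-profile noise, a session-bracketing process (sshd, the login shell) or something a human typed. The set of commands assumed to come from the user's .login (stty, sleep, fortune) is hypothetical and would be filled in from the real dotfiles; the year 2004 is taken from the message date because lastcomm does not print one. Process accounting stores no arguments, so the script can tell you that a `cat` and a `su` were the real activity, but not what was catted.

```python
"""Separate login-profile noise from real activity in lastcomm(1) output.

Added example for this thread, not code from the original post. It assumes
the lastcomm column layout quoted in the thread (command, flags, user, tty,
CPU seconds, exit time) and a hypothetical allow-list of commands that the
user's .login runs; both are assumptions, not facts about the hacked host.
"""
import re
from collections import defaultdict
from datetime import datetime

# The quoted lastcomm lines, reused here as sample input. lastcomm prints no
# year; 2004 is taken from the message date. The flags column is kept but not
# interpreted.
SAMPLE = """\
sshd    -F tsgan __    0.02 secs Tue Dec 14 00:27
sh      -  tsgan ttyp0 0.02 secs Tue Dec 14 00:27
cat     -  tsgan ttyp0 0.00 secs Tue Dec 14 00:28
su      -  tsgan ttyp0 0.00 secs Tue Dec 14 00:28
sleep   -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
stty    -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
stty    -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
fortune -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
"""

# Hypothetical: what the user's .login is assumed to run at every login.
# In a real case, read the dotfiles (or their mactime entries) and fill this in.
PROFILE_CMDS = {"stty", "sleep", "fortune"}
# Processes that bracket a session: they start at login and exit at logout.
SESSION_CMDS = {"sshd", "sh", "csh", "tcsh", "bash", "login"}

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+)\s+secs\s+\w{3}\s+(?P<when>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})$"
)


def parse_lastcomm(text, year):
    """Parse lastcomm lines into dicts ordered by exit time, oldest first.

    lastcomm prints newest first, so the list is reversed before a stable
    sort; records that exited within the same minute keep their true order.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or a layout this parser does not know
        rec = m.groupdict()
        rec["secs"] = float(rec["secs"])
        rec["exited"] = datetime.strptime(f"{year} {rec['when']}", "%Y %b %d %H:%M")
        records.append(rec)
    records.reverse()
    records.sort(key=lambda r: r["exited"])
    return records


def classify(rec, profile_cmds=PROFILE_CMDS):
    """Bucket one record: profile noise, session bracket, or a typed command."""
    if rec["cmd"] in profile_cmds:
        return "profile"
    if rec["cmd"] in SESSION_CMDS:
        return "session"
    return "interactive"


def sessions_by_tty(records, profile_cmds=PROFILE_CMDS):
    """Group records per tty and bucket them, preserving exit-time order."""
    out = defaultdict(lambda: {"profile": [], "session": [], "interactive": []})
    for rec in records:
        out[rec["tty"]][classify(rec, profile_cmds)].append(rec["cmd"])
    return dict(out)


def real_commands(text, year=2004, profile_cmds=PROFILE_CMDS):
    """Return {tty: [commands that were neither login noise nor the login shell]}."""
    grouped = sessions_by_tty(parse_lastcomm(text, year), profile_cmds)
    return {tty: b["interactive"] for tty, b in grouped.items() if b["interactive"]}


if __name__ == "__main__":
    for rec in parse_lastcomm(SAMPLE, 2004):
        print(f"{rec['exited']:%b %d %H:%M} {rec['tty']:6} {classify(rec):11} {rec['cmd']}")
    print("commands a person actually typed:", real_commands(SAMPLE))
```

Run against the quoted output, the only commands left in the "interactive" bucket for ttyp0 are `su` and `cat`, which is the conclusion the reply reaches by eye. If the dotfiles had been modified (the mactime output above shows `.shrc` touched on Dec 15), the allow-list must be built from the file contents as they were, not from what a clean account would run.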