Re: bash_history set to zero length
- From: responder <no@xxxxxxxxxxxx>
- Date: Mon, 18 Sep 2006 23:41:55 -0400
Kevin Bailey wrote:
> And are there any reasons for the bash_history file to get set to zero -
> say for a broken ssh session - caused by a backup script logging in from
> a backup server over ssh using a key etc?
> I've had chkrootkit report the zero size file - but can find absolutely
> no other sign of a compromise.
There would not seem to be any valid reason for the various /.bash_history
files [all] to be zeroed. To be more thorough you could check them all -
# ll /root/.bash_history
# ll /home/[any_user_0]/.bash_history
.... - etc.
If you have set an IDS baseline (as [i.e.] tripwire or aide ...), (and
stored on read-only media) you can check to see if your executable system
files have been altered. If you have not done this, you have little or no
reason to expect anything innocent. Please don't shoot the messenger, and
sorry to say, but if you do not have an explanation immediately at hand,
disconnect and rebuild from scratch or backup, as in last known secure
backup. We all dread this, and I am sorry that this misfortune has come
into your life.
Good luck and best wishes. But please do disconnect. Thank you.
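
The per-account check suggested in the message above, as an added example that is not part of the original post: it walks a passwd-format file and reports whether each account's `.bash_history` is normal, zero length, missing, or a symlink. The names `check_histories` and `make_sample`, the status labels, and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Report the state of every account's .bash_history.
# Usage: check_histories PASSWD_FILE [ROOT_PREFIX]
# Output: STATUS<TAB>USER<TAB>PATH, one line per distinct history path.
check_histories() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        # Skip accounts whose home directory does not exist.
        [ -n "$home" ] && [ -d "$root$home" ] || continue
        hist="$root$home/.bash_history"
        if [ -L "$hist" ]; then
            # A link (for example to /dev/null) silently discards history.
            status="SYMLINK:$(readlink "$hist")"
        elif [ ! -e "$hist" ]; then
            status=MISSING
        elif [ ! -s "$hist" ]; then
            status=ZERO
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$user" "$hist"
    # Accounts that share a home directory are reported once.
    done < "$passwd_file" | awk -F'\t' '!seen[$3]++'
}

# Constructed sample: a throwaway tree with one account in each state.
make_sample() {
    d=$1
    mkdir -p "$d/root" "$d/home/alice" "$d/home/bob" "$d/home/carol"
    : > "$d/root/.bash_history"                        # zero length
    printf 'ls -l\n' > "$d/home/alice/.bash_history"   # normal
    ln -s /dev/null "$d/home/bob/.bash_history"        # history discarded
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
toor:x:0:0::/root:/bin/bash
nohome:x:1003:1003::/home/gone:/bin/false
EOF
}

# On a live host: check_histories /etc/passwd
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d) && make_sample "$t" && check_histories "$t/passwd" "$t"
    rm -rf "$t"
fi
```

A ZERO or SYMLINK line is only an indicator to follow up on; comparing system binaries against a baseline stored on read-only media is still the stronger check.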