[wplug] Warning: `//root/.bash_history' file size is zero

Alexandros Papadopoulos apapadop at alumni.cmu.edu
Sun Apr 9 13:53:28 EDT 2006


Hi all!

Today I got this warning on a Debian server I maintain. Googling gave me 
a vague uneasiness as to whether the machine has been cracked or not. 
It seems too far-fetched to believe that someone went into all the 
trouble of breaking in [0] and then couldn't do anything better to 
cover his/her tracks than deleting the /root/.bash_history file. I 
mean, I would at least write a "ls -al" in there, just to keep the cron 
scripts that check such things from complaining.

I've checked /var/log/auth.log and the only logins I see there are my 
own - I manage it by exception, so I only login periodically to run 
apt-get update && apt-get upgrade and perhaps once a month to check 
that everything is in order (even though there are scripts to check the 
arrays and such).

So my question is quite open-ended I guess... Does anyone have any 
experience or any insight as to how that file could have been 
deleted/emptied, excluding a very careless attacker? Could this be a 
bug of some cron-invoked program?

Thanks in advance for any help - I hope it turns out that I'm all 
stressed for no real reason :-]

-A

[0] Debian GNU/Linux stable (sarge), which sits at the border of a 
corporate network and acts as firewall/router/HTTP proxy/DNS cache. The 
only window of vulnerability is its public IP - the box acts as a VPN 
endpoint for multiple VPNs, so OpenVPN has to have some ports listening 
on the public interface. The OpenVPN daemon is running as user:group 
nobody:nogroup. No other services are listening externally and the 
firewall (iptables) is DROPping everything other than VPN traffic 
anyway.
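A defender's triage script for exactly this warning, added here as an example (it is not part of the original post or of anything on the wplug list): it classifies the history file, shows the mtime/ctime to compare against the logins in /var/log/auth.log and `last`, and greps root's rc files for settings that stop bash writing history at all (HISTSIZE=0, HISTFILESIZE=0, HISTFILE=/dev/null, unset HISTFILE, set +o history). It assumes GNU stat (present on Debian) and takes the paths to check as arguments.

```shell
#!/bin/sh
# Constructed triage helper for "/root/.bash_history file size is zero".
# Paths are passed in by the caller; nothing here modifies any file.

# classify_histfile FILE -> prints: missing | symlink-to-devnull | empty | nonempty
classify_histfile() {
    f=$1
    if [ -L "$f" ] && [ "$(readlink "$f")" = "/dev/null" ]; then
        echo symlink-to-devnull
        return 0
    fi
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    else
        echo nonempty
    fi
}

# rc_disables_history RCFILE... -> prints matching lines; returns 0 if any
# rc file contains a setting that prevents bash from writing history.
rc_disables_history() {
    found=1
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        if grep -nE '(HISTSIZE|HISTFILESIZE)=0([[:space:]]|$)|HISTFILE=/dev/null|unset[[:space:]]+HISTFILE|set[[:space:]]+\+o[[:space:]]+history' "$rc"; then
            found=0
        fi
    done
    return $found
}

# show_timestamps FILE -> size plus mtime/ctime (GNU stat) for comparison
# with login times from auth.log and `last`.
show_timestamps() {
    stat -c '%n size=%s mtime=%y ctime=%z' "$1"
}

# triage HISTFILE RCFILE... -> combined report
triage() {
    hist=$1; shift
    echo "history file: $(classify_histfile "$hist")"
    [ -e "$hist" ] && show_timestamps "$hist"
    if rc_disables_history "$@"; then
        echo "history writing is disabled by an rc file (matches above)"
    else
        echo "no history-disabling settings found in: $*"
    fi
}
```

On the box in question this would be run as root, e.g. `triage /root/.bash_history /root/.bashrc /root/.profile`; an "empty" file whose ctime is later than the last login in auth.log is the case that deserves a closer look, since root's own logout would have rewritten the file at login time, not afterwards.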
