[wplug] Warning: `//root/.bash_history' file size is zero
Alexandros Papadopoulos
apapadop at alumni.cmu.edu
Sun Apr 9 13:53:28 EDT 2006
Hi all!

Today I got this warning on a Debian server I maintain. Googling gave me
a vague uneasiness as to whether the machine has been cracked or not.
It seems too far-fetched to believe that someone went into all the
trouble of breaking in [0] and then couldn't do anything better to
cover his/her tracks than deleting the /root/.bash_history file. I
mean, I would at least write a "ls -al" in there, just to keep the cron
scripts that check such things from complaining.

I've checked /var/log/auth.log and the only logins I see there are my
own - I manage it by exception, so I only login periodically to run
apt-get update && apt-get upgrade and perhaps once a month to check
that everything is in order (even though there are scripts to check the
arrays and such).

So my question is quite open-ended I guess... Does anyone have any
experience or any insight as to how that file could have been
deleted/emptied, excluding a very careless attacker? Could this be a
bug of some cron-invoked program?

Thanks in advance for any help - I hope it turns out that I'm all
stressed for no real reason :-]

-A

[0] Debian GNU/Linux stable (sarge), which sits at the border of a
corporate network and acts as firewall/router/HTTP proxy/DNS cache. The
only window of vulnerability is its public IP - the box acts as a VPN
endpoint for multiple VPNs, so OpenVPN has to have some ports listening
on the public interface. The OpenVPN daemon is running as user:group
nobody:nogroup. No other services are listening externally and the
firewall (iptables) is DROPping everything other than VPN traffic
anyway.
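As an added example (not part of the original post, and not a Debian or wplug tool), here is a small POSIX shell triage script for the situation described above. A zero-byte root history often has a benign cause: bash rewrites .bash_history when an interactive shell exits, so HISTSIZE=0 or HISTFILESIZE=0 in a startup file leaves it empty at every logout, and some administrators symlink the file to /dev/null outright. The script classifies the file and, for an unexplained empty file, prints its modification time next to the most recent accepted logins from auth.log so the two can be compared against the maintainer's own login times. The file names, the "admin" user and the auth.log lines in the demo are constructed; GNU stat (as on Debian) is assumed for the timestamp format.

```shell
#!/bin/sh
# Added example, not from the original post: triage an empty root
# .bash_history. Rule out the common benign explanations (history switched
# off in a startup file, file symlinked to /dev/null) before comparing the
# file's timestamp with the logins recorded in auth.log.

# classify_history <history_file> <startup_file>
# Prints one of: missing, devnull-symlink, nonempty, disabled-in-rc, empty.
classify_history() {
    hist="$1"
    rc="$2"
    if [ ! -e "$hist" ] && [ ! -L "$hist" ]; then
        echo "missing"
        return 0
    fi
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo "devnull-symlink"
        return 0
    fi
    if [ -s "$hist" ]; then
        echo "nonempty"
        return 0
    fi
    # Zero-byte file: is history simply disabled in the startup file?
    if [ -r "$rc" ] && grep -Eq '^[[:space:]]*(export[[:space:]]+)?(HISTSIZE|HISTFILESIZE)=0([[:space:]]|$)' "$rc"; then
        echo "disabled-in-rc"
        return 0
    fi
    echo "empty"
}

# report <history_file> <startup_file> <auth_log>
# Prints the verdict; for an unexplained empty file also prints when it was
# last written and the most recent accepted logins, so the two can be
# compared by hand. GNU stat is assumed for the -c format.
report() {
    hist="$1"
    rc="$2"
    authlog="$3"
    verdict=$(classify_history "$hist" "$rc")
    echo "$hist: $verdict"
    if [ "$verdict" = "empty" ]; then
        echo "  last modified: $(stat -c '%y' "$hist" 2>/dev/null || echo unknown)"
        echo "  recent accepted logins in $authlog:"
        if [ -r "$authlog" ]; then
            grep 'Accepted' "$authlog" | tail -n 5 | sed 's/^/    /'
        fi
    fi
    return 0
}

# Demonstration on constructed files only; no real host data is read.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/bash_history"                       # zero bytes, as in the warning
    printf 'export HISTSIZE=0\n' > "$d/bashrc_off"
    printf 'alias ll="ls -al"\n' > "$d/bashrc_on"
    # constructed auth.log lines in the syslog format sshd uses on Debian
    cat > "$d/auth.log" <<'EOF'
Apr  8 09:12:31 fw sshd[2231]: Accepted publickey for admin from 10.1.1.20 port 40122 ssh2
Apr  9 11:40:05 fw sshd[2987]: Accepted publickey for admin from 10.1.1.20 port 40310 ssh2
EOF
    report "$d/bash_history" "$d/bashrc_off" "$d/auth.log"   # disabled-in-rc
    report "$d/bash_history" "$d/bashrc_on" "$d/auth.log"    # empty, with context
    rm -rf "$d"
}

demo
```

On the real host the call would be `report /root/.bash_history /root/.bashrc /var/log/auth.log` (also worth checking /root/.bash_profile and /etc/profile for the same variables). A modification time that does not line up with any login in auth.log is the case that deserves a closer look; one that matches the maintainer's last logout is what a history rewrite at shell exit looks like.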