[wplug] Warning: `//root/.bash_history' file size is zero
Christopher DeMarco
cmd at alephant.net
Sun Apr 9 14:37:16 EDT 2006
On Sun, Apr 09, 2006 at 08:53:28PM +0300, Alexandros Papadopoulos wrote:
> trouble of breaking in [0] and then couldn't do anything better to
> cover his/her tracks than deleting the /root/.bash_history file. I
[snip]
> I've checked /var/log/auth.log and the only logins I see there are
Or perhaps .bash_history was the file s?he *didn't* modify. An
experienced intruder (or a good rootkit) will clear auth.log and
likely trojan your binaries so that ``who'' won't reveal the intruder.
Hate to fuel your paranoia but IMHO it's more likely that the empty
.bash_history *is* part of an intrusion, that rather than "couldn't
think of anything better to do" your h4X0r has hidden h(is|er) traces
from the rest of the audit trail.
> So my question is quite open-ended I guess... Does anyone have any
> experience or any insight as to how that file could have been
> deleted/emptied, excluding a very careless attacker? Could this be a
> bug of some cron-invoked program?
Google "bash_history missing OR delete", and variants, and see what
you dig up.
> Thanks in advance for any help - I hope it turns out that I'm all
> stressed for no real reason :-]
If you're paid for adminning this box, it's part of the job
description. Cops are suspicious; sysads are fascist and paranoid.
> only window of vulnerability is its public IP - the box acts as a
> VPN endpoint for multiple VPNs, so OpenVPN has to have some ports
With a VPN you have much wider exposure than you think -- what's the
state of all the remote endpoints? What kind of astraddle-the-road
malware-beset PCs do your VPN users login from? It's always possible
that somebody's VPN login has been keyboard-sniffed...
> on the public interface. The OpenVPN daemon is running as user:group
What about the *private* interface? Any services to attack there?
The skillful bad guys attack you from *inside* your perimeter...
Sleep well tonight ;-)
--
Christopher DeMarco <cmd at alephant.net>
Alephant Systems (http://alephant.net)
PGP public key at http://pgp.alephant.net
+1-412-708-9660
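The checks DeMarco's reply implies, as an added example that is not part of the thread: a POSIX sh script that looks for an emptied or discarded shell history, a cleared auth.log and modified binaries such as `who`, compared against a checksum baseline taken while the host was trusted. Everything is run against a constructed sandbox root built by `make_sandbox`, not the live system; the paths, file contents and the `baseline.sha256` name are assumptions for the demo, and `sha256sum -c --quiet` assumes GNU coreutils. On a real host the baseline and the tools doing the checking must come from trusted media, for exactly the reason given above: a rootkit that trojans `who` will happily trojan `sha256sum` and `ls` as well.

```shell
#!/bin/sh
# Added example, not code from the wplug thread. Runs entirely inside a
# throwaway sandbox root so it is safe to execute on any machine.

# Build a constructed filesystem root: take a known-good baseline first,
# then simulate the cleanup an experienced intruder would perform.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/root" "$root/var/log" "$root/usr/bin"
    printf 'genuine who binary (constructed)\n' > "$root/usr/bin/who"
    printf 'genuine ls binary (constructed)\n'  > "$root/usr/bin/ls"
    # Baseline recorded while the host is trusted. In production keep it
    # off-box or on read-only media, never on the host being checked.
    (cd "$root" && sha256sum usr/bin/who usr/bin/ls) > "$root/baseline.sha256"
    printf 'Apr  9 12:00:01 host sshd[123]: Accepted publickey for admin\n' \
        > "$root/var/log/auth.log"
    printf 'apt-get update\n' > "$root/root/.bash_history"
    # Simulated cleanup: emptied history, truncated auth.log, replaced who.
    : > "$root/root/.bash_history"
    : > "$root/var/log/auth.log"
    printf 'trojaned who binary (constructed)\n' > "$root/usr/bin/who"
    echo "$root"
}

# Print one FINDING line per indicator; the exit status is the number of
# findings, so 0 means nothing suspicious was seen.
audit_trail_checks() {
    root=$1; baseline=$2; n=0

    # 1. Shell history: zero bytes, or redirected to /dev/null.
    hist="$root/root/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo "FINDING: $hist is a symlink to /dev/null (history discarded)"; n=$((n+1))
    elif [ -e "$hist" ] && [ ! -s "$hist" ]; then
        echo "FINDING: $hist exists but is zero bytes"; n=$((n+1))
    fi

    # 2. Shell startup files that switch history off for future sessions.
    for rc in "$root/root/.bashrc" "$root/root/.bash_profile"; do
        [ -f "$rc" ] || continue
        if grep -Eq 'HISTFILE=/dev/null|HISTSIZE=0|unset[[:space:]]+HISTFILE' "$rc"; then
            echo "FINDING: shell history disabled in $rc"; n=$((n+1))
        fi
    done

    # 3. Login trail: an empty auth.log on a box that takes SSH logins is
    #    at least as suspicious as an empty history file.
    auth="$root/var/log/auth.log"
    if [ ! -s "$auth" ]; then
        echo "FINDING: $auth is missing or empty (login trail cleared?)"; n=$((n+1))
    fi

    # 4. Integrity of the binaries an intruder would trojan (who, ls, ...).
    #    With --quiet, sha256sum -c prints only "<path>: FAILED" lines.
    failed=$(cd "$root" && sha256sum -c --quiet "$baseline" 2>/dev/null) || true
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed" | sed 's/^/FINDING: binary modified: /'
        n=$((n + $(printf '%s\n' "$failed" | grep -c ': FAILED')))
    fi

    return "$n"
}

# Demo: ./audit_trail.sh --demo builds the sandbox, runs the checks and
# reports how many indicators were found.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sandbox)
    audit_trail_checks "$root" "$root/baseline.sha256" || echo "indicators found: $?"
    rm -rf "$root"
fi
```

Against the constructed sandbox the script reports three findings: the zero-byte history file, the empty auth.log and the modified `usr/bin/who`, while the untouched `usr/bin/ls` produces nothing. The thread's original symptom alone (an empty `.bash_history`) is the weakest of the four signals; the point of running them together is that a careless attacker trips the first check only, whereas the "experienced intruder" DeMarco describes tends to trip the others too.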