Re: Strange command histories in hacked shell server
Valdis.Kletnieks
vt.edu
Date: Fri Dec 17 2004 - 13:37:06 CST
On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
> Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi
> unix /home/tsgan/.tmp/known_hosts
> 9665 m.c -rw-r--r-- tugstugi
> unix /home/tugstugi/.ssh/known_hosts
>
> Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi
> unix /home/tugstugi/.shrc
> ...
> Somehow it seems he copied /home/tugstugi/.ssh/known_hosts to
> /home/tsgan/.tmp/known_hosts.
> I don't know why.
Have you considered maybe "Save a copy in .tmp before uploading/updating
it, just in case I screw up"? :)
> sshd -F tsgan __ 0.02 secs Tue Dec 14 00:27
> sh - tsgan ttyp0 0.02 secs Tue Dec 14 00:27
> cat - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
> su - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
> sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ...
>
> I don't quite understand why he used sleep and stty commands in above.
> My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep',
and those happened at login - the first *real* command actually issued was
probably a 'su -c cat something', after which the person logged out, causing the
login 'sh' and 'sshd' to exit.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFBwzVicC3lWbTT17ARArC0AKDf4Fh2nygIXAxqk6S6mL8L1GaqEACfQ/O9
k1NmuOv4dIknmLFuYDQ+zVg=
=E5rZ
-----END PGP SIGNATURE-----
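The reasoning in the reply above (sleep, stty and fortune all share the login minute, so they are rc-file noise, and the first operator-typed command is the one that starts later) can be mechanised when you are wading through a large accounting file. The following is an added example, not code from the thread or from either poster; it parses lines in the column layout BSD lastcomm(1) prints, splits each tty session into the "login burst" and the commands started afterwards, and recovers the termination order (lastcomm lists the most recently terminated process first). The sample lines are re-typed from the quoted excerpt as constructed test data, the year is supplied by the caller because lastcomm prints none, and RC_COMMANDS is an assumed list of commands typical of .login/.profile files, to be adjusted to the site's actual rc files.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the column order BSD lastcomm(1) prints:
# command, flags, user, tty, CPU time, start time.  The values mirror the
# excerpt quoted in the thread but are re-typed here as test data, not read
# from any real accounting file.
SAMPLE = """\
sshd    -F tsgan __    0.02 secs Tue Dec 14 00:27
sh      -  tsgan ttyp0 0.02 secs Tue Dec 14 00:27
cat     -  tsgan ttyp0 0.00 secs Tue Dec 14 00:28
su      -  tsgan ttyp0 0.00 secs Tue Dec 14 00:28
sleep   -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
stty    -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
stty    -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
fortune -  tsgan ttyp0 0.00 secs Tue Dec 14 00:27
"""

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+)\s+secs\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hm>\d\d:\d\d)$"
)

# Assumed list of commands that shell start-up files commonly run; tune it
# to what the site's .login/.profile/.shrc actually contain.
RC_COMMANDS = {"stty", "sleep", "fortune", "tset", "uname", "mesg", "biff", "hostname"}
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh"}


def parse_lastcomm(text, year):
    """Parse lastcomm output into dicts.  lastcomm prints no year, so the
    caller supplies it.  Entries keep their file position, which is the
    reverse of termination order (most recently exited process first)."""
    entries = []
    for pos, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines the extractor mangled
        start = datetime.strptime(f"{m['mon']} {m['day']} {m['hm']} {year}",
                                  "%b %d %H:%M %Y")
        entries.append({"cmd": m["cmd"], "flags": m["flags"], "user": m["user"],
                        "tty": m["tty"], "cpu": float(m["cpu"]),
                        "start": start, "pos": pos})
    return entries


def exit_order(entries):
    """Command names in the order the processes terminated."""
    return [e["cmd"] for e in sorted(entries, key=lambda e: e["pos"], reverse=True)]


def split_sessions(entries):
    """Group by (user, tty).  The login burst is every process that started
    in the same minute as the earliest process on that tty; anything started
    later is what the operator actually typed.  Burst commands that are
    neither a shell nor in RC_COMMANDS are flagged for a closer look."""
    by_tty = defaultdict(list)
    for e in entries:
        if e["tty"] != "__":  # "__" means no controlling terminal (daemons)
            by_tty[(e["user"], e["tty"])].append(e)
    result = {}
    for key, procs in by_tty.items():
        login_at = min(p["start"] for p in procs)
        burst = [p["cmd"] for p in procs if p["start"] == login_at]
        later = sorted((p for p in procs if p["start"] > login_at),
                       key=lambda p: p["start"])
        result[key] = {
            "login_at": login_at,
            "login_burst": burst,
            "later": [p["cmd"] for p in later],
            "burst_not_in_rc": [c for c in burst
                                if c not in RC_COMMANDS and c not in SHELLS],
        }
    return result


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE, 2004)
    for (user, tty), s in split_sessions(recs).items():
        print(f"{user}@{tty} login {s['login_at']:%Y-%m-%d %H:%M}")
        print("  rc-file burst :", " ".join(s["login_burst"]))
        print("  typed later   :", " ".join(s["later"]))
        print("  unexplained   :", " ".join(s["burst_not_in_rc"]) or "(none)")
    print("termination order:", " ".join(exit_order(recs)))
```

Run against the sample, the ttyp0 session shows a burst of sh, sleep, stty, stty and fortune at 00:27 with nothing unexplained, and cat and su as the only commands started afterwards, which is exactly the reading given in the reply. Because the burst test is "same minute as the earliest process on the tty", a command that really was typed within the first minute would be misfiled into the burst; on a system whose accounting records carry full start times rather than minute resolution, tighten the comparison accordingly.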