Re: Strange command histories in hacked shell server

From: Ganbold (ganboldmicom.mng.net)
Date: Sun Dec 19 2004 - 04:00:36 CST


At 03:37 AM 12/18/2004, you wrote:
>On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
> > Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to
> > home/tsgan/.tmp/known_hosts.
> > I don't know why.
>
>Have you considered maybe "Save a copy in .tmp before uploading/updating
>it, just in case I screw up"? :)

No, I think I didn't do that.

> > sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> > ^^^^^^
> > stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> > stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> > ^^^^^^
> > fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> > ...
> >
> > I don't quite understand why he used sleep and stty commands in above.
> > My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
>
>My suspect is that your .login contains a 'fortune', an 'stty' or two, and
>a 'sleep', and those happened at login

I think probably not, because the standard FreeBSD .login contains only the
following line:

[ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips

> - the first *real* command actually issued was probably a
>'su -c cat something', after which the person logged out, causing the
>login 'sh' and 'sshd' to exit.

stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
...

Do you know what "#C:5:0x2" means? I still don't know what it is.
Do you have any idea?

thanks,

Ganbold
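The reasoning in the reply above (skip the `fortune`/`stty`/`sleep` records that a login script produces, find the first command the person actually typed, and watch for the user changing on the same tty after an `su`) can be applied mechanically to process-accounting output. The following is an added example written for this archive page, not code posted by either list member. It parses lastcomm(1)-style lines into records, reverses them into chronological order (lastcomm prints the newest record first), and reports per tty the first non-noise command and any user switches. The sample listing is constructed to resemble the lines quoted in the thread, the `LOGIN_NOISE` set is an assumption taken from the reply's guess about .login, and the field layout is assumed to match the quoted output; unusual tty tokens such as the `#C:5:0x2` seen in the thread are kept as opaque strings rather than interpreted.

```python
import re
from collections import defaultdict

# Constructed sample in lastcomm(1) format, modelled on the lines quoted in
# the thread (not a real capture). Newest record comes first, as lastcomm prints it.
SAMPLE_LASTCOMM = """\
stty     -  tugstugi ttyp0 0.00 secs Tue Dec 14 00:23
stty     -  tugstugi ttyp0 0.00 secs Tue Dec 14 00:23
ls       -  tugstugi ttyp0 0.00 secs Tue Dec 14 00:23
id       -  tugstugi ttyp0 0.00 secs Tue Dec 14 00:23
ls       -  tugstugi ttyp0 0.00 secs Tue Dec 14 00:23
cat      -  tsgan    ttyp0 0.00 secs Tue Dec 14 00:23
su       -  tsgan    ttyp0 0.02 secs Tue Dec 14 00:23
cat      -  tsgan    ttyp0 0.00 secs Tue Dec 14 00:22
sleep    -  tsgan    ttyp0 0.00 secs Tue Dec 14 00:22
stty     -  tsgan    ttyp0 0.00 secs Tue Dec 14 00:22
stty     -  tsgan    ttyp0 0.00 secs Tue Dec 14 00:22
fortune  -  tsgan    ttyp0 0.00 secs Tue Dec 14 00:22
"""

# Assumption: commands a login script (.login / .profile) runs before the user
# types anything. They are treated as noise, not as operator activity.
LOGIN_NOISE = frozenset({"fortune", "stty", "sleep"})

# One lastcomm record: command, flags, user, tty, cpu seconds, timestamp.
# The tty field accepts any non-blank token, so "#C:5:0x2" parses unchanged.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d)$"
)


def parse_lastcomm(text):
    """Parse lastcomm-style lines into dicts, returned oldest record first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip "..." markers and anything that does not parse
            records.append(m.groupdict())
    records.reverse()  # lastcomm output is newest-first; analysis wants chronological
    return records


def summarize_tty(records):
    """Per tty: first non-noise command, user switches (e.g. after su), and the
    full command sequence in chronological order."""
    by_tty = defaultdict(list)
    for r in records:
        by_tty[r["tty"]].append(r)

    report = {}
    for tty, recs in by_tty.items():
        first_real = next((r for r in recs if r["cmd"] not in LOGIN_NOISE), None)
        switches = [
            (prev["user"], cur["user"], cur["when"])
            for prev, cur in zip(recs, recs[1:])
            if cur["user"] != prev["user"]
        ]
        report[tty] = {
            "first_real": (first_real["cmd"], first_real["user"], first_real["when"])
            if first_real else None,
            "user_switches": switches,
            "commands": [r["cmd"] for r in recs],
        }
    return report


if __name__ == "__main__":
    for tty, info in summarize_tty(parse_lastcomm(SAMPLE_LASTCOMM)).items():
        print(tty, info["first_real"], info["user_switches"])
```

Run against a real listing, the interesting output is the `first_real` tuple (what was typed once the login script finished) and `user_switches`, which makes an `su` from one account to another on the same tty stand out even when the accounting records themselves are spread over many lines.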