Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Strange command histories in hacked shell server

from [Valdis . Kletnieks] Network Security [Permanent Link]
Subject: Re: Strange command histories in hacked shell server
Date: Fri, 17 Dec 2004 14:37:06 -0500 
On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:


Dec 14 04 00:20:50     9665 m.. -rw-r--r-- tugstugi 
unix     /home/tsgan/.tmp/known_hosts
                        9665 m.c -rw-r--r-- tugstugi 
unix     /home/tugstugi/.ssh/known_hosts

Dec 15 04 19:12:21     1002 m.c -rw------- tugstugi 
unix     /home/tugstugi/.shrc
...
Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to 
home/tsgan/.tmp/known_hosts.
I don't know why.


Have you considered maybe "Save a copy in .tmp before uploading/updating
it, just in case I screw up"? :)


sshd             -F      tsgan            __         0.02 secs Tue Dec 14 
00:27
sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 
00:27
cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 
00:28
su               -       tsgan            ttyp0      0.00 secs Tue Dec 14 
00:28
sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 14 
00:27
^^^^^^
stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 
00:27
stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 
00:27
^^^^^^
fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 14 
00:27
...

I don't quite understand why he used sleep and stty commands in above.
My suspect is tty hijacking. Am I right? Correct me if I'm wrong.


My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 
'sleep',
and those happened at login - the first *real* command actually issued was
probably a 'su -c cat something', after which the person logged out, causing the
login 'sh' and 'sshd' to exit.

Attachment: pgpQYJEQMXDN3.pgp
Description: PGP signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IIS web server hacked..any tips?, David LeBlanc
Next by Date:  Re: IIS web server hacked..any tips?, Valdis . Kletnieks
Previous by Thread:  Strange command histories in hacked shell server, Ganbold
Next by Thread:  Re: Strange command histories in hacked shell server, Ganbold
Indexes:  [Date] [Thread] [Top] [All Lists]