At 03:37 AM 12/18/2004, you wrote:
On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
> Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to
> home/tsgan/.tmp/known_hosts.
> I don't know why.
Have you considered maybe "Save a copy in .tmp before uploading/updating
it, just in case I screw up"? :)
No, I think I didn't do that.
> sleep - tsgan ttyp0 0.00 secs Tue Dec
14 00:27
> ^^^^^^
> stty - tsgan ttyp0 0.00 secs Tue Dec
14 00:27
> stty - tsgan ttyp0 0.00 secs Tue Dec
14 00:27
> ^^^^^^
> fortune - tsgan ttyp0 0.00 secs Tue Dec
14 00:27
> ...
>
> I don't quite understand why he used sleep and stty commands in above.
> My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
My suspect is that your .login contains a 'fortune', an 'stty' or two, and
a 'sleep',
and those happened at login
I think probably not. Because standard FreeBSD .login contains only
following line:
[ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips
- the first *real* command actually issued was
probably a 'su -c cat something', after which the person logged out,
causing the
login 'sh' and 'sshd' to exit.
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14
00:23
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
...
Do you know what does "#C:5:0x2" mean? I still don't know what it is.
Do you have some idea?
thanks,
Ganbold
