Re: Strange command histories in hacked shell server

[Ganbold <ganbold () micom mng net>]

At 03:37 AM 12/18/2004, you wrote:
> On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
> > Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to
> > home/tsgan/.tmp/known_hosts.
> > I don't know why.
>
> Have you considered maybe "Save a copy in .tmp before uploading/updating
> it, just in case I screw up"? :)

No, I think I didn't do that.

> > sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 
> 14 00:27
> > ^^^^^^
> > stty             -       tsgan            ttyp0      0.00 secs Tue Dec 
> 14 00:27
> > stty             -       tsgan            ttyp0      0.00 secs Tue Dec 
> 14 00:27
> > ^^^^^^
> > fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 
> 14 00:27
> > ...
> >
> > I don't quite understand why he used sleep and stty commands in above.
> > My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
>
> My suspect is that your .login contains a 'fortune', an 'stty' or two, and 
> a 'sleep',
> and those happened at login

I think probably not. Because standard FreeBSD .login contains only 
following line:

[ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips

>  - the first *real* command actually issued was
> probably a 'su -c cat something', after which the person logged out, 
> causing the
> login 'sh' and 'sshd' to exit.

stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:23
su               -       tsgan            #C:5:0x2   0.02 secs Tue Dec 14 00:23
cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
sleep            -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
stty             -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
stty             -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
fortune          -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
...
Do you know what does "#C:5:0x2" mean? I still don't know what it is.
Do you have some idea?

thanks,

Ganbold