Re: Strange command histories in hacked shell server

[Valdis.Kletnieks () vt edu]

On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:

> Dec 14 04 00:20:50     9665 m.. -rw-r--r-- tugstugi 
> unix     /home/tsgan/.tmp/known_hosts
>                         9665 m.c -rw-r--r-- tugstugi 
> unix     /home/tugstugi/.ssh/known_hosts
>
> Dec 15 04 19:12:21     1002 m.c -rw------- tugstugi 
> unix     /home/tugstugi/.shrc
> ...
> Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to 
> home/tsgan/.tmp/known_hosts.
> I don't know why.

Have you considered maybe "Save a copy in .tmp before uploading/updating
it, just in case I screw up"? :)

> sshd             -F      tsgan            __         0.02 secs Tue Dec 14 00:27
> sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 00:27
> cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
> su               -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
> sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> ...
>
> I don't quite understand why he used sleep and stty commands in above.
> My suspect is tty hijacking. Am I right? Correct me if I'm wrong.

My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep',
and those happened at login - the first *real* command actually issued was
probably a 'su -c cat something', after which the person logged out, causing the
login 'sh' and 'sshd' to exit.

Attachment: _bin
Description: