Security Incidents mailing list archives
Re: Strange command histories in hacked shell server
From: Valdis.Kletnieks () vt edu
Date: Fri, 17 Dec 2004 14:37:06 -0500
On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
> Dec 14 04 00:20:50  9665 m.. -rw-r--r-- tugstugi unix /home/tsgan/.tmp/known_hosts
>                     9665 m.c -rw-r--r-- tugstugi unix /home/tugstugi/.ssh/known_hosts
> Dec 15 04 19:12:21  1002 m.c -rw------- tugstugi unix /home/tugstugi/.shrc
> ...
> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to /home/tsgan/.tmp/known_hosts. I don't know why.
Have you considered maybe "Save a copy in .tmp before uploading/updating it, just in case I screw up"? :)
> sshd    -F   tsgan   __     0.02 secs Tue Dec 14 00:27
> sh      -    tsgan   ttyp0  0.02 secs Tue Dec 14 00:27
> cat     -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:28
> su      -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:28
> sleep   -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty    -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
> stty    -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
> ...
> I don't quite understand why he used the sleep and stty commands in the above. My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep', and those happened at login - the first *real* command actually issued was probably a 'su -c cat something', after which the person logged out, causing the login 'sh' and 'sshd' to exit.
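The reading above (start-up commands from .login first, then the one command a person actually typed, then the login shell and sshd exiting at logout) can be checked mechanically. The script below is an added example, not code from the thread: it parses lastcomm-style process-accounting records, groups them by user and tty, and separates the leading run of typical login-script commands from the first interactive one. The sample input is transcribed from the records quoted in the thread; the list of "login-script" command names and the assumption that lastcomm prints the most recently exited process first are the author's assumptions, and should be checked against the site's dotfiles and the platform's lastcomm(1).

```python
"""Group BSD process-accounting records (lastcomm output) into login sessions
and separate shell start-up noise from the first genuinely interactive command."""
import re
from collections import defaultdict

# One lastcomm line: command, flags, user, tty, CPU seconds, exit timestamp.
LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+) secs\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)$"
)

# Assumption: commands like these are typically launched from .login/.profile
# and are not, on their own, evidence of a person typing. Adjust per site.
LOGIN_SCRIPT_CMDS = {"stty", "fortune", "sleep", "mesg", "tset", "uname", "hostname"}
LOGIN_SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}

# Constructed sample, transcribed from the records quoted in the thread.
SAMPLE = """\
sshd    -F   tsgan   __     0.02 secs Tue Dec 14 00:27
sh      -    tsgan   ttyp0  0.02 secs Tue Dec 14 00:27
cat     -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:28
su      -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:28
sleep   -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
stty    -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
stty    -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
fortune -    tsgan   ttyp0  0.00 secs Tue Dec 14 00:27
"""


def parse_lastcomm(text):
    """Parse lastcomm output and return records oldest-exit first.

    Assumption: lastcomm prints the most recently exited process first, so the
    list is reversed to get chronological exit order. Lines that do not parse
    (separators, annotations such as '^^^^^^') are skipped."""
    records = []
    for line in text.splitlines():
        m = LASTCOMM_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    records.reverse()
    return records


def sessions(records):
    """Group records by (user, tty). Accounting records carry no session id, so
    the tty is the best available key; '__' (no tty) collects daemons."""
    by_tty = defaultdict(list)
    for r in records:
        by_tty[(r["user"], r["tty"])].append(r)
    return dict(by_tty)


def classify(session_records):
    """Split one tty session into the login shell, start-up noise and
    interactive commands. The login shell exits at logout, so in exit order it
    is the last shell in the session; the leading run of start-up commands is
    whatever .login/.profile ran before the first command a person typed."""
    shell = next((r for r in reversed(session_records) if r["cmd"] in LOGIN_SHELLS), None)
    startup, interactive = [], []
    for r in session_records:
        if r is shell:
            continue
        if not interactive and r["cmd"] in LOGIN_SCRIPT_CMDS:
            startup.append(r)
        else:
            interactive.append(r)
    return {"login_shell": shell, "startup": startup, "interactive": interactive}


def report(text):
    """Return one summary line per tty session: what was start-up noise and
    which command was the first real one."""
    lines = []
    for (user, tty), recs in sorted(sessions(parse_lastcomm(text)).items()):
        if tty == "__":
            continue  # no terminal: daemons such as sshd, not a login session
        c = classify(recs)
        first = c["interactive"][0]["cmd"] if c["interactive"] else None
        shell_name = c["login_shell"]["cmd"] if c["login_shell"] else "?"
        lines.append(
            f"{user}@{tty}: shell={shell_name} "
            f"startup={[r['cmd'] for r in c['startup']]} first_interactive={first}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the sample, the ttyp0 session comes out as start-up noise fortune, stty, stty, sleep, with su as the first interactive command, which is the reading given above. The heuristic only works as far as the LOGIN_SCRIPT_CMDS list matches the account's actual dotfiles, so compare it with the .login/.profile on the box before trusting the split, and remember that accounting timestamps are minute-granular exit times, not start times.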