Security Incidents mailing list archives
Re: Strange command histories in hacked shell server
From: Ganbold <ganbold () micom mng net>
Date: Sun, 19 Dec 2004 18:00:36 +0800
At 03:37 AM 12/18/2004, you wrote:
>On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
>> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to
>> home/tsgan/.tmp/known_hosts.
>> I don't know why.
>
>Have you considered maybe "Save a copy in .tmp before uploading/updating it,
>just in case I screw up"? :)
No, I think I didn't do that.
>> sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
>> ^^^^^^
>> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
>> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
>> ^^^^^^
>> fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
>> ...
>>
>> I don't quite understand why he used sleep and stty commands in above.
>> My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
>
>My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep',
>and those happened at login
I think probably not, because the standard FreeBSD .login contains only the following line:
[ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips
>- the first *real* command actually issued was
>probably a 'su -c cat something', after which the person logged out, causing the
>login 'sh' and 'sshd' to exit.
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
...

Do you know what "#C:5:0x2" means? I still don't know what it is. Do you have some idea?

thanks,

Ganbold
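An added example, not part of this thread, for reading listings like the one above: a small Python parser for lastcomm(1) output that puts the records back into exit-time order, groups them per tty, and reports where the accounting user changes on a single terminal. The sample lines are the records quoted in the message, re-typed one per line. Two things are this example's own assumptions rather than statements from the thread: the column layout the regular expression expects, and the reading of the "#C:5:0x2" form as the "#C:major:minor" string FreeBSD's devname(3) falls back to when it cannot map a character device number to a name in /dev.

```python
import re

# Shape of one lastcomm(1) record, assumed from the lines quoted in the thread
# (other versions pad the columns differently but keep the same order):
#   command  flags  user  tty  cpu-seconds "secs"  date
LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)\s*$"
)

# The records quoted in the message, re-typed one per line in the order
# lastcomm printed them (most recent first). Sample input for this example only.
SAMPLE = """\
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
...
"""


def parse_lastcomm(text):
    """Parse lastcomm output into a list of dicts, oldest record first.

    lastcomm lists newest first, and an accounting record is written when the
    process *exits*, so the reversed list is an exit-time timeline, not a
    start-time one: a long-lived su or shell shows up after the commands it ran.
    """
    recs = []
    for line in text.splitlines():
        m = LASTCOMM_RE.match(line.strip())
        if m:  # skip "..." and anything else that is not a record
            rec = m.groupdict()
            rec["secs"] = float(rec["secs"])
            recs.append(rec)
    recs.reverse()
    return recs


def decode_tty(tty):
    """Explain the tty column.

    lastcomm turns the recorded device number into a name with devname(3).
    When that lookup fails (no matching node in /dev at the time lastcomm runs),
    FreeBSD's devname falls back to '#C:<major>:<minor>' for a character device
    or '#B:<major>:<minor>' for a block device. That reading of the '#C:' form
    is this example's assumption; the thread itself leaves the question open.
    """
    m = re.match(r"^#([CB]):(\d+):(0x[0-9a-fA-F]+|\d+)$", tty)
    if not m:
        return {"name": tty, "unresolved": False}
    kind, major, minor = m.groups()
    minor_num = int(minor, 16) if minor.startswith("0x") else int(minor)
    return {"name": tty, "unresolved": True,
            "type": "char" if kind == "C" else "block",
            "major": int(major), "minor": minor_num}


def user_switches(recs):
    """Return (from_user, to_user, last_cmd_before, when) for each point where
    the accounting user on one tty changes between consecutive records.

    The user column is the process's real uid, so commands run in the shell
    that su(1) starts are recorded under the target user. A change that is not
    next to an su record is the first thing to look at on a shared terminal.
    """
    switches = []
    last_on_tty = {}
    for r in recs:
        prev = last_on_tty.get(r["tty"])
        if prev is not None and prev["user"] != r["user"]:
            switches.append((prev["user"], r["user"], prev["cmd"], r["when"]))
        last_on_tty[r["tty"]] = r
    return switches


def timeline(recs):
    """One readable line per record, oldest first, with unresolved ttys decoded."""
    lines = []
    for r in recs:
        info = decode_tty(r["tty"])
        tty = r["tty"]
        if info["unresolved"]:
            tty = "%s (unresolved %s dev, major %d minor %d)" % (
                r["tty"], info["type"], info["major"], info["minor"])
        lines.append("%s  %-8s %-8s %s  %s" % (r["when"], r["user"], r["cmd"], r["flags"], tty))
    return lines


if __name__ == "__main__":
    records = parse_lastcomm(SAMPLE)
    print("\n".join(timeline(records)))
    for src, dst, cmd, when in user_switches(records):
        print("user changed %s -> %s on the same tty after '%s' at %s" % (src, dst, cmd, when))
```

Run against the quoted records it reports a single user change, tsgan to tugstugi, on the same tty, with the tsgan "su" record already closed before it. Because accounting records carry exit times, that ordering by itself does not say whether the tugstugi commands ran inside the su or in a separate login on a terminal that lastcomm could no longer name.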
Current thread:
- Strange command histories in hacked shell server Ganbold (Dec 17)
- Re: Strange command histories in hacked shell server Valdis . Kletnieks (Dec 17)
- Re: Strange command histories in hacked shell server Ganbold (Dec 20)
- Re: Strange command histories in hacked shell server Jim Halfpenny (Dec 22)
- Re: Strange command histories in hacked shell server Valdis . Kletnieks (Dec 17)