List:       chkrootkit-users
Subject:    Re: [crt-users] zero length .bash_history
From:       "s. keeling" <keeling () spots ! ab ! ca>
Date:       2003-05-06 21:00:26

Incoming from Terry Browning:
> I've had false positives before (hidden process, mostly), so I'm 
> wondering if this is a real alert.
> I did look at the .bash_history file. It was zero length. I did get 
> rather anxious.

A zero length bash_history is a warning that maybe, possibly, somebody
might have ...  gotten in, did some horrible stuff, then deleted the
history in an attempt to cover their tracks.

I'd be suspicious, but I wouldn't consider it conclusive proof.  I
doubt reinstalling bash would have any effect whatever on the problem
except to eliminate one of many potentially trojaned binaries.

> So .. I've just reinstalled Mandrake 8.1's bash from the distribution 
> CDROM. Everything looks OK. The history records everything since I 
> started following up chkrootkit .39a's warning. I checked the filesize 
> of bash against the copy in the CDROM's .rpm & both were the same size 
> before I --forced the reinstall.
> Maybe this was just a result of my nighttime tinkering?
> Has anyone any experience of this?

I'd go over it with a fine-toothed comb (log files, checksummed
binaries, ...); trust me, you can learn a lot by doing that.  If you
really need that machine to be secure, consider re-installing on
principle.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)               http://www.spots.ab.ca/~keeling 
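Editor's note: the checks discussed in this thread (a history file that has been emptied or redirected, and a binary compared against a known-good copy) can be scripted. The script below is an added example, not code from the list or from chkrootkit. It builds its own sample home directories and sample "binaries" in a temporary directory (constructed data, labelled as such), so it runs offline and never touches real accounts. The user names alice, bob, carol and dave and the file names bash.good and bash.bad are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): scripted versions of the
# two checks discussed in the thread. All data below is constructed.

# check_history HOME
# Returns 1 (and prints why) when HOME/.bash_history looks tampered with:
# a symlink (typically to /dev/null), missing entirely, or zero length.
# Returns 0 when the file exists and has content.
check_history() {
    hist="$1/.bash_history"
    if [ -L "$hist" ]; then
        printf '%s: .bash_history is a symlink -> %s\n' "$1" "$(readlink "$hist")"
        return 1
    elif [ ! -e "$hist" ]; then
        printf '%s: no .bash_history at all\n' "$1"
        return 1
    elif [ ! -s "$hist" ]; then
        printf '%s: zero-length .bash_history\n' "$1"
        return 1
    fi
    return 0
}

# file_hash FILE: print the SHA-256 of FILE (sha256sum on GNU systems,
# shasum on BSD/macOS).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_binary FILE EXPECTED_HASH
# Returns 0 only when FILE hashes to EXPECTED_HASH. A size comparison alone
# cannot catch a same-size replacement, so compare a cryptographic hash
# taken from a trusted source (installation media, or a checksum database
# recorded when the machine was known clean).
verify_binary() {
    [ "$(file_hash "$1")" = "$2" ]
}

# make_sample: build constructed home directories under a temp dir and
# print that dir. alice is clean; bob, carol and dave each show one sign.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice" "$dir/bob" "$dir/carol" "$dir/dave"
    printf 'ls -la\nwho\nlast\n' > "$dir/alice/.bash_history"   # normal history
    : > "$dir/bob/.bash_history"                                 # emptied
    ln -s /dev/null "$dir/carol/.bash_history"                   # redirected
    # dave: history file deleted outright
    printf '%s\n' "$dir"
}

# make_binaries DIR: two constructed "binaries" of identical size that
# differ in one byte, the case a size check alone cannot distinguish.
make_binaries() {
    printf 'constructed-binary-contents-0123456789' > "$1/bash.good"
    printf 'constructed-binary-contents-0123456780' > "$1/bash.bad"
}

# --- demo on the constructed data ---
demo_dir=$(make_sample)
for h in "$demo_dir"/*/; do
    check_history "${h%/}" || true
done
make_binaries "$demo_dir"
good_hash=$(file_hash "$demo_dir/bash.good")
if verify_binary "$demo_dir/bash.bad" "$good_hash"; then
    echo "bash.bad: hash matches"
else
    echo "bash.bad: hash mismatch despite same size ($(wc -c < "$demo_dir/bash.bad" | tr -d ' ') bytes)"
fi
rm -rf "$demo_dir"
```

On an RPM-based system such as the Mandrake release in the thread, `rpm -V bash` performs a similar comparison of installed files against the hashes recorded in the package database, but if rpm itself or the database has been tampered with it will happily report a clean system; hashing against the copy on the installation CD from a known-clean boot is the stronger check.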