List: chkrootkit-users
Subject: Re: [crt-users] zero length .bash_history
From: "s. keeling" <keeling () spots ! ab ! ca>
Date: 2003-05-06 21:00:26
Incoming from Terry Browning:
> I've had false positives before (hidden process, mostly), so I'm
> wondering if this is a real alert.
> I did look at the .bash_history file. It was zero length. I did get
> rather anxious.
A zero-length .bash_history is a warning that maybe, possibly, somebody
might have ... gotten in, done some horrible stuff, then deleted the
history in an attempt to cover their tracks.
I'd be suspicious, but I wouldn't consider it conclusive proof. I
doubt reinstalling bash would have any effect whatever on the problem
except to eliminate one of many potentially trojaned binaries.
> So .. I've just reinstalled Mandrake 8.1's bash from the distribution
> CDROM. Everything looks OK. The history records everything since I
> started following up chkrootkit .39a's warning. I checked the filesize
> of bash against the copy in the CDROM's .rpm & both were the same size
> before I --forced the reinstall.
> Maybe this was just a result of my nighttime tinkering?
> Has anyone any experience of this?
I'd go over it with a fine-toothed comb (log files, checksummed
binaries, ...); trust me, you can learn a lot by doing that. If you
really need that machine to be secure, consider re-installing on
principle.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
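The "fine-toothed comb" suggested above, as an added example that is not part of the thread: a small POSIX sh triage script that classifies the history file (an attacker who wants no future history often replaces ~/.bash_history with a symlink to /dev/null or sets HISTFILE/HISTSIZE in the shell startup files, which the chkrootkit check does not distinguish from a simple truncation), and that compares a binary against a known-good SHA-256 digest rather than its size, since a trojaned binary can be padded to the original size. The hypothetical sample files, the digest argument and the `sha256sum`/`readlink` dependencies are assumptions; on Mandrake the known-good reference would come from the distribution media, e.g. `rpm -Vp /path/to/bash-*.rpm`, and every check should be run from a clean boot medium, because the `ls`, `sha256sum` and `rpm` on a compromised host may themselves be trojaned.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage helpers for a
# suspicious ~/.bash_history and a digest check of a binary.
# Assumes POSIX sh plus readlink and sha256sum (GNU coreutils).

# classify_history FILE
# Prints one of: missing | devnull-symlink | symlink | zero-length | ok
# -L is tested before -e so a dangling symlink is still reported as a symlink.
classify_history() {
    f=$1
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        if [ "$target" = "/dev/null" ]; then
            echo devnull-symlink      # classic "no more history" trick
        else
            echo symlink              # history redirected elsewhere; look at it
        fi
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo zero-length              # truncated, or simply never written
    else
        echo ok
    fi
}

# history_disabled_in RCFILE
# Exit status 0 if the startup file contains a common history-disabling line.
history_disabled_in() {
    grep -Eq 'HISTFILE=(/dev/null|"")|HISTFILESIZE=0|HISTSIZE=0|unset[[:space:]]+HISTFILE|set[[:space:]]+\+o[[:space:]]+history' "$1"
}

# verify_binary FILE EXPECTED_SHA256
# Exit status 0 only if the file's SHA-256 matches the known-good digest.
# Equal size, as compared in the thread, is not evidence of integrity.
verify_binary() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Usage (hypothetical): sh triage.sh /root/.bash_history /root/.bashrc /bin/bash <sha256>
if [ $# -ge 1 ]; then
    printf '%s: %s\n' "$1" "$(classify_history "$1")"
    if [ $# -ge 2 ] && history_disabled_in "$2"; then
        printf '%s: history disabled by shell startup file\n' "$2"
    fi
    if [ $# -ge 4 ]; then
        if verify_binary "$3" "$4"; then
            printf '%s: digest matches\n' "$3"
        else
            printf '%s: DIGEST MISMATCH\n' "$3"
        fi
    fi
fi
```

A "zero-length" result on its own is consistent with the tinkering the original poster describes; "devnull-symlink" or a hit from the startup-file check is much harder to explain innocently and, combined with a digest mismatch on bash, would be the point at which re-installing on principle stops being optional.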