[opensuse] Bash History
All, OpenSuSE 12.2: history | less showed some commands tonight, which I haven't entered, at least not at this time. Maybe some time ago. There's no cron job that could have executed them and I have found no script-recording that I've accidentally called. Some files were displayed with less. A script would rather not do that. When I logged out and in again, those commands were missing in history | less. last shows only my login and my IP. Couldn't find any clue in /var/log/messages. Furthermore, there was a gap. Those strange recent commands and commands from several months ago. Last months were missing. Is there any feasible explanation for this behavior? Was this box cracked? Thank you in advance. - Chris -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Chris wrote:
OpenSuSE 12.2: history | less showed some commands tonight, which I haven't entered, at least not at this time.
They were all executed exactly at the same time. It took only 1 second.
On 2016-10-04 22:41, Chris wrote:
All,
OpenSuSE 12.2: history | less showed some commands tonight, which I haven't entered, at least not at this time. Maybe some time ago. There's no cron job that could have executed them and I have found no script-recording that I've accidentally called. Some files were displayed with less. A script would rather not do that. When I logged out and in again, those commands were missing in history | less. last shows only my login and my IP. Couldn't find any clue in /var/log/messages. Furthermore, there was a gap. Those strange recent commands and commands from several months ago. Last months were missing. Is there any feasible explanation for this behavior? Was this box cracked?
I have found that history is not very reliable. Sometimes it gets entirely cleared out. It has to combine entries from all sessions; that is not simple. Commands in one session do not appear on others unless I relogin on both. I end by having a backup of the history file. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 10/04/2016 01:41 PM, Chris wrote:
Some files were displayed with less. A script would rather not do that.
But it does seem to be a habit of yours, no? If these are not preceded by ls commands or locate, or find, or a bunch of cd commands, then it would seem that whoever entered the less command knew exactly what they were looking for. If the file names were some obvious targets you might be suspicious, but if someone opens a shell and goes immediately to a less command it looks like someone with a lot of local knowledge. Question: how far back does your last command show? -- After all is said and done, more is said than done.
On 10/04/2016 02:08 PM, John Andersen wrote:
how far back does your last command show?
By that I mean type "last" in a console and hit enter. Also, what WERE the commands that were entered tonight which took less than a second? -- After all is said and done, more is said than done.
John Andersen wrote:
On 10/04/2016 02:08 PM, John Andersen wrote:
how far back does your last command show? by that I mean type "last" in a console and hit enter.
Since the beginning of this box, more than 3 years.
Also, what WERE the commands that were entered tonight which took less than a second?
He viewed inittab, firewall rules, pinged some hosts. This seems suspicious but it seems nothing was changed (or is it only hidden in kernel land?). He even executed shutdown -h now, but obviously this didn't happen. I think this is just an old log when a (former) co-worker was looking for an error, although I don't know why it appeared in such a strange way. - Chris
On 10/05/2016 10:14 AM, Chris wrote:
I think this is just an old log when a (former) co-worker was looking for an error, although I don't know why it appeared in such a strange way.
Sometimes those histories were wrap-around files. But this is the first time you've mentioned a former co-worker. Might have been nice to know that up front. You might want to look into changing the password on that former employee's account and set them to be no-login, AND you might want to delete any public keys in EVERY user's ~/.ssh/authorized_keys files that you do not recognize. As well as root's .ssh authorized_keys file, and your own. Remember that if I can slip my public key into your authorized_keys file, I can log in as you and never need to know your password. -- After all is said and done, more is said than done.
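The authorized_keys review suggested in the message above, as an added example that is not code from the thread: it lists every key that can log in to any account and filters out the ones already reviewed. It assumes sshd uses the default key file locations; the function names, the known-blobs file and the optional root prefix are hypothetical.

```shell
#!/bin/sh
# Added example: list every public key that can log in to an account so that
# unrecognized ones can be reviewed. Assumes the default AuthorizedKeysFile
# locations (~/.ssh/authorized_keys and ~/.ssh/authorized_keys2).

# list_keys PASSWD_FILE [ROOT_PREFIX]
# Prints: user <TAB> file:line <TAB> key-type <TAB> key-blob <TAB> comment
# ROOT_PREFIX is only for running against a mounted image or a test tree.
list_keys() {
    passwd_file=$1
    prefix=${2:-}
    # passwd fields: name, password, uid, gid, gecos, home, shell
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$home" ] || continue
        for f in "$prefix$home/.ssh/authorized_keys" \
                 "$prefix$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            awk -v user="$user" -v file="$f" '
                /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
                {
                    # Options (from=, command=) may precede the key type.
                    for (i = 1; i < NF; i++)
                        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
                            comment = ""
                            for (j = i + 2; j <= NF; j++)
                                comment = comment (j > i + 2 ? " " : "") $j
                            printf "%s\t%s:%d\t%s\t%s\t%s\n",
                                   user, file, NR, $i, $(i + 1), comment
                            next
                        }
                    # Anything else is reported rather than silently dropped.
                    printf "%s\t%s:%d\tUNPARSED\t-\t%s\n", user, file, NR, $0
                }' "$f"
        done
    done < "$passwd_file"
}

# unknown_keys KNOWN_BLOBS_FILE
# Filters list_keys output (stdin) down to keys whose blob is not in the
# reviewed list (one base64 blob per line). The match is on the blob, not the
# comment, because the comment is free text that anyone can set.
unknown_keys() {
    awk -F '\t' -v known="$1" '
        BEGIN { while ((getline line < known) > 0) ok[line] = 1 }
        !($4 in ok)'
}

# Typical run as root: list_keys /etc/passwd | unknown_keys /root/known_keys.txt
```

Accounts with a no-login shell are listed too, since a key left in place there still matters if the shell is ever changed back.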
participants (3): Carlos E. R., Chris, John Andersen