Zero-length .history file...
Hi. I posted this inquiry on LinuxQuestions.org as well, but I'm posting
it here, too, in hope of an early reply.
Yesterday I routinely ran chkrootkit, and received the warning
that root's bash.history file was zero-length. Since I would never
truncate that file knowingly, and since I've never encountered
this phenomenon before, I'm afraid this may mean that my system
has been cracked. Chkrootkit and rkhunter do not show anything
else amiss. Are there other useful tests I can run?
I'm running SUSE 9.2 Pro behind its iptables-based firewall.
Can anyone advise me on this? Many thanks, in advance
-Denis
Re: Zero-length .history file...
* "Rev. M.D. Lahey" <revmyo@yahoo.com>
| Yesterday I routinely ran chkrootkit, and received the warning that
| root's bash.history file was zero-length. Since I would never
| truncate that file knowingly, and since I've never encountered this
| phenomenon before, I'm afraid this may mean that my system has been
| cracked.
Is bash the regular root shell? Is the file writable? Does it have
some contents after you typed some commands as root and exit the
shell?
R'
Re: Zero-length .history file...
Ralf Fassel <ralfixx@gmx.de> writes:
> * "Rev. M.D. Lahey" <revmyo@yahoo.com>
> | Yesterday I routinely ran chkrootkit, and received the warning that
> | root's bash.history file was zero-length. Since I would never
> | truncate that file knowingly, and since I've never encountered this
> | phenomenon before, I'm afraid this may mean that my system has been
> | cracked.
>
> Is bash the regular root shell? Is the file writable? Does it have
> some contents after you typed some commands as root and exit the
> shell?
.... or did you play with HISTFILE or any other of the HIST*
environment variables (man bash for more) ?
--
Maurizio Loreti http://www.pd.infn.it/~loreti/mlo.html
Dept. of Physics, Univ. of Padova, Italy ROT13: ybergv@cq.vasa.vg
Re: Zero-length .history file...
Maurizio Loreti wrote:
> Ralf Fassel <ralfixx@gmx.de> writes:
>
>
>>* "Rev. M.D. Lahey" <revmyo@yahoo.com>
>>| Yesterday I routinely ran chkrootkit, and received the warning that
>>| root's bash.history file was zero-length. Since I would never
>>| truncate that file knowingly, and since I've never encountered this
>>| phenomenon before, I'm afraid this may mean that my system has been
>>| cracked.
>>
>>Is bash the regular root shell? Is the file writable? Does it have
>>some contents after you typed some commands as root and exit the
>>shell?
>
>
> ... or did you play with HISTFILE or any other of the HIST*
> environment variables (man bash for more) ?
>
Yes, bash is the regular root shell. The file began accumulating data
again immediately once I started issuing commands as root. And no, I
didn't fiddle with any of the environment variables. Weird, eh? Wish I
had installed tripwire, or something like that... :-(
-denis
Re: Zero-length .history file...
* "Rev. M.D. Lahey" <revmyo@yahoo.com>
| Yes, bash is the regular root shell. The file began accumulating
| data again immediately once I started issuing commands as root. And
| no, I didn't fiddle with any of the environment variables.
Some cron job cleaning up? Some fiddling with the limit on .history
length? If you're paranoid enough, backup the data and reinstall ;-)
R'
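
The checks suggested across this thread (state of the history file, HIST* settings, cron jobs that touch the file), collected into one read-only script. This is an added example, not code from any poster; the function name `triage_history`, the default file name `.bash_history` and the list of startup files are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage of an empty shell history file.
# Usage: triage_history HOME_DIR [HISTORY_NAME] [CRON_DIR...]
# HISTORY_NAME defaults to .bash_history (assumption: bash's default HISTFILE).
triage_history() {
    home=$1
    name=${2:-.bash_history}
    hist="$home/$name"
    shift
    [ $# -gt 0 ] && shift          # remaining arguments are cron directories

    # 1. State of the file itself: a symlink (e.g. to /dev/null), missing,
    #    zero-length, or normal.
    if [ -L "$hist" ]; then
        echo "SYMLINK: $hist -> $(readlink "$hist")"
    elif [ ! -e "$hist" ]; then
        echo "MISSING: $hist"
    elif [ ! -s "$hist" ]; then
        echo "EMPTY: $hist"
    else
        echo "OK: $hist has content"
    fi
    [ -e "$hist" ] && [ ! -w "$hist" ] && echo "NOT-WRITABLE: $hist"

    # 2. HIST* settings in startup/logout files. HISTFILESIZE=0 truncates the
    #    file; "history -c" / "history -w" in .bash_logout can empty it too.
    for rc in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" \
              "$home/.bash_logout"; do
        [ -f "$rc" ] || continue
        grep -HnE '(^|[^A-Za-z_])(HIST(FILE|SIZE|FILESIZE|CONTROL|IGNORE)=|unset +HIST|history +-[cw])' \
            "$rc" | sed 's/^/HIST-SETTING: /'
    done

    # 3. Cron entries that mention the history file by name.
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -rnF -- "$name" "$dir" 2>/dev/null | sed 's/^/CRON-REF: /'
    done
    return 0
}

# Demo on a constructed fixture (not a real root home directory).
demo=$(mktemp -d)
: > "$demo/.bash_history"
echo 'HISTFILESIZE=0' > "$demo/.bashrc"
triage_history "$demo"
rm -rf "$demo"
```

On a real system the call would look like `triage_history /root .bash_history /etc/cron.d /etc/cron.daily`, with the cron directories adjusted to the distribution.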