Zero-length .history file... - Security



  1. Zero-length .history file...

    Hi. I posted this inquiry on LinuxQuestions.org as well, but I'm posting
    it here, too, in hope of an early reply.

    Yesterday I routinely ran chkrootkit, and received the warning
    that root's bash.history file was zero-length. Since I would never
    truncate that file knowingly, and since I've never encountered
    this phenomenon before, I'm afraid this may mean that my system
    has been cracked. Chkrootkit and rkhunter do not show anything
    else amiss. Are there other useful tests I can run?

    I'm running SUSE 9.2 Pro behind its iptables-based firewall.

    Can anyone advise me on this? Many thanks, in advance

    -Denis

  2. Re: Zero-length .history file...

    * "Rev. M.D. Lahey"
    | Yesterday I routinely ran chkrootkit, and received the warning that
    | root's bash.history file was zero-length. Since I would never
    | truncate that file knowingly, and since I've never encountered this
    | phenomenon before, I'm afraid this may mean that my system has been
    | cracked.

    Is bash the regular root shell? Is the file writable? Does it have
    some contents after you typed some commands as root and exit the
    shell?

    R'

  3. Re: Zero-length .history file...

    Ralf Fassel writes:

    > * "Rev. M.D. Lahey"
    > | Yesterday I routinely ran chkrootkit, and received the warning that
    > | root's bash.history file was zero-length. Since I would never
    > | truncate that file knowingly, and since I've never encountered this
    > | phenomenon before, I'm afraid this may mean that my system has been
    > | cracked.
    >
    > Is bash the regular root shell? Is the file writable? Does it have
    > some contents after you typed some commands as root and exit the
    > shell?


    .... or did you play with HISTFILE or any other of the HIST*
    environment variables (man bash for more) ?

    --
    Maurizio Loreti http://www.pd.infn.it/~loreti/mlo.html
    Dept. of Physics, Univ. of Padova, Italy ROT13: ybergv@cq.vasa.vg

  4. Re: Zero-length .history file...

    Maurizio Loreti wrote:
    > Ralf Fassel writes:
    >
    >
    >>* "Rev. M.D. Lahey"
    >>| Yesterday I routinely ran chkrootkit, and received the warning that
    >>| root's bash.history file was zero-length. Since I would never
    >>| truncate that file knowingly, and since I've never encountered this
    >>| phenomenon before, I'm afraid this may mean that my system has been
    >>| cracked.
    >>
    >>Is bash the regular root shell? Is the file writable? Does it have
    >>some contents after you typed some commands as root and exit the
    >>shell?

    >
    >
    > ... or did you play with HISTFILE or any other of the HIST*
    > environment variables (man bash for more) ?
    >


    Yes, bash is the regular root shell. The file began accumulating data
    again immediately once I started issuing commands as root. And no, I
    didn't fiddle with any of the environment variables. Weird, eh? Wish I
    had installed tripwire, or something like that... :-(

    -denis

  5. Re: Zero-length .history file...

    * "Rev. M.D. Lahey"
    | Yes, bash is the regular root shell. The file began accumulating
    | data again immediately once I started issuing commands as root. And
    | no, I didn't fiddle with any of the environment variables.

    Some cron job cleaning up? Some fiddling with the limit on .history
    length? If you're paranoid enough, back up the data and reinstall ;-)

    R'
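
The checks raised across the replies above (is bash the login shell, is the file writable and empty, are HIST* variables set, does a cron job touch the file), collected into one script. This is an added example, not part of any poster's message; the function name `history_triage` and the paths in its usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). history_triage is a hypothetical helper.
# Usage: history_triage USER HISTFILE PASSWD_FILE [STARTUP_OR_CRON_PATH ...]
# e.g.:  history_triage root /root/.bash_history /etc/passwd \
#            /etc/profile /root/.bashrc /etc/crontab /etc/cron.d
# Prints one finding per line; the paths above are assumptions, adjust per system.
history_triage() {
    user=$1 hist=$2 passwd=$3
    shift 3

    # 1. Is bash this user's login shell? (7th field of the passwd entry)
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    case $shell in
        */bash) echo "shell: bash ($shell)" ;;
        *)      echo "shell: not bash (${shell:-no passwd entry})" ;;
    esac

    # 2. State of the history file itself.
    if [ ! -e "$hist" ]; then
        echo "file: missing"
    elif [ -s "$hist" ]; then
        echo "file: non-empty"
    else
        echo "file: zero-length"
    fi
    if [ -e "$hist" ] && [ ! -w "$hist" ]; then
        echo "file: not writable by $(id -un)"
    fi

    # 3. HIST* assignments in startup files, and
    # 4. cron jobs or scripts that mention the history file by name.
    name=$(basename "$hist")
    for path in "$@"; do
        [ -e "$path" ] || continue
        grep -rHnE 'HIST[A-Z]*=' "$path" 2>/dev/null | sed 's/^/hist-var: /'
        grep -rHnF -e "$name" "$path" 2>/dev/null | sed 's/^/reference: /'
    done
    return 0
}
```

A `hist-var:` or `reference:` line gives a benign explanation to rule out before treating the empty file as a sign of compromise.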
