.bash_history

  • .bash_history

    Hey again,

    Just out of curiosity, do most people here write the contents of .bash_history to another file hidden somewhere, so if someone were to break in and delete .bash_history, you would still have a back up of everything the intruder had done?

    Regards,

    Murriandious.

  • #2
    Originally posted by murriandious
    Hey again,

    Just out of curiosity, do most people here write the contents of .bash_history to another file hidden somewhere, so if someone were to break in and delete .bash_history, you would still have a back up of everything the intruder had done?

    Regards,

    Murriandious.

    What makes you think the attacker would use bash?
    perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'


    • #3
      Originally posted by Chris
      What makes you think the attacker would use bash?
      That's right. I believe that an attacker would be smart enough to use another smaller shell that doesn't use a history file, if he/she could.
      -- dev_zero@


      • #4
        Originally posted by murriandious
        Just out of curiosity, do most people here write the contents of .bash_history to another file hidden somewhere, so if someone were to break in and delete .bash_history, you would still have a back up of everything the intruder had done?
        Depends on the shell that's in use. By default bash doesn't, but you may want to do a search for bash-bofh for more info.

        Personally, I wouldn't rely on .bash_history for anything resembling an accurate log of an intruder's movements on a box. It's too obvious, too easily edited.


        • #5
          Originally posted by skroo
          Depends on the shell that's in use. By default bash doesn't, but you may want to do a search for bash-bofh for more info.

          Personally, I wouldn't rely on .bash_history for anything resembling an accurate log of an intruder's movements on a box. It's too obvious, too easily edited.
          Or linked to /dev/null, etc. You can use the attrib command to make it append only, but if an intruder has root then it is a moot point, it will only help if they are stupid. Some interesting things _can_ be found in a .bash_history file, but mostly it is no help in doing forensics, etc. because the intruder will either use a different shell or not be logging in as someone. For keeping an eye on a non-root user, it can be useful however.

          I have done pentests where interesting info was in a .bash_history file however.. (names of other boxes, scripts, etc.)
          Happiness is a belt-fed weapon.
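
The history-file states raised in this thread (deleted, emptied, linked to /dev/null, marked append-only), as an added triage script that is not part of any post. The function names and the one-directory-per-user layout are assumptions, the sample tree is constructed, and the append-only attribute is read with `lsattr` where the filesystem supports it.

```shell
#!/bin/sh
# Added example (not from the thread): triage the state of shell history files.
# A finding is a hint for the investigator, not proof of an intrusion.

# Print one state word for a single history file.
history_state() {
    f=$1
    if [ -L "$f" ]; then
        # A symlink discards or redirects everything the shell writes.
        if [ "$(readlink "$f")" = "/dev/null" ]; then
            echo SYMLINK_DEVNULL
        else
            echo SYMLINK_OTHER
        fi
    elif [ ! -e "$f" ]; then
        echo MISSING            # deleted, or the account never ran bash
    elif [ ! -s "$f" ]; then
        echo EMPTY              # truncated, or history disabled
    elif lsattr -d "$f" 2>/dev/null | cut -d' ' -f1 | grep -q a; then
        echo APPEND_ONLY        # 'a' attribute set; root can still clear it
    else
        echo PRESENT            # ordinary file: editable by its owner
    fi
}

# Report every <base>/<user>/.bash_history as "STATE path".
audit_homes() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        f="${home}.bash_history"
        printf '%s %s\n' "$(history_state "$f")" "$f"
    done
}

# Constructed sample tree covering the cases raised in the thread.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/alice" "$d/bob" "$d/carol" "$d/dave"
    printf 'ls\nwhoami\n' > "$d/alice/.bash_history"
    ln -s /dev/null "$d/bob/.bash_history"
    : > "$d/carol/.bash_history"
    echo "$d"                   # dave has no history file at all
}

# Usage: sh audit.sh /home
if [ "$#" -gt 0 ]; then audit_homes "$1"; fi
```

Run it from a scheduled job and compare the output against the previous run; a state change on an account that is in use is what deserves a look.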


          • #6
            I know they would not use bash.
            I am more worried about the budding script-kiddie breaking in. If they break in I want to know what they have done, as they seem to be the ones who make a mess of your machine. If someone who knew what they were doing broke in, I doubt I would even know it happened. Sorry, I should have explained this in the first post.

            Regards,

            Murriandious.


            • #7
              Originally posted by murriandious
              I know they would not use bash.
              I am more worried about the budding script-kiddie breaking in. If they break in I want to know what they have done, as they seem to be the ones who make a mess of your machine. If someone who knew what they were doing broke in, I doubt I would even know it happened. Sorry, I should have explained this in the first post.

              Regards,

              Murriandious.
              Then as skroo and chris said, .bash_history will do you no good. Perhaps something like Tripwire would be better suited for your needs.
              Happiness is a belt-fed weapon.


              • #8
                There are substantially better ways to keep track of the activities of users on the system than relying on the shell to do it, specifically ones that function at the kernel level like process accounting.
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                [ redacted ]


                • #9
                  Originally posted by murriandious
                  I know they would not use bash.
                  I am more worried about the budding script-kiddie breaking in. If they break in I want to know what they have done, as they seem to be the ones who make a mess of your machine. If someone who knew what they were doing broke in, I doubt I would even know it happened. Sorry, I should have explained this in the first post.

                  Regards,

                  Murriandious.
                  Hey! Is it October already? Somebody roll over and hit the snooze bar on the bullshit alarm, it's too early to deal with kiddies...
                  That's my story and I'm sticking to it.


                  • #10
                    Yes yes, I am a pathetic kiddie and always will be, sorry for wasting everyone's time, don't worry, I won't be posting here again.

                    Sorry again.

                    Regards,

                    Murriandious


                    • #11
                      Originally posted by murriandious
                      Yes yes, I am a pathetic kiddie and always will be, sorry for wasting everyone's time, don't worry, I won't be posting here again.

                      Sorry again.

                      Regards,

                      Murriandious

                      I don't think ndex was referring to you.. just kiddies in general. Don't take it personally.
                      Happiness is a belt-fed weapon.
