
Re: Am I infected with a rootkit?



<tomas@tuxteam.de> wrote:
> On Tue, Apr 18, 2023 at 05:29:43AM +0000, David wrote:
> > On Tue, 18 Apr 2023 at 04:42, David Wright
> > <deblis@lionunicorn.co.uk> wrote: 
> > > There is an option to timestamp entries in the history file. I've
> > > never used it, nor heard of its being used. That might
> > > disambiguate things if you ever suspect it might happen again.  
> > 
> > Hi, on my machines I use Bash as interactive
> > shell, with:
> > HISTTIMEFORMAT=': %Y%m%d_%H%M%S ; '
> > 
> > That provides a couple of benefits:
> > 
> > 1) it writes a commented Unix timestamp with
> > each addition to the ~/.bash_history file, so that
> > the history file not only logs what commands were
> > run interactively, but also when.
> > 
> > 2) when I run the 'history' command, the output
> > is formatted like this:
> > 501  : 20230418_151124 ; help history
> > 502  : 20230418_151406 ; env
> > 503  : 20230418_151749 ; history
> > The colon and semicolon allow the timestamp
> > to function as a no-operation command.  
> 
> At least in bash, this doesn't seem necessary, as you are
> only seeing an external representation: internally, bash
> keeps the timestamp separate (as happens to the seq number,
> too).
> 
> In the external file, the timestamps are kept as #-comments
> in separate lines (with the UNIX timestamps in them).

bash seems to treat root and a normal user differently.

> > That means that history expansion
> > can still function, for example entering !502
> > interactively will run line number 502, but
> > only the 'env' that comes after the semicolon
> > will have any effect.  
> 
> I tried it out, and this also works with a "naked" timestamp,
> without the : ... ; wrapping.
> 
> Caveat: I only tried with bash.
> 
> Cheers
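
Added example, not written by anyone in this thread: a small parser for the on-disk layout described above (a "#<epoch>" comment line before each command), which rebuilds a timeline and flags stamped entries that are older than the one before them. The sample content is constructed; the script assumes that all lines between two timestamp lines form one entry, and it renders times in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from the thread): "#<epoch>" line, then the command.
SAMPLE = """\
ls -la
#1681830684
help history
#1681830846
env
#1681830700
echo 'first line
second line'
#1681831069
history
"""
TS_LINE = re.compile(r"^#(\d+)$")

def parse_history(text):  # -> [(epoch or None, command)]
    entries, buf, ts, stamped = [], [], None, False
    def flush():
        if buf:
            entries.append((ts, "\n".join(buf)))
            buf.clear()
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            flush()
            ts, stamped = int(m.group(1)), True
        elif stamped:
            buf.append(line)  # assumption: lines up to the next stamp are one entry
        else:
            entries.append((None, line))  # written before timestamps were enabled
    flush()
    return entries

def out_of_order(entries):  # stamped entries older than the stamped entry before them
    flagged, last = [], None
    for ts, cmd in entries:
        if ts is not None:
            if last is not None and ts < last:
                flagged.append((ts, cmd))
            last = ts
    return flagged

def fmt(ts):  # same layout as the %Y%m%d_%H%M%S format quoted above, in UTC
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y%m%d_%H%M%S") if ts else "-"

if __name__ == "__main__":
    for ts, cmd in parse_history(SAMPLE):
        print(fmt(ts), cmd.replace("\n", "\\n"))
```

An out-of-order entry is not proof of tampering: several shells appending to the same file or a clock change produce the same pattern, so treat it as a prompt to look closer.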

