
Re: bash_history from Cracked Computer



That's an awesome trail your cracker left there...!

Does anyone know what 'anatomy' and 'kofd/kod' are? Perhaps the source
is still on the machine in /root/.dead/home/.dead/dead/ (or something
like that).

It looks like he was performing port scans from your machine (./pscan IP
PORT entries). Don't know what './b' might be.

It might also be useful/fun to do a reverse DNS lookup on the IP addresses
that appear throughout this log. The first one is a traceroute to 193.254.35.18:

$ nslookup 193.254.35.18

Name:  dial03-ot0.logicnet.ro
Address: 193.254.35.18

(.ro is Romania)

It's unusual that he did a 'cat .bash_history', but didn't delete it.
Maybe it's a forgery?

Comments, people?

> "Dzuy M. Nguyen" wrote:
> 
> Can someone help me figure out this "/.bash_history" from my
> computer that someone cracked into and did some damage.
> 
> I'll probably re-install the box, but I'd like to see what they did
> before I destroy it.  I've attached the "/.bash_history".
> 
> Dzuy
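
The reverse-DNS pass suggested in the reply above, as an added example that is not part of the original post: it pulls every valid IPv4 address out of a shell history, records which commands referenced it, and looks up each PTR name. The history lines are constructed for illustration (only the traceroute target comes from the post), and the function names are this example's own.

```python
import ipaddress
import re
import socket
from collections import OrderedDict

# Constructed sample history; only the traceroute target appears in the post.
SAMPLE_HISTORY = """\
traceroute 193.254.35.18
cd /tmp
./pscan 192.0.2.10 23
./pscan 192.0.2.10 111
ping -c 1 198.51.100.7
cat .bash_history
wget ftp://203.0.113.5/kit-1.2.3.4567.tgz
"""

# Dotted quad not glued to other digits or dots (skips version-like strings).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ips(history_text):
    """Map each valid IPv4 address to the commands that used it, in first-seen order."""
    seen = OrderedDict()
    for line in history_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(candidate)  # rejects octets above 255
            except ValueError:
                continue
            cmds = seen.setdefault(candidate, [])
            if parts[0] not in cmds:
                cmds.append(parts[0])
    return seen

def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return the PTR name for ip, or None when there is no record or the lookup fails."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None

if __name__ == "__main__":
    for ip, cmds in extract_ips(SAMPLE_HISTORY).items():
        print(f"{ip:<16} {reverse_lookup(ip) or '(no PTR)':<32} {', '.join(cmds)}")
```

Run it on a copy of the history from a separate analysis machine, since the resolver on a compromised host cannot be trusted.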

