Something Bad Has Happened



I noticed my root bash history is only 68 lines; it used to be 500. My first reaction was it has been deleted (and not by me).

edit added later//

I accidentally ran this script in my root home directory, but this should not have deleted any hidden files

 for i in *; do if [ -f "$i" ]; then echo "$i"; fi; done

Edited by shanenin
I'm a "linux expert" (kinda), but am not really sure where to start looking. I did run this command, 'last', to show last logins. I did not see anything like a remote login.


I know you're probably running your Gentoo box behind some kind of firewall. Are you seeing any other indications that you may have been compromised?

I used to run an apache server out of my house, but, it got hacked. I ran a web server back when I started using Linux. Good luck, shanenin!! :thumbsup:

I also hate that feeling that you've been hacked.


I think I must have done something dumb. Looking at my history, it shows I was cleaning stuff out of my home directory. I had some stuff owned by root, so I was running as root. If you notice the command fileclean, that was that for statement I was using to delete all non-directories. Here is where my history must have gotten deleted

mainbox root # history
   1  cfdisk
   2  fileclean
   3  ls /home/shane
   4  ls
   5  nano /home/shane/bin/fileclean
   6  fileclean
   7  ls /home/shane
   8  fileclean
   9  ls
  10  rm -rf {7,bash*,clean,elec*newfi*,pad*,pass*,phone*,soprano*,test/*,te~}
  11  ls
  12  rm -rf {7,bash*,clean,elec*,newfi*,pad*,pass*,phone*,soprano*,test/*,te~}
  13  ls
  14  rm sopanos-season2/
  15  rm -rf sopanos-season2/


I haven't used cfdisk; I use fdisk when I partition my HD for Slackware. With cfdisk were you using that to partition your HD or delete files?

I was just wanting to look at my disk partitions, so I ran cfdisk. I did not do anything else with it.


Right. I've done that with fdisk too.

Maybe some of the uber users like iccaros or jcl can help you figure out what file you've taken out with rm that might have caused this behavior.

Is iccaros still around? I haven't been around too much with holidays. It's good to be home. :D

iccaros seems like a really busy guy. I would guess he is going about 100 different things in his life. I am sure he will be back.


He certainly is! Last I heard he was completing a college programming course and of course working on his distro. He is a hard worker indeed.

  • 2 weeks later...

The only thing I can think is your .bash_history was deleted when you did rm -rf bash*... but it's twice in your history still... so that truly rules that out.

look in /var/log/everything/current

see if you find anything.

Edited by iccaros
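
Added example, not part of any post in this thread: a sandboxed check of whether the `for i in *` loop or the `rm -rf bash*` pattern from the history can match a hidden file such as .bash_history. By default a shell glob matches a leading dot only when the pattern spells it out. The directory and file names are constructed sample data.

```shell
#!/bin/sh
# Added example: do the globs from the thread ever match a dotfile such as
# .bash_history? All file names below are constructed sample data.

# Build a throwaway directory that mimics a home dir with hidden and plain files.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/.bash_history"
    : > "$dir/.bashrc"
    : > "$dir/bash_notes.txt"
    : > "$dir/phone list.txt"      # name with a space, to exercise quoting
    mkdir "$dir/test"
    printf '%s\n' "$dir"
}

# Same loop as the post (with "$i" quoted): what `*` would hand to a cleanup.
list_star_files() {
    ( cd "$1" || exit 1
      for i in *; do
          if [ -f "$i" ]; then echo "$i"; fi
      done )
}

# Expand bash* the way `rm -rf bash*` would, without deleting anything.
list_bash_glob() {
    ( cd "$1" || exit 1
      for i in bash*; do
          if [ -e "$i" ]; then echo "$i"; fi
      done )
}

# Run rm -rf bash* inside the sandbox only; report whether the history file survived.
history_survives_rm() {
    ( cd "$1" || exit 1
      rm -rf bash*
      if [ -f .bash_history ]; then echo yes; else echo no; fi )
}

sandbox=$(make_sandbox)
echo "files matched by *:";     list_star_files "$sandbox"
echo "files matched by bash*:"; list_bash_glob "$sandbox"
echo "history survives rm -rf bash*: $(history_survives_rm "$sandbox")"
rm -rf "$sandbox"
```
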