LinuxQuestions.org
Old 03-31-2014, 10:37 PM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 687

Rep: Reputation: Disabled
Modify this history of a user


Hi,

Previously, I contracted someone on oDesk (a website that links IT contractors and clients) to do some work. He was competent, professional, and I believe trustworthy.

Since then, I read and researched, and built a server to the best of my abilities. The server is purely for education purposes, and I don't have anything valuable on it. I contacted the individual described above and asked him to review my server configuration, and give me a critique of the SOP I used to create it. After I gave him my IP and root username, I saw that he logged on, but don't know whether he did anything. Several hours later, he contacted me and indicated that he would not be able to proceed now and in the foreseeable future due to Internet problems (he lives in Ukraine which might explain some of those problems).

Afterwards, I deleted the normal username I gave him as I set my server up to prevent ssh'ing as root.

Later I started to question my judgement. The individual gave me no reasons to be concerned and has excellent ratings on oDesk, but I do not personally know him. And while the Linux server had no valuable information on it, I do have a Windows client on my LAN which has personnel information on it.

So, when I got home, I logged on as my normal user, and su to root. I then did a history command, and saw no suspicious behavior.

Questions.
  • Is history for root the same no matter how they originally logged on?
  • Is it possible for someone to delete or modify their history?
  • Could they have done anything to compromise my Windows PC?
  • Any investigatory steps I should take?

Thank you
 
Old 04-01-2014, 01:15 AM   #2
bcwagne
Member
 
Registered: Feb 2008
Distribution: Debian Testing, OSX
Posts: 164

Rep: Reputation: 32
I realize your server is just for fun, and nothing is installed on it, but giving anyone but the administrator (in this case, you) root access to your machine is just a generally bad idea, even if you KNOW them. Giving it to someone you DON'T KNOW is pretty ridiculous. Not to mention he's apparently from Ukraine, which is a hotbed for botnets and malware. I'm not saying he did anything, but if he wanted to, you wouldn't be able to find out much. It's quite easy to turn off command logging for a time (like when first logging in), and just as easy to turn it back on later.

Here are a couple of links for interesting discussion about the history command:
http://www.linuxquestions.org/questi...ecuted-817122/
http://www.tecmint.com/history-command-examples/

Some steps I might take just to investigate would be:
-Checking the history of root.
-Checking the history of whatever username you gave him, if possible.
-Checking system and network logs to see if there is any especially unusual system activity or traffic, such as a dramatic increase in system resource use, more than normal network traffic, strange domain names or addresses, processes running that shouldn't be, etc.
-Installing a rootkit detector/anti-malware/etc.

I wouldn't deign to dictate your user policy, but here are a few generally good ideas:
-Allow only enough access to users to let them get their job done. Anything else is another avenue for potential attack.
-Don't give users root access. Just--don't.
-Make sure your firewalls, etc. are properly set up and configured. Don't make them optional.
-Disallow root login over ssh, or even disallow ANY login over ssh, if it's not something you need.

Okay, so I realize I probably blew this WAY out of proportion, and it's likely nothing bad happened, but I have a bad habit of paranoia about such things. It gets me into trouble sometimes.
 
1 members found this post helpful.
Old 04-01-2014, 01:49 AM   #3
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,203

Rep: Reputation: 2675
Quote:
Originally Posted by NotionCommotion
Questions.
  • Is history for root the same no matter how they originally logged on?
  • Is it possible for someone to delete or modify their history?
  • Could they have done anything to compromise my Windows PC?
  • Any investigatory steps I should take?

Thank you
1. history can be altered by root, so usually the same, but probably not
2. yes, possible
3. yes, that could happen
4. reinstall
 
1 members found this post helpful.
Old 04-01-2014, 04:01 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,356

Rep: Reputation: 2367
If you're at all worried (& you probably should be), you should re-install all your systems....
Some may find that paranoid; YMMV.
 
1 members found this post helpful.
Old 04-01-2014, 05:17 AM   #5
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 687

Original Poster
Rep: Reputation: Disabled
Thank you all,

As I indicated, I deleted the normal user, so ~/.bash_history, so I can't check the specific user.

My intention all along was to re-install the Linux box. I guess I get to spend a few hours re-installing two Windows PCs today. I have a TV on the network as well. I think I will resign that it is okay.
 
Old 04-01-2014, 06:25 AM   #6
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,203

Rep: Reputation: 2675
You can press YES if you really want to say thanks.
You can use the command last to check logins, probably you can catch some related info.... If you really want to analyze try to save logs before reinstall.
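
The advice in posts #2 and #6 (check logins with last, review the auth logs, save logs before reinstalling) can be scripted as below. This is an added example, not part of any poster's reply; the file paths are common distribution defaults and the account name passed to `sessions_for_user` is whatever login was handed out (assumptions, not details from the thread).

```shell
#!/usr/bin/env bash
# Added example: copy login records, auth logs and shell histories out of a
# system (or a mounted disk) before reinstalling, with a hash manifest.
# Paths are common defaults; which ones exist depends on the distribution.

preserve_logs() {
    local root="${1:-/}" out="$2" rel f
    root="${root%/}"
    mkdir -p "$out/files" || return 1
    # wtmp/btmp/lastlog feed `last`/`lastb`/`lastlog`; auth.log is Debian,
    # secure is RHEL/CentOS; histories of root and of remaining users.
    for f in "$root"/var/log/wtmp "$root"/var/log/btmp "$root"/var/log/lastlog \
             "$root"/var/log/auth.log "$root"/var/log/secure \
             "$root"/root/.bash_history "$root"/home/*/.bash_history; do
        [ -e "$f" ] || continue
        rel="${f#"$root"/}"
        mkdir -p "$out/files/$(dirname "$rel")"
        cp -p "$f" "$out/files/$rel"   # -p keeps mtimes for timeline work
    done
    # Readable login list from the copied wtmp, when `last` is installed.
    if command -v last >/dev/null 2>&1 && [ -s "$out/files/var/log/wtmp" ]; then
        last -f "$out/files/var/log/wtmp" > "$out/last.txt" 2>/dev/null || true
    fi
    # Manifest lets the copy be verified after it leaves the machine.
    ( cd "$out/files" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$out/SHA256SUMS"
}

# Print sshd logins and su/sudo sessions opened for root by one account,
# taken from the saved auth logs.
sessions_for_user() {
    local out="$1" user="$2" f
    for f in "$out/files/var/log/auth.log" "$out/files/var/log/secure"; do
        [ -f "$f" ] || continue
        grep -E "sshd\[[0-9]+\]: Accepted [^ ]+ for $user from |session opened for user root by $user\(" "$f" || true
    done
}
```

Run `preserve_logs / /path/to/external/media` as root, then move the output off the machine; because these logs are written by sshd and PAM rather than by the user's shell, they still show when the deleted account logged in and switched to root even though its ~/.bash_history is gone.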
 
  

