need someone to look into this bash history

bytez · 10-16-2006, 12:07 PM

I submitted a ticket to support in regards to an iptables problem. After he had closed the ticket, I checked the .bash_history file and I was shocked.

It seems like the tech don't know basic linux commands, why in the world is he using backslashes? And he did rm -rf \\/ rm -rf \\ for what reason?

I don't know what he is trying to do!

What could you guys make out of this?

Code:

vi /etc/sysconfig/iptables
ls
mkdir \
mkdir \\
ls
cd \\/
cd ..
cd \/
cd \\
chmod 777 \\/
cd
 chmod 777 \\/
ls
ls -l
rm -rf \\/
touch \\
chmod 777 \\
ls
cd /
cd
cd \\
cd \\\
rm -rf \\
lsd
ls
vi /etc/sysconfig/iptables
ifconfig|grep 63.246.x.x
vi /etc/apf/conf.apf
iptables -F
iptables -F
/etc/init.d/iptables save
iptables -L
apf -r
iptables -L
vi /etc/sysconfig/iptables

usaf_sp · 10-16-2006, 12:45 PM

vi is a text editor. It looks like he edited the iptables file manually.

It is possible that he saved a backup of the iptables while using the text editor and tried to remove it or something like it.

He probably had problems with permissions and tried to force the removal, but I am unsure why he used the -r switch (-r means recursive)

using \\ does not make sense.

touch' changes the access and/or modification times of the specified
files.

The iptables -F command flushes or deletes all rules in a chain.

You are probably right about not knowing basic linux syntax.

You should check to make sure that your firewall is not allowing unauthorized access.

If you are unsure what a command does, you can simply use the info and man commands to get an explanation. Example:

info iptables
man iptables

cs-cam · 10-16-2006, 06:57 PM

Depending on your setup with support, the tech may have been using a web based system to access your machine in which case the extra backslashes may be the by-product of overly escape-happy web app.

bytez · 10-16-2006, 07:37 PM

will rm -rf / remove all files on the server?

this tech could've done a lot of damage.

cs-cam · 10-16-2006, 08:17 PM

Yes but were all the files on the server removed? I'd be betting that chances are he didn't access the server using regular ssh and the history isn't 100% accurate. The history also shows him running touch, chmod and mkdir without valid arguments, he didn't run rm -rf / so I wouldn't stress.

trickykid · 10-16-2006, 09:14 PM

Let this be a lesson, don't trust tech support to handle issues you can probably handle on your own. Is this your own server or I'm assuming a rented dedicated type host provider your using?

usaf_sp · 10-16-2006, 10:00 PM

The proper death command is:

rm /* -rf

I learned this the hard way. I was trying to clean my /tmp folder and forgot to put tmp into the path. LOL I really messed things up.

bytez · 10-16-2006, 10:26 PM

Quote:

Originally Posted by cs-cam

Yes but were all the files on the server removed? I'd be betting that chances are he didn't access the server using regular ssh and the history isn't 100% accurate. The history also shows him running touch, chmod and mkdir without valid arguments, he didn't run rm -rf / so I wouldn't stress.

Thankfully not. Hmm, so why did some commands get logged in the history and some not? Is there any way to log all commands issued by ssh? I noticed some commands I issued don't get logged into the .bash_history file.

Yes, it's a rented dedicated server used to host some websites.