LinuxQuestions.org


NotionCommotion 03-31-2014 10:37 PM

Modify this history of a user
 
Hi,

Previously, I contracted someone on oDesk (a website that links IT contractors and clients) to do some work. He was competent, professional, and I believe trustworthy.

Since then, I read and researched, and built a server to the best of my abilities. The server is purely for education purposes, and I don't have anything valuable on it. I contacted the individual described above and asked him to review my server configuration, and give me a critique of the SOP I used to create it. After I gave him my IP and root username, I saw that he logged on, but don't know whether he did anything. Several hours later, he contacted me and indicated that he would not be able to proceed now and in the foreseeable future due to Internet problems (he lives in Ukraine which might explain some of those problems).

Afterwards, I deleted the normal username I gave him as I set my server up to prevent ssh'ing as root.

Later I started to question my judgement. The individual gave me no reasons to be concerned and has excellent ratings on oDesk, but I do not personally know him. And while the Linux server had no valuable information on it, I do have a Windows client on my LAN which has personnel information on it.

So, when I got home, I logged on as my normal user, and su'd to root. I then did a history command, and saw no suspicious behavior.

Questions.
  • Is history for root the same no matter how they originally logged on?
  • Is it possible for someone to delete or modify their history?
  • Could they have done anything to compromise my Windows PC?
  • Any investigatory steps I should take?

Thank you

bcwagne 04-01-2014 01:15 AM

I realize your server is just for fun, and nothing is installed on it, but giving anyone but the administrator (in this case, you) root access to your machine is just a generally bad idea, even if you KNOW them. Giving it to someone you DON'T KNOW is pretty ridiculous. Not to mention he's apparently from Ukraine, which is a hotbed for botnets and malware. I'm not saying he did anything, but if he wanted to, you wouldn't be able to find out much. It's quite easy to turn off command logging for a time (like when first logging in), and just as easy to turn it back on later.

Here are a couple of links for interesting discussion about the history command:
http://www.linuxquestions.org/questi...ecuted-817122/
http://www.tecmint.com/history-command-examples/

Some steps I might take just to investigate would be:
-Checking the history of root.
-Checking the history of whatever username you gave him, if possible.
-Checking system and network logs to see if there is any especially unusual system activity or traffic, such as a dramatic increase in system resource use, more than normal network traffic, strange domain names or addresses, processes running that shouldn't be, etc.
-Installing a rootkit detector/anti-malware/etc.

I wouldn't deign to dictate your user policy, but here are a few generally good ideas:
-Allow only enough access to users to let them get their job done. Anything else is another avenue for potential attack.
-Don't give users root access. Just--don't.
-Make sure your firewalls, etc. are properly set up and configured. Don't make them optional.
-Disallow root login over ssh, or even disallow ANY login over ssh, if it's not something you need.

Okay, so I realize I probably blew this WAY out of proportion, and it's likely nothing bad happened, but I have a bad habit of paranoia about such things. It gets me into trouble sometimes.
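An added example, not part of any post in this thread: shell history is written by the shell itself, while sshd and su record logins and root escalations in the auth log (`/var/log/secure` or `/var/log/auth.log`, depending on the distribution), so that log is a second place to look. The account name `contractor`, the host name and the addresses below are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example. Host "srv", the accounts, and the IPs (documentation
# ranges) in sample_log are constructed data, not taken from the thread.

sample_log() {
cat <<'EOF'
Mar 31 18:02:11 srv sshd[2211]: Accepted password for contractor from 203.0.113.45 port 51234 ssh2
Mar 31 18:02:11 srv sshd[2211]: pam_unix(sshd:session): session opened for user contractor by (uid=0)
Mar 31 18:03:40 srv su: pam_unix(su:session): session opened for user root by contractor(uid=1001)
Mar 31 18:41:02 srv su: pam_unix(su:session): session closed for user root
Mar 31 18:41:05 srv sshd[2211]: pam_unix(sshd:session): session closed for user contractor
Mar 31 21:15:09 srv sshd[2950]: Accepted publickey for admin from 192.0.2.10 port 40022 ssh2
EOF
}

# Print SSH logins and su-to-root events for one account.
# Usage: session_events ACCOUNT LOGFILE
session_events() {
    awk -v u="$1" '
        # sshd: "Accepted <method> for <user> from <ip> port <n> ssh2"
        $5 ~ /^sshd/ && $6 == "Accepted" && $9 == u {
            printf "%s %s %s ssh-login method=%s from=%s\n", $1, $2, $3, $7, $11
        }
        # su: "session opened for user root by <user>(uid=N)"
        ($5 == "su:" || $5 ~ /^su\[/) && /session opened for user root by / {
            by = $NF
            sub(/\(uid=[0-9]+\)$/, "", by)   # strip the trailing (uid=N)
            if (by == u) printf "%s %s %s su-to-root\n", $1, $2, $3
        }
    ' "$2"
}

# Demo on the constructed log; on a real host pass the auth log path instead.
log=$(mktemp)
sample_log > "$log"
session_events contractor "$log"
rm -f "$log"
```

These entries survive deletion of the user account and its home directory, but root can edit them too, so an empty result is not proof that nothing happened.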

pan64 04-01-2014 01:49 AM

Quote:

Originally Posted by NotionCommotion (Post 5144495)
Questions.
  • Is history for root the same no matter how they originally logged on?
  • Is it possible for someone to delete or modify their history?
  • Could they have done anything to compromise my Windows PC?
  • Any investigatory steps I should take?

Thank you

1. history can be altered by root, so usually the same, but probably not
2. yes, possible
3. yes, that could happen
4. reinstall

chrism01 04-01-2014 04:01 AM

If you're at all worried (& you probably should be), you should re-install all your systems....
Some may find that paranoid; YMMV.

NotionCommotion 04-01-2014 05:17 AM

Thank you all,

As I indicated, I deleted the normal user, and so its ~/.bash_history, so I can't check the specific user.

My intention all along was to re-install the Linux box. I guess I get to spend a few hours re-installing two Windows PCs today :( I have a TV on the network as well. I think I will resign myself to it being okay.

pan64 04-01-2014 06:25 AM

You can press YES if you really want to say thanks.
You can use the command last to check logins; you can probably catch some related info. If you really want to analyze, try to save the logs before reinstalling.
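An added example, not part of the post above: one way to follow the advice to run `last` and save the logs before reinstalling, with a hash manifest so the copy can be checked later. The function names and the output layout are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: copy logs and login records aside, with a hash manifest,
# before the disk is wiped. Function names and layout are illustrative.

# Usage: preserve_evidence LOG_DIR OUT_DIR [WTMP_FILE]
#   e.g. preserve_evidence /var/log /path/to/external/disk/case
preserve_evidence() {
    local src out wtmp
    src=$1
    out=$2
    wtmp=${3:-/var/log/wtmp}

    mkdir -p "$out/logs" || return 1
    # -a keeps timestamps and modes, which matter when building a timeline
    cp -a "$src/." "$out/logs/" || return 1

    # wtmp is a binary file: decode it to text while the tool is at hand.
    # -F prints full login/logout times, -f selects the file to read.
    if command -v last >/dev/null 2>&1 && [ -r "$wtmp" ]; then
        last -F -f "$wtmp" > "$out/last.txt" 2>/dev/null || true
    fi

    # Hash every saved file so later changes to the copy are detectable
    ( cd "$out" &&
      find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + |
      sort -k2 > MANIFEST.sha256 )
}

# Returns 0 only if every saved file still matches the manifest.
verify_evidence() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null )
}
```

Write the output to media that will not be wiped by the reinstall, and read the saved logs from a different machine.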


All times are GMT -5.