I have a recently installed Ubuntu Karmic with standard packages. I enabled automatic security updates and manually updated every package once. I have the root account enabled. At ~1am GMT my .bash_history file for the root account has been truncated to zero. I think the PC may have crashed (no keyboard, mouse, etc, but still some HD activity) at around this time. The disk isn't full, but this is a fresh install, I do not have direct net access (NAT) and I have only visited a limited number of web sites.
Can anyone think of innocuous reasons this would happen?
Last edited by boblikeslinux; 02-09-2010 at 02:17 PM.
No, searched your syslogs and auth records for any anomalies? Are there any ~/.bash* configuration files (say the ~/.bash_log* ones) that include a "cleanup" line?
There are no cleanup lines, and it doesn't seem like something they would make updating packages do.
Yet, it's so unlikely to have been hacked with such limited exposure to the net. And for someone who hacked it with that limited exposure to be clumsy enough to truncate the .bash_history instead of just disabling their session history? That also seems weird...
Quote:
Yet, it's so unlikely to have been hacked with such limited exposure to the net. And for someone who hacked it with that limited exposure to be clumsy enough to truncate the .bash_history instead of just disabling their session history? That also seems weird...
I'd rather deal with facts than the chance of something being "likely" or "unlikely". Does "env | grep HIST" show any HISTFILESIZE, HISTSIZE and HISTIGNORE environment variables perhaps?
Quote:
I'd rather deal with facts than the chance of something being "likely" or "unlikely". Does "env | grep HIST" show any HISTFILESIZE, HISTSIZE and HISTIGNORE environment variables perhaps?
No history stuff. My bash history is once again collecting normally, it didn't stay a zero size file.
Quote:
Originally Posted by chrism01
Can you check /var/log/messages, dmesg to see if your system did in fact crash/reboot?
The only activity around that time is:
Feb 9 01:05:45 box kernel: Kernel logging (proc) stopped.
Feb 9 01:05:45 box rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="513" x-info="http://www.rsyslog.com"] exiting on signal 15.
It's about the time I stopped using the system. The history file was truncated at 1:05 am too. I can't remember if the system crashed or I shut it down (yesterday the OS was in a different box which is prone to crashing) but it does closely match the time I went to bed.
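
The two checks suggested in this thread (looking for history-related settings in the shell startup files, and comparing the truncation time with the shutdown messages in the syslog), as an added shell example that is not part of any post above. It assumes GNU stat and date; the function names and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat/date and classic
# "Mon DD HH:MM:SS" syslog timestamps (no year, so the current year is assumed).

# List startup-file lines that can shrink, disable or overwrite history.
history_tamper_lines() {
  grep -nHE 'HIST(FILE|FILESIZE|SIZE|IGNORE|CONTROL)=|unset[[:space:]]+HISTFILE|history[[:space:]]+-c|>[[:space:]]*[^[:space:]]*bash_history' "$@" 2>/dev/null
}

# Print "<delta_seconds> <log line>" for each syslog stop marker that lies
# within $3 seconds (default 120) of the history file's modification time.
# delta is history mtime minus log time, so a small positive value means the
# file was last written just after logging stopped.
shutdowns_near_history() {
  hist=$1; log=$2; window=${3:-120}
  mtime=$(stat -c %Y "$hist") || return 2
  grep -E 'rsyslogd.*exiting on signal 15|Kernel logging \(proc\) stopped' "$log" |
  while read -r mon day clock rest; do
    # Skip lines whose leading fields are not a parseable timestamp.
    ts=$(date -d "$mon $day $clock" +%s 2>/dev/null) || continue
    delta=$((mtime - ts))
    if [ "${delta#-}" -le "$window" ]; then
      printf '%s %s %s %s %s\n' "$delta" "$mon" "$day" "$clock" "$rest"
    fi
  done
}

# Usage on a live system (usual Ubuntu paths, adjust as needed):
#   history_tamper_lines /etc/profile /etc/bash.bashrc /root/.bashrc /root/.bash_logout
#   shutdowns_near_history /root/.bash_history /var/log/syslog 120
```

A hit from the second function only shows that the file was last written around an orderly rsyslogd stop; the auth and syslog review asked for earlier in the thread still applies.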