Wednesday 1 February 2006

Faking bash history

In the bad old days, hackers get a root shell and disable bash_history so the true owner of the system wouldn’t know what they’d been up to.

These days they get a reverse shell via icmp or some such and don’t even generate a bash history so it doesn’t really matter that bash with readline enables the selective prevention of command logging in bash_history.

Try this;
  1. get a bash shell
  2. type a command; maybe: zookie
  3. close the bash shell
  4. get a bash shell
  5. press the up arrow, there is your command, nicely in bash history.
  6. close the bash shell

Now try this:
  1. get a bash shell
  2. type a command, maybe: secret-command
  3. press the up-arrow
  4. ^U (or lots of backspace) to delete the command
  5. type a new command but don’t press enter, maybe: mundane-command
  6. press down-arrow
  7. press enter

Now if you press up-arrow you will see mundane-command instead of secret-command, if you quit the shell and get a new shell, your command history shows the mundane-command which you did NOT execute instead of the secret-command that you DID execute.


No comments:

Post a Comment