thx bro..
bro, I'm going to answer it quick & dirty…
cat /etc/squid.conf
cat /etc/squid/squid.conf
cat /etc/squid/squid.conf|grep parent
fg
fg command typed but not used. It's the Korn shell fg built-in command, related to JOB
He seems to be trying to configure the squid cache to retrieve data from a parent (or change its configuration, as he later goes to the vi command to edit the config file).
ifconfig
cd /etc
cd squid
ls
vi squid.conf
squid -D
vi squid.conf
squid -D
ps ax
ls
cd /
ls
cd squid
ls
cd /var/log
ls
cd squid
ls
ls -al
tail -f access.log
cd /etc
cd squid
vi squid.conf
squid -D runs squid in debug mode with query output at the console. Debug information as to what is wrong. Alternatively look in the log file /var/logs/cache.log to see if there are any error messages. Looks like he is trying to configure a parent squid cache & then run squid.
date 07052126
vi squid.conf
squid -k reconfigure
Update configuration changes of squid.
ifconfig
fg
vi /etc/resolv.conf
nslookup
Fixing DNS problem (or poisoning?)
tail -f access.log
ls
cd /var/log/squid
tail -f access.log
ifconfig
exit
ifconfig
df
Checking the access log. Is a webserver running on the host?
date
date 30062004
man date
date 0702
date 07022122
ifconfig
cd /etc
The above date command (to change it) is invalid on a Linux system, but he might have got an error prompt like BELOW… and typed it, which is not registered in the console log.
date 07022122
The system cannot accept the date entered.
Enter the new date (mm-dd-yy)
cd squid
iwconfig
lsmod
rm wvlan_cs
rmmod wvlan_cs
modprobe orinoco_cs
cd /lib/modules
ls
cd 2.2.17-21mdk/
ls
ls
cd net
ls
cd wireless
cd ..
ls
cd ..
ls
ls
cd *k
cd misc
ls
ls o*
cd ..
cd ../net
ls
cd pcmcia
ls
modprobe wavelan_cs
iwconfig
ifconfig
df
ps ax
cd ..
cd usb
ls
ls
ls
ifconfig
ifconfig eth0 172.16.0.78
ping 172.16.1.1
df
Listing/removing modules… directory browsing & changing IP address.
startx ;starting GUI
lynx ; starting lynx browser
df ;checking free space in mounted partition
cd /
df
exit
df
cat /etc/passwd ; ? He has root access & might have copied/noted password hashes of other users!
exit
df
df
dmesg ;boot message log
mount /dev/sda1 /usb
mount -tvfat /dev/sda1 /usb
cd /
mkdir usb
mount -tvfat /dev/sda1 /usb
mount -tvfat /dev/sdb1 /usb
dmesg
dmesg prints kernel messages; it is very useful in determining if a piece of hardware has been found, and can be very useful when troubleshooting or just trying to obtain information about the hardware on a system.
cd /proc
ls
cd scsi
ls
cd usb
ls
cat 1
cd ..
ls
cd cat scsi
cat scsi
cd ide-scsi
ls
cat 0
cd ..
ls
cd ..
ls
cd /
Checking /proc for respective process info.
cd /lib/modules/2.2.17-21mdk/scsi/
ls
modprobe sg
dmesg
ls mod
lsmod
ls
modprobe st ; probing module status
lsmod
cd ..
ls
cd misc
ls
ls s*
cd ..
ls
cd /
mount /dev/hdc /cdrom
mount /dev/hdb /usb
mount /dev/hdd /usb
Mounting…
cd /cdrom
cd Mandrake/RPMS/
ls
ls s*
rpm -ivh openssh-server-2.3.0p1-7.1mdk.i586.rpm
rpm -ivh openssh-server-2.3.0p1-7.1mdk.i586.rpm openssh-2.3.0p1-7.1mdk.i586.rpm
rpm -ivh openssh-server-2.3.0p1-7.1mdk.i586.rpm openssh-2.3.0p1-7.1mdk.i586.rpm
df
rpm -ivh openssh-server-2.3.0p1-7.1mdk.i586.rpm openssh-2.3.0p1-7.1mdk.i586.rpm
ls
cd ..
cd /
df
umount /dev/hdc
mount /dev/hdc /cdrom
cd /cdrom/Mandrake/RPMS/
rpm -ivh openssh-server-2.3.0p1-7.1mdk.i586.rpm openssh-2.3.0p1-7.1mdk.i586.rpm
Installing SSH service. As he is accessing /cdrom & installing, he must have PHYSICAL ACCESS to the machine.
service sshd start
ifconfig
ifconfig eth0 172.16.0.78
route add default gw 172.16.1.1
Adding route.
ls
cd /
cd /home
ls
james
ls
cd james
ls
ls -al
date 07120946
ls
ls -al
Soooo many date commands. Seems like he has been changing system dates: installing stuff and changing the date to a different one for each different thing (very poor from an anti-forensic point of view).
tar -zxvf lrk4.shad.tar.gz
Linux Rootkit 4 - Precompiled Shadowed Distribution.
There is a rootkit in the home directory of james. User james got a rootkit there. Check for the ownership of the file, though the ROOT user has the right to fake ownership. Could it be that he has been taking all the pain to troubleshoot his rootkit, and now somehow he has root access, so he is installing services? It's good to check if he is installing the latest services or vulnerable ones. It could be an insider attack OR COMPLETELY THE OPPOSITE…. SOMEONE TRYING TO FIX THE COMPUTER after the backdoor was discovered. But why is he changing the date soooo much? Interesting, look.
ls
cd lrk4
ls
exit
ls
rm -fr lrk4*
ls
df
ls
df
exit
date 07151427
exit
rpm -ivh nmap*
exit
cd /cdrom
cd Mandrake/RPMS/
ls
rpm -ivh pine-4.30-3.1mdk.i586.rpm
Installing pine email client.
exit
ls sendm
ls sendm*
cd /cdrom/Mandrake/RPMS/
ls sendm*
rpm -ivh sendmail-8.11.0-3mdk.i586.rpm
exit
cd /cdrom
exit
df
cd /cdrom
ls
cd Mandrake/
ls
cd RPMS
ls
rpm -ivh make
rpm -ivh make*
rpm -ivh gcc*
rpm -ivh gcc-2.9* binutils*
rpm -ivh gcc-2.9* binutils* glibc-devel*
rpm -ivh gcc-2.9* binutils* glibc-devel*
ls ke*
rpm -ivh gcc-2.9* binutils* glibc-devel* kernel-head*
exit
ls
————————————
mkdir /usr/lib/.hax0r
exit
./hidef /usr/lib/.hax0r
ls -al
cd /usr/lib
All these could be a single person (administrator/root) or two persons (another attacker doing so). Check the system LOGON logs to figure out which.
ls
ls -al .*
cd ..
ls
exit
insmod ./knark.o
Installing kernel module. BACKDOOR. Knark is a kernel-based rootkit for Linux 2.2.
The date command he has been using could be CUSTOM MADE, NOT OF THE Mandrake LINUX SYSTEM ITSELF.
I hope other things are self-explanatory…
He must be using so many date commands to change the file stamps (created/accessed) in the system logs.
Dude, if any questions let me know. I gotta do my homework now (o
exit
date
date 07131327
date 07212043
date 07241109
date 07310733
date 08020729
ls
df
date 07212043
date 07241109
date 07241154
date 08020733
ls
df
cd /cache
ls
du
df
date 08111422
ls
ls -al
cd /var/log
ls
more secure
more messages
ls
date
more security.log
ls
cd daemons
ls
more info
more warnings
more errors
ls -al
exit
scp
ssh
modprobe ohci-usb
cd /lib/modules
ls
cd *k
ls
cd usb
ls
modprobe usb-ohci
modprobe usb-uhci
modprobe uhci
modprobe usbcore
lsmod
modprobe sd
modprobe sd_mod
cd ../scsi
ls
modprobe ide-scsi
cd ..
ls
cd usb
ls
modprobe usb-storage
fantastic!!!
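As an added example (not part of this thread or of the challenge material), a small Python triage script that scans a recovered shell history like the one above for the indicators the reply points out: the lrk4/knark/hidef rootkit artifacts, the hidden /usr/lib/.hax0r directory, insmod of a local module, the /etc/passwd read, the SSH install and the repeated `date` changes, including clock rollbacks. The rule list and the sample history are constructed for this example and are not a complete indicator set.

```python
import re
from collections import Counter

# Indicator rules for triaging a recovered shell history. lrk4, knark and hidef are
# the rootkit artifacts seen in the history above; the rule set is an assumption.
RULES = [
    ("rootkit-artifact", re.compile(r"\b(lrk4|knark|hidef)\b")),
    ("kernel-module-load", re.compile(r"^(insmod|modprobe)\s+\./")),
    ("hidden-dir-create", re.compile(r"^mkdir\s+\S*/\.\w")),
    ("clock-change", re.compile(r"^date\s+\d{4,}\b")),
    ("credential-file-read", re.compile(r"^cat\s+/etc/(passwd|shadow)\b")),
    ("evidence-removal", re.compile(r"^rm\s+-\S*[rf]\S*\s+.*(lrk|knark)")),
    ("new-remote-service", re.compile(r"openssh-server|^service\s+sshd\s+start")),
]

def triage_history(lines):
    """Return (findings, counts); each finding is (line_no, rule_name, command)."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = raw.strip()
        for name, pat in RULES:
            if pat.search(cmd):
                findings.append((n, name, cmd))
    return findings, Counter(name for _, name, _ in findings)

def clock_rollbacks(lines):
    """Flag 'date MMDDhhmm' calls that set the clock earlier than the previous one."""
    last, rollbacks = None, []
    for n, raw in enumerate(lines, 1):
        m = re.match(r"^date\s+(\d{8})$", raw.strip())
        if m and last is not None and m.group(1) < last:  # MMDDhhmm sorts as text
            rollbacks.append((n, last, m.group(1)))
        if m:
            last = m.group(1)
    return rollbacks

# Constructed sample history, drawn from the commands discussed in the reply above.
SAMPLE_HISTORY = """\
date 07052126
cat /etc/passwd
rpm -ivh openssh-server-2.3.0p1-7.1mdk.i586.rpm openssh-2.3.0p1-7.1mdk.i586.rpm
tar -zxvf lrk4.shad.tar.gz
rm -fr lrk4*
date 07151427
mkdir /usr/lib/.hax0r
./hidef /usr/lib/.hax0r
insmod ./knark.o
date 08020729
date 07212043
""".splitlines()
```

Running `triage_history(SAMPLE_HISTORY)` tags every suspicious line with one or more rule names, and `clock_rollbacks` points at the last `date` call, which winds the clock back from August to July.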