From: el kalin
Date: Tue, 31 Mar 2020 12:58:36 -0400
Subject: root .history
To: freebsd-security@freebsd.org

hi all...

noticed that overnight the shell .history file for root was emptied. the file is there but there is no history in it. this is unusual and it's the second time it happens in 2 months. it's particularly peculiar since nobody else has the root password for this machine. i can't see any ssh access in auth.log and ssh access is limited to a handful of ips...

how could i figure out what is emptying the .history file?

thanks...

also, the .cshrc looks like this:

    set promptchars = "%#"
    set filec
    set history = 1000
    set savehist = (1000 merge)
    set autolist = ambiguous
    # Use history to aid expansion
    set autoexpand
    set autorehash
    set mail = (/var/mail/$USER)
    if ( $?tcsh ) then
        bindkey "^W" backward-delete-word
        bindkey -k up history-search-backward
        bindkey -k down history-search-forward
    endif
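
One way to narrow down when the file is emptied, as an added example that is not part of the original message: a POSIX sh check meant to be run periodically (for instance from cron) that records the file's size, keeps the last non-empty copy, and reports the moment the file goes from non-empty to empty together with the sessions logged in at that time. The script name, the state directory and the /root/.history path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Detects a history file going
# from non-empty to empty and keeps the last non-empty copy for review.
# Assumed usage (hypothetical paths), e.g. from root's crontab every 5 minutes:
#   histwatch.sh /root/.history /var/db/histwatch

# check_truncated FILE STATEDIR
# Returns 0 = nothing to report, 1 = FILE went from non-empty to empty,
#         2 = FILE is missing, 3 = state directory could not be created.
check_truncated() {
    file=$1
    statedir=$2
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    mkdir -p "$statedir" || return 3
    chmod 700 "$statedir"            # state holds a copy of root's history
    sizefile=$statedir/last_size
    copy=$statedir/last_nonempty

    if [ ! -e "$file" ]; then
        echo "$now MISSING $file"
        return 2
    fi

    cur=$(wc -c < "$file" | tr -d ' ')   # BSD wc pads its output with spaces
    prev=0
    if [ -r "$sizefile" ]; then prev=$(cat "$sizefile"); fi
    echo "$cur" > "$sizefile"

    if [ "$cur" -gt 0 ]; then
        cp -p "$file" "$copy"        # preserve content and mtime
        return 0
    fi
    if [ "$prev" -gt 0 ]; then
        echo "$now TRUNCATED $file (was $prev bytes)"
        ls -l "$file"                # mtime narrows down when it happened
        who 2>/dev/null || true      # sessions logged in right now
        return 1
    fi
    return 0
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    check_truncated "$1" "$2"
fi
```

The reported timestamp and the file's mtime give a window to compare against auth.log, cron logs and login records; the check shows when the file was emptied, not which process did it.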