From owner-freebsd-security  Thu Aug 27 11:24:22 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA25038
          for freebsd-security-outgoing; Thu, 27 Aug 1998 11:24:22 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hyperreal.org (taz.hyperreal.org [209.133.83.16])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA25022
          for <security@FreeBSD.org>; Thu, 27 Aug 1998 11:24:15 -0700 (PDT)
          (envelope-from brian@hyperreal.org)
Received: (qmail 6799 invoked by uid 24); 27 Aug 1998 18:23:23 -0000
Message-ID: <19980827182323.6798.qmail@hyperreal.org>
X-Sender: brian@hyperreal.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 
Date: Thu, 27 Aug 1998 11:16:01 -0700
To: Wilson MacGyver <macgyver@cylatech.com>, security@FreeBSD.ORG
From: Brian Behlendorf <brian@hyperreal.org>
Subject: Re: post breakin log
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>the log from history follows.

Is there a fool-proof way to get user histories like this?  I got one once
only because the cracker was lame enough to forget to delete his
.bash_history file.    Presuming root isn't compromised of course...

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices  |     brian@apache.org
acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message