The HoneyNet Forensic Challenge --Analysis & Findings
# cat $ROOT/home/drosen/.bash_history
- gunzip *
- tar -xvf *
- rm tpack*
- cd " "
- ./install
- exit
# find $ROOT -name " " -print
Notes:
A review of the $ROOT/home/drosen directory shows a fairly typical structure and no obviously improper files. The .bash_history file reveals traces of a rootkit install in a " " directory.
A directory whose name is a single space character is very questionable: it is easy to overlook in a listing and awkward to type. The find command was used to locate this bogus directory.
History files are often symlinked to /dev/null to hide activity.
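As an added example (not part of the original challenge write-up), the two checks described on this slide can be swept across a whole mounted image instead of one home directory; $ROOT is assumed to be the mount point of the image, as on the slide.

```shell
#!/bin/sh
# Added example, not part of the original challenge write-up: automate the two
# checks the slide makes by hand over a mounted image root ($ROOT is assumed to
# be that mount point, as on the slide).
#   1. names made only of whitespace (the " " directory) or containing control bytes
#   2. .bash_history files that are symlinks to /dev/null

# Print every path under $1 whose last component is all whitespace or contains
# a control character. Ordinary "My Documents"-style names are not flagged.
find_suspicious_names() {
    find "$1" -print 2>/dev/null | while IFS= read -r path; do
        name=${path##*/}
        case $name in
            '') ;;                            # "$1" given with a trailing slash
            *[![:space:]]*)                   # has a visible char: still check for control bytes
                case $name in
                    *[[:cntrl:]]*) printf '%s\n' "$path" ;;
                esac ;;
            *) printf '%s\n' "$path" ;;       # only whitespace, e.g. the " " directory
        esac
    done
}

# Print every .bash_history under $1 that is a symlink whose target is /dev/null.
find_null_histories() {
    find "$1" -name .bash_history -type l -print 2>/dev/null | while IFS= read -r f; do
        if [ "$(readlink "$f")" = /dev/null ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Run both sweeps when ROOT is set, e.g.  ROOT=/mnt/image sh sweep.sh
if [ -n "${ROOT:-}" ]; then
    echo "== suspicious names under $ROOT";         find_suspicious_names "$ROOT"
    echo "== history files pointing at /dev/null";  find_null_histories "$ROOT"
fi
```

Paths are printed one per line, so a name that itself contains a newline would span two lines; on such output fall back to `find -print0` and inspect the entry by hand.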