On Thu, 2003-11-13 at 22:37, John J. Trammell wrote: > On Thu, Nov 13, 2003 at 08:34:06PM -0600, Tom Penney wrote: > > I just noticed that the .bash_history file is gone on a box that I am > > supposedly the only one with root access. RedHat 7.2. Can anyone think > > of a legitimate reason why the history might vanish? > > > > Just for kicks, what does chkrootkit say? On Thu, 2003-11-13 at 22:32, rware at interplastic.com wrote: > You were playing with rm and * ;) I indeed was using rm -i ./* in a completely different directory. I thought I contained my deletion to the files I intended to delete. I did download and run chrootkit which did not find anything. I did not not boot the machine clean though, I just ran it. I also have been running tripwire on this machine for over a year. Tripwire finds nothing. I did find out that a software developer does have root access to this machine, and he did su. I do completely trust this person (should I?) and he does have every right to be root on this machine and a legitimate need. I did not realize he wrote down the password I gave him months ago. He claims he did nothing to the history. Can anyone think of a way I or my colleague could have inadvertently cleared the history? I know history -c will do the job but I don't see how that could be done by mistake. Maybe I'm being too paranoid but it bothers me. If someone is good enough root this box and to hide it from both chkrootkit and tripwire you would think they would have just deleted the the incriminating lines from the history so they would not be discovered. - Tom -- Tom Penney <blots at visi.com> _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota http://www.mn-linux.org tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list