John is the network administrator of XSECURITY systems. His network was recently compromised, and he is analyzing the log files to investigate the attack.
Take a look at the following Linux log file snippet. The hacker has compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?
[root@apollo /]# rm rootkit.c
[root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/named
359 ?        00:00:00 inetd
rm: cannot remove `/tmp/h': No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
[root@apollo /]# ps -aux | grep portmap
[root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/named
359 ?        00:00:00 inetd
rm: cannot remove `/sbin/portmap': No such file or directory
rm: cannot remove `/tmp/h': No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
A.
The hacker is attempting to compromise more machines on the network
B.
The hacker is trying to cover his tracks
C.
The hacker is running a buffer overflow exploit to lock down the system
D.
The hacker is planting a rootkit
Explanation:
The attacker is already root on apollo and is cleaning up after himself. He removes the rootkit source (rootkit.c), the binaries he dropped or replaced (/sbin/portmap, /usr/sbin/rpc.portmap, /usr/sbin/named and a tool in /tmp/h), and the bash history files (.bash* in the current directory and /root/.bash_history), which record the last commands run in the shell. Deleting that evidence is covering his tracks, so B is the correct answer. Note that the "No such file or directory" errors show the cleanup was not clean (several files were already gone or never existed under those names), and that deleting .bash_history only removes what bash has already written to disk; the running shell still holds its history in memory and rewrites the file when it exits, which is one reason this session could still be reconstructed.
B is the answer, as the hacker is trying to delete the history.
I have the same idea.
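As an added illustration, not part of the original question or the discussion above, here is a small Python scanner that applies the reasoning in the explanation to a session transcript. It pulls the typed commands out of the prompt lines, splits compound command lines on `;`, `&&` and `||`, and flags the anti-forensic actions seen in the snippet: deletion of shell history, removal of replaced system binaries, removal of dropped tools in temp directories, removal of the rootkit source, and log truncation or history-recording tricks that the snippet does not show but an investigator would also look for. The sample session is constructed for the example (modelled on the snippet, not a capture from the page's host), and the path lists, reason strings and function names are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample session modelled on the snippet in the question. It mixes the
# attacker's cleanup with two harmless commands so the scanner has something to ignore,
# and includes a doubled prompt, as a re-drawn terminal can produce.
SAMPLE_SESSION = """\
[root@apollo /]# rm rootkit.c
[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/named
359 ?        00:00:00 inetd
rm: cannot remove `/tmp/h': No such file or directory
[root@apollo /]# ps -aux | grep portmap
[root@apollo /]# unset HISTFILE
[root@apollo /]# cat /dev/null > /var/log/wtmp
[root@apollo /]# ls -la /var/log
"""

# Matches a bash prompt of the form "[user@host cwd]# command".
PROMPT_RE = re.compile(r"^\[(?P<user>[^@\]]+)@(?P<host>[^\s\]]+) (?P<cwd>[^\]]*)\][#$] ?(?P<cmd>.*)$")
SEPARATOR_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")   # splits compound command lines
REDIRECT_RE = re.compile(r">+\s*(\S+)")              # targets of > and >> (truncation)

# Indicator lists chosen for this example; extend them for your own environment.
HISTORY_NAMES = (".bash_history", ".bash*", ".sh_history", ".history", ".zsh_history")
SYSTEM_BIN_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", "/usr/local/sbin/")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
LOG_DIRS = ("/var/log/",)
DELETERS = ("rm", "unlink", "shred", "srm", "wipe")


@dataclass
class Finding:
    line_no: int   # line of the transcript the command was typed on
    command: str   # the individual (split) command
    reason: str    # why it looks like track covering


def classify_path(path: str) -> str:
    """Explain why deleting or truncating this path looks like track covering ('' if it does not)."""
    name = path.rsplit("/", 1)[-1]
    if name in HISTORY_NAMES or name.startswith(".bash_hist"):
        return "shell history deleted"
    if path.startswith(LOG_DIRS):
        return "log file removed or truncated"
    if path.startswith(SYSTEM_BIN_DIRS):
        return "system binary removed"
    if path.startswith(TEMP_DIRS):
        return "dropped tool in temp dir removed"
    if "rootkit" in name or name.endswith((".c", ".tgz", ".tar.gz")):
        return "rootkit/exploit source removed"
    return ""


def classify_command(cmd: str) -> List[str]:
    """Return one reason per suspicious action in a single (non-compound) command."""
    reasons: List[str] = []
    tokens = cmd.split()
    if not tokens:
        return reasons
    prog = tokens[0]
    if prog in DELETERS:
        for path in tokens[1:]:
            if path.startswith("-"):          # skip flags such as -rf
                continue
            reason = classify_path(path)
            if reason:
                reasons.append(reason)
    elif prog == "history" and "-c" in tokens:
        reasons.append("shell history cleared in memory")
    elif (prog == "unset" and "HISTFILE" in tokens) or (
        prog == "export" and any(t.startswith(("HISTFILE=", "HISTSIZE=0")) for t in tokens[1:])
    ):
        reasons.append("history recording disabled")
    # "cat /dev/null > /var/log/wtmp" and friends: truncation through redirection.
    for target in REDIRECT_RE.findall(cmd):
        reason = classify_path(target)
        if reason:
            reasons.append(reason)
    return reasons


def scan_session(text: str) -> List[Finding]:
    """Walk a transcript, keep only typed commands, and flag anti-forensic ones."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PROMPT_RE.match(line)
        if not m:
            continue                          # command output, not a typed command
        cmd = m.group("cmd")
        inner = PROMPT_RE.match(cmd)          # strip a doubled prompt, if present
        while inner:
            cmd = inner.group("cmd")
            inner = PROMPT_RE.match(cmd)
        for part in SEPARATOR_RE.split(cmd):
            for reason in classify_command(part):
                findings.append(Finding(line_no, part, reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick verdict on the session."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def covers_tracks(findings: List[Finding]) -> bool:
    """True when the session touches history or logs, the core of track covering."""
    return any("history" in f.reason or "log file" in f.reason for f in findings)


if __name__ == "__main__":
    found = scan_session(SAMPLE_SESSION)
    for f in found:
        print(f"line {f.line_no}: {f.reason}: {f.command}")
    print(summarize(found), "covering tracks:", covers_tracks(found))
```

Run against the constructed session, the scanner ignores the `ps` and `ls` lines and the `rm:` error output, reports nine findings, and returns a "covering tracks" verdict because of the two history deletions, the disabled HISTFILE and the truncated wtmp; the three system-binary removals and the rootkit source are what tell the investigator which services to rebuild from known-good media.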