I believe my server has just been compromised interactively.
As this server will go to the trash anyway, I wonder if I can get a better insight into what the villain is doing by forcing logging of all ttys.
Years ago I saw a kernel patch that does just that, but I can't find it anymore. I wonder if such a patch exists (I don't know how to write one).
The best would be if the output weren't stored locally, but forwarded to my other host (e.g. by HTTP POST or even via netcat).
My host uses a 3.8 mainline kernel.
I don't have a kernel-level intercept patch, but this quick-and-dirty shell capture script can be placed in /etc/profile.d:
This will create files in /tmp in the format TIMESTAMP_TTY.log and will record almost all input/output (including special characters). The script does not announce itself, thanks to the quiet flag, but is easily spotted in the process table if an attacker thinks to look.
Since you still have access to the system, you could always retrieve these logs remotely instead of pushing them out (configuring the system to push these files to a remote location opens up another target for the attacker).
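An added example in the spirit of the answer above (this is not the answerer's own script): a /etc/profile.d drop-in that wraps each interactive login shell in util-linux `script`, writing /tmp/TIMESTAMP_TTY.log. The directory, the variable names and the `TTY_CAPTURE` recursion guard are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the answer's script: record interactive login shells
# with util-linux `script`. Intended to be sourced from /etc/profile.d.

TTY_LOG_DIR="${TTY_LOG_DIR:-/tmp}"   # assumed log location

# Build the log path from a timestamp and the tty device, replacing '/'
# in the tty name so /dev/pts/3 becomes e.g. /tmp/20240101T120000_pts_3.log.
tty_log_path() {
    _ts="$1"    # e.g. 20240101T120000
    _tty="$2"   # output of `tty`, e.g. /dev/pts/3
    _name=$(printf '%s' "${_tty#/dev/}" | tr '/' '_')
    printf '%s/%s_%s.log' "$TTY_LOG_DIR" "$_ts" "$_name"
}

# Capture only interactive shells attached to a real terminal, and only once:
# the inner shell started by `script` inherits TTY_CAPTURE and must not
# start a second recorder.
should_capture() {
    case "$-" in *i*) ;; *) return 1 ;; esac
    [ -t 0 ] || return 1
    [ -z "$TTY_CAPTURE" ] || return 1
    command -v script >/dev/null 2>&1 || return 1
    return 0
}

start_tty_capture() {
    _log=$(tty_log_path "$(date +%Y%m%dT%H%M%S)" "$(tty)")
    export TTY_CAPTURE=1
    # -q: no "Script started" banner; -f: flush after every write so the log
    # is complete even if the session is killed. exec replaces this shell,
    # so logging out ends the recording.
    exec script -q -f "$_log"
}

if should_capture; then
    start_tty_capture
fi
```

The `-f` flag is the util-linux spelling of "flush"; without it the log is only written when the session ends, which is exactly when an attacker may have already deleted it. As the answer notes, the `script` process is visible in the process table, so this only buys insight against someone who does not look.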