For a while now, when I access my Ubuntu 18.04 server on Vultr and click the up arrow, I no longer see the bash history. It is always empty; even if I write some commands, then exit the server and re-enter, the bash history is empty again.
I immediately thought it was the fault of some updates.
But the other day I noticed new hidden folders in my /www directory:
/www
.local
.config
.ssh
and a new file: .bash_history. Inside the file is this:
su
sudo cat ssh_host_rsa_key
ssh localhost
ssh localhost -p 65262
ssh localhost -p 65262 -u root
ssh root@localhost:65262
ssh [email protected]:65262
ssh root@localhost -p 65262
ssh root@localhost -p 65262 -i /etc/ssh/ssh_host_rsa_key
ssh root@localhost -p 65262 -i "/etc/ssh/ssh_host_rsa_key"
su root
su myuser
65262 is my old SSH port; I changed it, just to be sure.
What's happening to my server? Is there anyone playing with it without my knowing it?
On my server I disabled the ssh login with password, disabled the root user, installed fail2ban with filter on ssh, changed the ssh port.
And so far I haven't seen any changes to my sites or my files.
I can't understand if it's just an update and a normal server behavior or if it's something more dangerous. Can you help me understand?
Update
I pasted the echo in a terminal, this is the result, but I have no idea if it is correct, wrong or if there is something strange.
HISTFILE=
HISTFILESIZE=2000
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
PS1=[\e]0;\u@\h: \w\a]${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$
If I write this:
sudo nano ~/.bash_logout
I see this:
# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
Is it normal???
And .profile comments say this, and seem to use the new dir I saw on my www:
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
NOT normal behaviour! Read man bash, the 'INVOCATION' section. Carefully inspect /etc/profile, /etc/bash.bashrc, ~/.bash_profile, ~/.bash_login, ~/.bash_logout, and ~/.profile. Additionally, look at all files source'd (or .ed) in those files.
In a running shell, look at
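The inspection of startup files described in this answer can be scripted. The following is an added example, not part of the original answer: it lists every non-comment line in the bash startup files that touches a history setting (such as the empty HISTFILE= shown in the question's output) and follows the files they source. The function names, the pattern list and the depth limit of 3 are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): list history-related settings in
# shell startup files and in the files they source. Heuristic, read-only.

# Any mention of bash's history variables, "set +o history", or the history file.
HIST_RE='HIST(FILE|SIZE|FILESIZE|CONTROL|IGNORE)|set[[:space:]]+\+o[[:space:]]+history|bash_history'

# Print "file:line:text" for every non-comment line of $1 that matches HIST_RE.
scan_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 0
    grep -nE "$HIST_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' |
        awk -v f="$1" '{ print f ":" $0 }'
}

# Print the paths $1 pulls in via "source X" or ". X" at the start of a line,
# expanding a leading $HOME or ~. Paths built from other variables are left as-is.
sourced_files() {
    [ -f "$1" ] && [ -r "$1" ] || return 0
    sed -nE 's/^[[:space:]]*(source|\.)[[:space:]]+"?([^";&[:space:]]+)"?.*/\2/p' "$1" |
        sed -e "s|^[\$]HOME|$HOME|" -e "s|^~|$HOME|"
}

# audit DEPTH FILE...: scan each file, then follow its includes DEPTH levels deep.
# The subshell keeps loop variables separate per level; the depth limit stops cycles.
audit() {
    depth=$1
    shift
    for f in "$@"; do
        scan_file "$f"
        if [ "$depth" -gt 0 ]; then
            for s in $(sourced_files "$f"); do
                ( audit $((depth - 1)) "$s" )
            done
        fi
    done
}

# With no arguments, check the startup files named in the bash man page.
[ "$#" -gt 0 ] || set -- /etc/profile /etc/bash.bashrc "$HOME/.bash_profile" \
    "$HOME/.bash_login" "$HOME/.profile" "$HOME/.bashrc" "$HOME/.bash_logout"
audit 3 "$@"
```

A stock Ubuntu ~/.bashrc sets HISTCONTROL, HISTSIZE and HISTFILESIZE, so those lines are expected hits; an assignment to HISTFILE is not among them.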