That's an awesome trail your cracker left there...! Does anyone know what 'anatomy' and 'kofd/kod' are? Perhaps the source is still on the machine in /root/.dead/home/.dead/dead/ (or something like that)
It looks like he was performing port scans from your machine (./pscan IP PORT entries). Don't know what './b' might be.

It might also be useful/fun to do a reverse dns on the IP addresses that appear through this log. The first one is a traceroute to 193.254.35.18:

    $ nslookup 193.254.35.18
    Name:    dial03-ot0.logicnet.ro
    Address: 193.254.35.18

(.ro is Romania)

It's unusual that he did a 'cat .bash_history', but didn't delete it. Maybe it's a forgery? Comments, people?

> "Dzuy M. Nguyen" wrote:
>
> Can someone help me figure out this "/.bash_history" from my
> computer that someone cracked into and did some damage.
>
> I'll probably re-install the box, but I'd like to see what they did
> before I destroy it. I've attached the "/.bash_history".
>
> Dzuy
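The reverse-DNS pass over the log suggested in the reply above, as an added example that is not part of the original thread: it pulls every valid IPv4 address out of a copy of the history file, records which commands mention it, and attaches a PTR name. The sample history is constructed (only 193.254.35.18 and the `./pscan IP PORT` shape come from the thread), and the function names are hypothetical.

```python
import ipaddress
import re
import socket

# Constructed sample; work on a copy of the file taken off the compromised
# box, and run the lookups from an analysis host, not the box itself.
SAMPLE_HISTORY = """\
traceroute 193.254.35.18
cd /root/.dead
./pscan 192.0.2.10 21
./pscan 192.0.2.10 23
ftp 198.51.100.7
cat .bash_history
ping 999.1.1.1
"""

# Dotted quad not embedded in a longer run of digits and dots.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def extract_ips(history):
    """Map each valid IPv4 address to [(line_no, command), ...] in first-seen order."""
    seen = {}
    for lineno, line in enumerate(history.splitlines(), 1):
        for cand in IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(cand)   # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            seen.setdefault(cand, []).append((lineno, line.strip()))
    return seen

def ptr_lookup(ip):
    """Reverse-resolve ip; None when no PTR record exists or DNS is unreachable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def report(history, resolver=ptr_lookup):
    """One row per address: PTR name, first line seen, and the commands using it."""
    return [{"ip": ip, "ptr": resolver(ip), "first_line": hits[0][0],
             "commands": [cmd for _, cmd in hits]}
            for ip, hits in extract_ips(history).items()]

if __name__ == "__main__":
    for row in report(SAMPLE_HISTORY):
        print(f"{row['ip']:<16} {row['ptr'] or '-':<28} {'; '.join(row['commands'])}")
```

A PTR record is set by whoever controls the address block, so treat the name as a lead to follow up, not as attribution.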