Can you make a fake /dev/null? And make the real one /dev/.null or something? The "normal" one would go to a log file somewhere. You would have to change every program that uses it, but it might be worth it. Or is that something built in to the kernel?
Just a thought from a clueless newbie...

Rich Cloutier
President, C*O
SYSTEM SUPPORT SERVICES
www.sysupport.com

----- Original Message -----
From: "Brian Chabot" <[EMAIL PROTECTED]>
To: "Greater NH Linux Users Group" <[EMAIL PROTECTED]>
Sent: Thursday, January 03, 2002 1:04 PM
Subject: Bash question...

> After the recent break-ins on my box, I've been writing a few watch
> scripts...
>
> One of the things the intruder did was to link his bash_history to
> /dev/null.
>
> My question is....
>
> Is there an easy way to tee the $HISTFILE to more than one location?
>
> Basically, I doubt this %#^$%&^ would be smart enough to have echo'd
> $HISTFILE, but rather just linked .bash_history as it was pretty
> commonly the $HISTFILE.
>
> What I want is a mirror of .bash_history stored elsewhere in case the
> original gets fubar'd.
>
> Also, if there's a perl/networking guru, I'm looking to re-write the
> trojan to look like it's working, but instead be logging the intruder's
> actions, IP, etc. It's a simple backdoor (only about 2.5 pages
> printed), so I might even be able to figure it out myself...
>
> Brian
>
> ---------------------------------------------------------------
> | [EMAIL PROTECTED] Spam me and DIE! |
> | http://www.datasquire.net |
> | Co-Founder & Co-Owner of |
> | Data Squire Internet Services |
> ---------------------------------------------------------------
>
> *****************************************************************
> To unsubscribe from this list, send mail to [EMAIL PROTECTED]
> with the text 'unsubscribe gnhlug' in the message body.
> *****************************************************************
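One way to get the mirror asked about in the quoted message, as an added example that is not code from either poster: a bash `PROMPT_COMMAND` hook copies each command to a second log and records when the history file is no longer a regular file. `MIRROR_LOG`, `check_histfile`, `mirror_append` and `mirror_hook` are names assumed for this sketch.

```shell
#!/bin/bash
# Added example (constructed): mirror interactive commands to a second log and
# flag a history file that has been replaced. MIRROR_LOG is an assumed path.
MIRROR_LOG="${MIRROR_LOG:-$HOME/.hist_mirror}"

# Classify a history file. Prints ok, missing, not-regular or symlink:<target>;
# returns non-zero for anything other than a plain regular file.
check_histfile() {
    f="$1"
    if [ -L "$f" ]; then
        printf 'symlink:%s\n' "$(readlink "$f")"   # e.g. symlink:/dev/null
        return 1
    elif [ ! -e "$f" ]; then
        echo missing
        return 1
    elif [ ! -f "$f" ]; then
        echo not-regular                            # device node, FIFO, directory
        return 1
    fi
    echo ok
}

# Append one record to the mirror log: UTC timestamp, user, command text.
mirror_append() {
    log="$1"; shift
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${USER:-$(id -un)}" "$*" >> "$log"
}

# Run by bash before each prompt. The newest history entry comes from the
# shell's in-memory list, so it is captured even when $HISTFILE points at
# /dev/null. The raw entry (with its number) is remembered so that pressing
# Enter on an empty line does not log the previous command again.
mirror_hook() {
    entry=$(HISTTIMEFORMAT='' history 1)
    if [ -n "$entry" ] && [ "$entry" != "$MIRROR_LAST" ]; then
        MIRROR_LAST=$entry
        mirror_append "$MIRROR_LOG" \
            "$(printf '%s\n' "$entry" | sed 's/^ *[0-9][0-9]*\*\{0,1\} *//')"
    fi
    state=$(check_histfile "${HISTFILE:-$HOME/.bash_history}")
    case $state in
        symlink:*|not-regular) mirror_append "$MIRROR_LOG" "ALERT histfile=$state" ;;
    esac
}
PROMPT_COMMAND=mirror_hook
```

Sourced from a shell start-up file, the hook only helps while it stays set: anyone with the account's shell can unset `PROMPT_COMMAND`, so the mirror is best kept somewhere that account can append to but not rewrite.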
