Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #7 -- You find an entry for a suspicious IP address in /root/.ssh/known_hosts. What conclusions can you draw from this artifact?
Sep 12, 2022 · 1:06 PM UTC
Trivia Answer #7 — Shout out to @DfirNotes for the first correct response. An entry in known_hosts means the account established an SSH connection to the remote host long enough to exchange public keys. It does NOT tell you whether or not there was a successful login.
You would have to check the logs on the remote system to determine if there was any kind of login and what happened from there.
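Checking a known_hosts file for a given IP, as an added example that is not part of the original thread: it goes beyond the thread by also matching hashed entries (the `|1|salt|hash` form written when HashKnownHosts is on), where a plain text search for the IP finds nothing. The function names, the port list and the sample file are assumptions made for illustration; a hit still only shows that a host key was recorded, not that a login succeeded.

```python
import base64, hashlib, hmac

def hash_host(host: str, salt: bytes) -> str:
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_names_host(field: str, candidate: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) names candidate."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:  # malformed hashed entry
            return False
        got = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return candidate in field.split(",")  # wildcard patterns are not expanded here

def find_host(known_hosts_text: str, ip: str, ports=(2222,)):
    """Return (line_no, key_type, hashed, matched_name) for entries naming ip."""
    # Port 22 is stored as the bare host; other ports as "[host]:port".
    candidates = [ip] + ["[%s]:%d" % (ip, p) for p in ports]
    hits = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        for c in candidates:
            if field_names_host(parts[0], c):
                hits.append((n, parts[1], parts[0].startswith("|1|"), c))
    return hits

# Constructed sample file: documentation-range IPs, placeholder key blobs.
KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOBNOTAREALKEY000000000000"
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "build01.example.com,192.0.2.10 ssh-ed25519 " + KEY,
    hash_host("203.0.113.45", b"constructed-salt-001") + " ssh-ed25519 " + KEY,
    hash_host("[203.0.113.45]:2222", b"constructed-salt-002") + " ecdsa-sha2-nistp256 " + KEY,
    hash_host("198.51.100.7", b"constructed-salt-003") + " ssh-rsa " + KEY,
])

if __name__ == "__main__":
    print(find_host(SAMPLE, "203.0.113.45"))
```

On a system with OpenSSH installed, `ssh-keygen -F <host> -f <file>` performs the same lookup, including hashed entries.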


