Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #7 -- You find an entry for a suspicious IP address in /root/.ssh/known_hosts. What conclusions can you draw from this artifact?

Sep 12, 2022 · 1:06 PM UTC

Trivia Answer #7 — Shout out to @DfirNotes for the first correct response. An entry in known_hosts means the account established an SSH connection to the remote host long enough to exchange public keys. It does NOT tell you whether or not there was a successful login.
You would have to check the logs on the remote system to determine if there was any kind of login and what happened from there.
Several folks noted, however, that the known_hosts file is just a text file and can be edited. So perhaps that entry is bogus. I recommend comparing the public host key from the remote system against the public key in the known_hosts entry as an additional level of validation.
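As an added example (not from the thread): a small Python check of the kind recommended above, which finds the known_hosts entries naming a suspect address and compares their keys with the host key retrieved from that system, handling the hashed host fields that HashKnownHosts writes. The key blob, salt and 203.0.113.5 address are constructed sample data.

```python
import base64
import hashlib
import hmac

def _ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data  # length-prefixed string inside a key blob

def make_key_b64(key_type: bytes, raw_key: bytes) -> str:
    """Base64 key field for a known_hosts line (constructed blob, not a real key)."""
    return base64.b64encode(_ssh_string(key_type) + _ssh_string(raw_key)).decode()

def hash_hostname(host: str, salt: bytes) -> str:
    """Host field in the |1|salt|hmac form that HashKnownHosts writes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(host_field: str, host: str) -> bool:
    """True if the host field names `host`, whether hashed or plaintext (comma-separated)."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in host_field.split(",")  # non-22 ports are written as "[host]:port"

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint, comparable with ssh-keygen -l output."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_entries(known_hosts_text: str, host: str, remote_key_b64: str) -> list:
    """For each entry naming `host`: (line, key type, True if its key equals the remote key)."""
    results = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):  # skip @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or line.startswith("#"):
            continue
        host_field, key_type, key_b64 = parts[:3]
        if host_matches(host_field, host):
            results.append((line, key_type, fingerprint(key_b64) == fingerprint(remote_key_b64)))
    return results

# Constructed sample data: dummy ed25519 blob, TEST-NET-3 address, all-zero salt.
SAMPLE_KEY_B64 = make_key_b64(b"ssh-ed25519", bytes(range(32)))
SUSPECT_IP = "203.0.113.5"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "git.example.internal,10.0.0.7 ssh-ed25519 " + SAMPLE_KEY_B64,
    hash_hostname(SUSPECT_IP, bytes(20)) + " ssh-ed25519 " + SAMPLE_KEY_B64,
])
```

On a real case, pass the contents of /root/.ssh/known_hosts and the base64 key obtained from the remote system to check_entries; a False in the third field means the entry's key does not belong to the host it names.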
Replying to @hal_pomeranz
Root connected via ssh to a “suspicious IP”, don’t know if login was successful or not. What else?
Replying to @hal_pomeranz
No conclusions there - but food for further investigation. #WhatsYourLevelOfConfidenceInWhatYouThinkYouKnow == primary concept for forensics. Rarely 100%, but determines the level of inference and directions of search. "it is consistent with..." !== "it is"
Replying to @hal_pomeranz
Sounds like an ssh client may have been executed as root and was at least partially successful at connecting to the host listed. Or the file was just modified (text format)