Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #7 -- You find an entry for a suspicious IP address in /root/.ssh/known_hosts. What conclusions can you draw from this artifact?
Trivia Answer #7 — Shout out to @DfirNotes for the first correct response. An entry in known_hosts means the account established an SSH connection to the remote host long enough to exchange public keys. It does NOT tell you whether or not there was a successful login.

Sep 13, 2022 · 11:18 AM UTC

You would have to check the logs on the remote system to determine if there was any kind of login and what happened from there.
Several folks noted, however, that the known_hosts file is just a text file and can be edited. So perhaps that entry is bogus. I recommend comparing the public host key from the remote system against the public key in the known_hosts entry as an additional level of validation.
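One way to do the comparison the last tweet recommends, added here as an example and not part of the original thread: parse the local known_hosts (including the hashed `|1|salt|hmac` host fields OpenSSH writes with HashKnownHosts), compute the SHA256 fingerprint the way `ssh-keygen -lf` prints it, and compare it against the key observed on the remote system (for example, the output of `ssh-keyscan` run there). The IP addresses, salts and key blobs below are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_field_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field, plain (comma-separated) or hashed (|1|salt|hmac)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        # OpenSSH hashes hostnames as HMAC-SHA1 keyed with the 20-byte salt
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_blob) for each non-comment known_hosts line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#"):
            yield parts[0], parts[1], parts[2]

def check_host_key(known_hosts: str, hostname: str, observed_type: str, observed_blob: str) -> str:
    """Compare the key recorded for hostname with the key observed on the remote system."""
    for field, key_type, blob in parse_known_hosts(known_hosts):
        if host_field_matches(field, hostname) and key_type == observed_type:
            return "match" if fingerprint(blob) == fingerprint(observed_blob) else "mismatch"
    return "no entry"

# --- constructed sample data: placeholder addresses and fake ed25519 key blobs ---
def fake_blob(seed: bytes) -> str:
    key = hashlib.sha256(seed).digest()  # 32 arbitrary bytes in place of a real public key
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + key).decode()

def hashed_field(hostname: str, salt: bytes) -> str:
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

SUSPECT = "198.51.100.23"                 # constructed "suspicious" address
REAL_BLOB = fake_blob(b"real host key")  # stands in for the key ssh-keyscan returned
SAMPLE_KNOWN_HOSTS = "\n".join([
    "10.0.0.5 ssh-ed25519 " + fake_blob(b"internal host"),
    hashed_field(SUSPECT, b"\x01" * 20) + " ssh-ed25519 " + fake_blob(b"planted key"),
])

if __name__ == "__main__":
    print(check_host_key(SAMPLE_KNOWN_HOSTS, SUSPECT, "ssh-ed25519", REAL_BLOB))  # mismatch
```

A "mismatch" means the entry was not produced by a connection to the host as it is keyed today, so the entry was either edited or the remote host key has since changed; either way the artifact cannot be trusted on its own.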