Aug 1 12:41:15 bastion LinuxCommandsWazuh: User ubuntu [426140]: 30 sudo su ak Aug 1 12:41:16 bastion LinuxCommandsWazuh: User ubuntu [426140]: 31 ls Aug 1 12:41:22 bastion LinuxCommandsWazuh: User ubuntu [426140]: 32 cd .. Aug 1 12:41:23 bastion LinuxCommandsWazuh: User ubuntu [426140]: 33 ls Aug 1 12:41:25 bastion LinuxCommandsWazuh: User ak [426172]: 102 sudo su ubuntu Aug 1 12:41:26 bastion LinuxCommandsWazuh: User ak [426172]: 103 la Aug 1 12:41:28 bastion LinuxCommandsWazuh: User ak [426172]: 104 ls Aug 1 12:41:28 bastion LinuxCommandsWazuh: User ak [426172]: 105 cd Aug 1 12:41:29 bastion LinuxCommandsWazuh: User ak [426172]: 106 s Aug 1 12:41:30 bastion LinuxCommandsWazuh: User ak [426172]: 107 ls Aug 1 12:44:38 bastion LinuxCommandsWazuh: User ak [426172]: 107 ls Aug 1 12:44:39 bastion LinuxCommandsWazuh: User ak [426172]: 108 cd test/ Aug 1 12:44:40 bastion LinuxCommandsWazuh: User ak [426172]: 109 ls Aug 1 12:44:42 bastion LinuxCommandsWazuh: User ak [426172]: 110 cd .. Aug 1 12:44:43 bastion LinuxCommandsWazuh: User ak [426172]: 111 ls Aug 1 12:44:43 bastion LinuxCommandsWazuh: User ak [426172]: 112 cd Aug 1 12:45:03 bastion LinuxCommandsWazuh: User ak [426172]: 113 cat /etc/profile Aug 1 12:45:57 bastion LinuxCommandsWazuh: User ubuntu [426363]: 30 sudo su ak Aug 1 12:46:01 bastion LinuxCommandsWazuh: User root [426376]: 39 exit Aug 1 12:46:09 bastion LinuxCommandsWazuh: User root [426376]: 40 mkdir /var/chroot Aug 1 12:46:14 bastion LinuxCommandsWazuh: User root [426376]: 41 mkdir /var/chroot/dev Aug 1 12:46:19 bastion LinuxCommandsWazuh: User root [426376]: 42 cd /var/chroot/dev Aug 1 12:46:24 bastion LinuxCommandsWazuh: User root [426376]: 43 mknod -m 666 null c 1 3 Aug 1 12:46:28 bastion LinuxCommandsWazuh: User root [426376]: 44 mknod -m 666 tty c 5 0 Aug 1 12:46:34 bastion LinuxCommandsWazuh: User root [426376]: 45 mknod -m 666 zero c 1 5 Aug 1 12:46:38 bastion LinuxCommandsWazuh: User root [426376]: 46 mknod -m 666 random c 1 8 Aug 1 12:46:43 bastion LinuxCommandsWazuh: User root [426376]: 47 chown root:root /var/chroot Aug 1 12:46:48 bastion LinuxCommandsWazuh: User root [426376]: 48 chmod 755 /var/chroot Aug 1 12:46:54 bastion LinuxCommandsWazuh: User root [426376]: 49 mkdir /var/chroot/bin Aug 1 12:46:58 bastion LinuxCommandsWazuh: User root [426376]: 50 cp /bin/bash /var/chroot/bin Aug 1 12:47:03 bastion LinuxCommandsWazuh: User root [426376]: 51 ldd /bin/bash Aug 1 12:47:08 bastion LinuxCommandsWazuh: User root [426376]: 52 mkdir -p /var/chroot/lib/x86_64-linux-gnu /var/chroot/lib64 Aug 1 12:47:15 bastion LinuxCommandsWazuh: User root [426376]: 53 cp /lib/x86_64-linux-gnu/{libtinfo.so.6,libdl.so.2,libc.so.6} /var/chroot/lib/x86_64-linux-gnu Aug 1 12:47:21 bastion LinuxCommandsWazuh: User root [426376]: 54 cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64 Aug 1 12:47:31 bastion LinuxCommandsWazuh: User root [426376]: 55 mkdir /var/chroot/etc Aug 1 12:47:35 bastion LinuxCommandsWazuh: User root [426376]: 56 cp /etc/{passwd,group} /var/chroot/etc Aug 1 12:48:23 bastion LinuxCommandsWazuh: User root [426376]: 57 sudo nano /etc/ssh/sshd_config Aug 1 12:48:31 bastion LinuxCommandsWazuh: User root [426376]: 58 systemctl restart sshd Aug 1 12:48:40 bastion LinuxCommandsWazuh: User root [426376]: 59 mkdir -p /var/chroot/home/ak Aug 1 12:48:45 bastion LinuxCommandsWazuh: User root [426376]: 60 chown example:example /var/chroot/home/example Aug 1 12:48:59 bastion LinuxCommandsWazuh: User root [426376]: 61 chown ak:ak /var/chroot/home/ak Aug 1 12:49:04 bastion LinuxCommandsWazuh: User root [426376]: 62 chmod 700 /var/chroot/home/ak Aug 1 12:49:21 bastion LinuxCommandsWazuh: User root [426376]: 63 vi t.sh Aug 1 12:49:36 bastion LinuxCommandsWazuh: User root [426376]: 64 chmod +x t.sh Aug 1 12:50:10 bastion LinuxCommandsWazuh: User root [426376]: 65 ./t.sh /bin/{chsh,ls,cat,echo,rm,vi,date,mkdir,whoami,sed,logger} Aug 1 12:57:53 bastion LinuxCommandsWazuh: User ak [426172]: 113 cat /etc/profile Aug 1 12:57:53 bastion LinuxCommandsWazuh: message repeated 2 times: [ User ak [426172]: 113 cat /etc/profile] Aug 1 12:57:54 bastion LinuxCommandsWazuh: User ubuntu [426140]: 34 sudo su ak Aug 1 12:57:55 bastion LinuxCommandsWazuh: User ak [426723]: 114 exit Aug 1 12:57:57 bastion LinuxCommandsWazuh: User ubuntu [426140]: 34 sudo su ak Aug 1 12:59:15 bastion LinuxCommandsWazuh: User root [426376]: 66 cat /home/ak/.bashrc Aug 1 12:59:16 bastion LinuxCommandsWazuh: message repeated 2 times: [ User root [426376]: 66 cat /home/ak/.bashrc] Aug 1 12:59:37 bastion LinuxCommandsWazuh: User root [426376]: 67 sudo chown ak:ak /var/chroot/home/ak/.bashrc /var/chroot/home/ak/.bash_p Aug 1 12:59:46 bastion LinuxCommandsWazuh: User root [426376]: 68 sudo chown ak:ak /var/chroot/home/ak/.bashrc Aug 1 12:59:51 bastion LinuxCommandsWazuh: User root [426376]: 69 ls Aug 1 12:59:52 bastion LinuxCommandsWazuh: User root [426376]: 70 cd .. Aug 1 12:59:52 bastion LinuxCommandsWazuh: User root [426376]: 71 ls Aug 1 12:59:54 bastion LinuxCommandsWazuh: User root [426376]: 72 cd home/ Aug 1 12:59:54 bastion LinuxCommandsWazuh: User root [426376]: 73 ls Aug 1 12:59:57 bastion LinuxCommandsWazuh: User root [426376]: 74 cd ak/ Aug 1 13:10:13 bastion LinuxCommandsWazuh: User root [426376]: 75 cd Aug 1 13:10:18 bastion LinuxCommandsWazuh: User root [426376]: 76 cd /etc Aug 1 13:10:26 bastion LinuxCommandsWazuh: User root [426376]: 77 cat profile Aug 1 13:10:49 bastion LinuxCommandsWazuh: User root [426376]: 78 vi profile Aug 1 13:12:46 bastion LinuxCommandsWazuh: User root [426376]: 78 vi profile Aug 1 13:12:46 bastion LinuxCommandsWazuh: User root [426376]: 79 cd Aug 1 13:12:47 bastion LinuxCommandsWazuh: User root [426376]: 80 ls Aug 1 13:12:49 bastion LinuxCommandsWazuh: User root [426376]: 81 cd /home/ Aug 1 13:12:49 bastion LinuxCommandsWazuh: User root [426376]: 82 ls Aug 1 13:12:50 bastion LinuxCommandsWazuh: User root [426376]: 83 cd ak/ Aug 1 13:12:51 bastion LinuxCommandsWazuh: User root [426376]: 84 ls Aug 1 13:12:55 bastion LinuxCommandsWazuh: User root [426376]: 85 cp .bashrc /var/chroot/home/ak Aug 1 13:13:09 bastion LinuxCommandsWazuh: User root [426376]: 86 cd Aug 1 13:13:09 bastion LinuxCommandsWazuh: User root [426376]: 87 ls Aug 1 13:13:12 bastion LinuxCommandsWazuh: User root [426376]: 88 cd /var/ Aug 1 13:13:12 bastion LinuxCommandsWazuh: User root [426376]: 89 ls Aug 1 13:13:13 bastion LinuxCommandsWazuh: User root [426376]: cd chroot/ Aug 1 13:13:14 bastion LinuxCommandsWazuh: User root [426376]: 1 ls Aug 1 13:13:15 bastion LinuxCommandsWazuh: User root [426376]: 2 cd en Aug 1 13:13:17 bastion LinuxCommandsWazuh: User root [426376]: 3 cd etc/ Aug 1 13:13:17 bastion LinuxCommandsWazuh: User root [426376]: 4 ls Aug 1 13:13:19 bastion LinuxCommandsWazuh: User root [426376]: 5 cd Aug 1 13:13:36 bastion LinuxCommandsWazuh: User root [426376]: 6 cp /etc/profile /var/chroot/etc/ Aug 1 13:13:56 bastion LinuxCommandsWazuh: User root [426376]: 6 cp /etc/profile /var/chroot/etc/ Aug 1 13:13:57 bastion LinuxCommandsWazuh: message repeated 2 times: [ User root [426376]: 6 cp /etc/profile /var/chroot/etc/] Aug 1 13:13:58 bastion LinuxCommandsWazuh: User root [426376]: 7 cd Aug 1 13:13:58 bastion LinuxCommandsWazuh: User root [426376]: 8 ls Aug 1 13:14:02 bastion LinuxCommandsWazuh: User root [426376]: cd /etc/ Aug 1 13:14:24 bastion LinuxCommandsWazuh: User root [426376]: 100 sudo vi profile Aug 1 13:14:39 bastion LinuxCommandsWazuh: User root [426376]: 101 rm /var/chroot/etc/profile Aug 1 13:14:57 bastion LinuxCommandsWazuh: User root [426376]: 102 cd Aug 1 13:15:15 bastion LinuxCommandsWazuh: User root [426376]: 103 cd /var/chroot/home/ak/ Aug 1 13:15:15 bastion LinuxCommandsWazuh: User root [426376]: 104 ls Aug 1 13:15:33 bastion LinuxCommandsWazuh: User root [426376]: 105 vi .bash_profile Aug 1 13:16:03 bastion LinuxCommandsWazuh: User root [426376]: 106 sudo chown ak:ak /home/ak/.bashrc /home/ak/.bash_profile Aug 1 13:16:03 bastion LinuxCommandsWazuh: User root [426376]: 107 sudo chmod 644 /home/ak/.bashrc /home/ak/.bash_profile Aug 1 13:16:20 bastion LinuxCommandsWazuh: User root [426376]: 108 sudo chmod 644 /var/chroot/home/ak/.bashrc /var/chroot/home/ak/.bash_profile Aug 1 13:16:54 bastion LinuxCommandsWazuh: User root [426376]: 109 sudo chown ak:ak /var/chroot/home/ak/.bashrc /var/chroot/home/ak/.bash_profile Aug 1 13:16:55 bastion LinuxCommandsWazuh: User root [426376]: 110 sudo chmod 644 /var/chroot/home/ak/.bashrc /var/chroot/home/ak/.bash_profile Aug 1 13:17:14 bastion LinuxCommandsWazuh: User root [426376]: 111 grep ^ak: /etc/passwd Aug 1 13:17:40 bastion LinuxCommandsWazuh: User root [426376]: 112 cp /etc/{passwd,group} /var/chroot/etc Aug 1 13:20:17 bastion LinuxCommandsWazuh: User root [426376]: 113 sudo chroot /var/chroot /bin/bash Aug 1 13:20:25 bastion LinuxCommandsWazuh: User root [426376]: 114 chown ak:ak /var/chroot/home/ak Aug 1 13:23:44 bastion LinuxCommandsWazuh: User root [426376]: 114 chown ak:ak /var/chroot/home/ak Aug 1 13:23:44 bastion LinuxCommandsWazuh: message repeated 2 times: [ User root [426376]: 114 chown ak:ak /var/chroot/home/ak] Aug 1 13:23:56 bastion LinuxCommandsWazuh: User root [426376]: 115 chmod 644 /var/chroot/etc/passwd Aug 1 13:27:34 bastion LinuxCommandsWazuh: User root [426376]: 116 cd .. Aug 1 13:27:41 bastion LinuxCommandsWazuh: message repeated 3 times: [ User root [426376]: 116 cd ..] Aug 1 13:27:43 bastion LinuxCommandsWazuh: User root [426376]: 117 ls Aug 1 13:28:05 bastion LinuxCommandsWazuh: User root [426376]: 118 rm -rf /var/chroot/ Aug 1 13:28:08 bastion LinuxCommandsWazuh: User root [426376]: 119 cd Aug 1 13:28:08 bastion LinuxCommandsWazuh: User root [426376]: 120 ls Aug 1 13:28:32 bastion LinuxCommandsWazuh: User root [426376]: 121 sudo nano /etc/ssh/sshd_config Aug 1 13:30:09 bastion LinuxCommandsWazuh: User root [426376]: 122 systemctl restart sshd Aug 1 13:30:12 bastion LinuxCommandsWazuh: User ak [428107]: 114 exit Aug 1 13:30:13 bastion LinuxCommandsWazuh: message repeated 3 times: [ User ak [428107]: 114 exit] Aug 1 13:30:16 bastion LinuxCommandsWazuh: User root [426376]: 122 systemctl restart sshd Aug 1 13:30:16 bastion LinuxCommandsWazuh: message repeated 2 times: [ User root [426376]: 122 systemctl restart sshd] Aug 1 13:32:36 bastion LinuxCommandsWazuh: User root [426376]: 123 mkdir /var/chroot Aug 1 13:32:41 bastion LinuxCommandsWazuh: User root [426376]: 124 mkdir /var/chroot/dev Aug 1 13:32:44 bastion LinuxCommandsWazuh: User root [426376]: 125 cd /var/chroot/dev Aug 1 13:32:49 bastion LinuxCommandsWazuh: User root [426376]: 126 mknod -m 666 null c 1 3 Aug 1 13:32:53 bastion LinuxCommandsWazuh: User root [426376]: 127 mknod -m 666 tty c 5 0 Aug 1 13:32:57 bastion LinuxCommandsWazuh: User root [426376]: 128 mknod -m 666 zero c 1 5 Aug 1 13:33:01 bastion LinuxCommandsWazuh: User root [426376]: 129 mknod -m 666 random c 1 8 Aug 1 13:33:07 bastion LinuxCommandsWazuh: User root [426376]: 130 chown root:root /var/chroot Aug 1 13:33:10 bastion LinuxCommandsWazuh: User root [426376]: 131 chmod 755 /var/chroot Aug 1 13:33:14 bastion LinuxCommandsWazuh: User root [426376]: 132 mkdir /var/chroot/bin Aug 1 13:33:18 bastion LinuxCommandsWazuh: User root [426376]: 133 v Aug 1 13:33:19 bastion LinuxCommandsWazuh: User root [426376]: 134 cp /bin/bash /var/chroot/bin Aug 1 13:33:26 bastion LinuxCommandsWazuh: User root [426376]: 135 ldd /bin/bash Aug 1 13:33:35 bastion LinuxCommandsWazuh: User root [426376]: 136 mkdir -p /var/chroot/lib/x86_64-linux-gnu /var/chroot/lib64 Aug 1 13:33:48 bastion LinuxCommandsWazuh: User root [426376]: 137 cp /lib/x86_64-linux-gnu/{libtinfo.so.6,libdl.so.2,libc.so.6} /var/chroot/lib/x86_64-linux-gnu Aug 1 13:33:54 bastion LinuxCommandsWazuh: User root [426376]: 138 cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64 Aug 1 13:34:02 bastion LinuxCommandsWazuh: User root [426376]: 139 mkdir /var/chroot/etc Aug 1 13:34:06 bastion LinuxCommandsWazuh: User root [426376]: 140 cp /etc/{passwd,group} /var/chroot/etc Aug 1 13:34:27 bastion LinuxCommandsWazuh: User root [426376]: 141 sudo nano /etc/ssh/sshd_config Aug 1 13:34:34 bastion LinuxCommandsWazuh: User root [426376]: 142 systemctl restart sshd Aug 1 13:34:41 bastion LinuxCommandsWazuh: User root [426376]: 143 mkdir -p /var/chroot/home/ak Aug 1 13:34:57 bastion LinuxCommandsWazuh: User root [426376]: 144 chown ak:ak /var/chroot/home/ak Aug 1 13:35:04 bastion LinuxCommandsWazuh: User root [426376]: 145 chmod 700 /var/chroot/home/ak Aug 1 13:35:18 bastion LinuxCommandsWazuh: User root [426376]: 146 vi t.sh Aug 1 13:35:24 bastion LinuxCommandsWazuh: User root [426376]: 147 chmod +x t.sh Aug 1 13:35:28 bastion LinuxCommandsWazuh: User root [426376]: 148 ./t.sh /bin/{chsh,ls,cat,echo,rm,vi,date,mkdir,whoami,sed,logger} Aug 1 13:39:33 bastion LinuxCommandsWazuh: User root [426376]: 149 cd .. Aug 1 13:39:37 bastion LinuxCommandsWazuh: User root [426376]: 150 cd /home/ak/ Aug 1 13:39:38 bastion LinuxCommandsWazuh: User root [426376]: 151 cp .bashrc /var/chroot/home/ak Aug 1 13:39:45 bastion LinuxCommandsWazuh: User root [426376]: 152 cd /var/chroot/dev/ Aug 1 13:39:46 bastion LinuxCommandsWazuh: User root [426376]: 153 s Aug 1 13:39:47 bastion LinuxCommandsWazuh: User root [426376]: 154 ls Aug 1 13:40:33 bastion LinuxCommandsWazuh: User root [426376]: 155 [ -f ~/.bashrc ] && . ~/.bashrc Aug 1 13:41:06 bastion LinuxCommandsWazuh: User root [426376]: 156 cd .. Aug 1 13:41:07 bastion LinuxCommandsWazuh: User root [426376]: 157 cd home/ Aug 1 13:41:07 bastion LinuxCommandsWazuh: User root [426376]: 158 ls Aug 1 13:41:09 bastion LinuxCommandsWazuh: User root [426376]: 159 cd ak/ Aug 1 13:41:09 bastion LinuxCommandsWazuh: User root [426376]: 160 ls Aug 1 13:41:31 bastion LinuxCommandsWazuh: User root [426376]: 161 sudo vi .bash_profile Aug 1 13:42:57 bastion LinuxCommandsWazuh: User root [426376]: 162 chown ak:ak /var/chroot/home/ak Aug 1 13:43:10 bastion LinuxCommandsWazuh: User root [426376]: 163 cp /etc/{passwd,group} /var/chroot/etc Aug 1 13:43:21 bastion LinuxCommandsWazuh: User root [426376]: 164 chown ak:ak /var/chroot/etc Aug 1 13:44:20 bastion LinuxCommandsWazuh: User root [426376]: 165 sudo chown root:root /var/chroot/etc/passwd Aug 1 13:44:31 bastion LinuxCommandsWazuh: User root [426376]: 166 sudo chown root:root /var/chroot/etc/group Aug 1 13:44:41 bastion LinuxCommandsWazuh: User root [426376]: 167 sudo chmod 644 /var/chroot/etc/passwd Aug 1 13:44:47 bastion LinuxCommandsWazuh: User root [426376]: 168 ldd /bin/bash Aug 1 13:45:01 bastion LinuxCommandsWazuh: User root [426376]: 169 sudo chown ak:ak /var/chroot/home/ak Aug 1 13:45:12 bastion LinuxCommandsWazuh: User root [426376]: 170 sudo chroot /var/chroot/ su - ak Aug 1 13:45:18 bastion LinuxCommandsWazuh: User root [426376]: 170 sudo chroot /var/chroot/ su - ak Aug 1 13:46:25 bastion LinuxCommandsWazuh: User root [426376]: 171 grep /var/chroot/etc/passwd Aug 1 13:46:29 bastion LinuxCommandsWazuh: User root [426376]: 172 grep ak /var/chroot/etc/passwd Aug 1 13:46:35 bastion LinuxCommandsWazuh: User root [426376]: 173 grep ak /var/chroot/etc/group Aug 1 13:47:23 bastion LinuxCommandsWazuh: User root [426376]: 174 sudo chmod 644 /var/chroot/etc/passwd Aug 1 13:47:23 bastion LinuxCommandsWazuh: User root [426376]: 175 sudo chmod 644 /var/chroot/etc/group Aug 1 13:47:27 bastion LinuxCommandsWazuh: User root [426376]: 176 ldd /bin/bash Aug 1 13:47:37 bastion LinuxCommandsWazuh: User root [426376]: 177 sudo mkdir -p /var/chroot/lib/x86_64-linux-gnu Aug 1 13:47:41 bastion LinuxCommandsWazuh: User root [426376]: 178 sudo mkdir -p /var/chroot/lib64 Aug 1 13:47:44 bastion LinuxCommandsWazuh: User root [426376]: 179 sudo cp -v /lib/x86_64-linux-gnu/{libtinfo.so.6,libdl.so.2,libc.so.6} /var/chroot/lib/x86_64-linux-gnu/ Aug 1 13:47:48 bastion LinuxCommandsWazuh: User root [426376]: 180 sudo cp -v /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/ Aug 1 13:47:52 bastion LinuxCommandsWazuh: User root [426376]: 180 sudo cp -v /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/ Aug 1 13:48:06 bastion LinuxCommandsWazuh: User root [426376]: 181 sudo cp /bin/bash /var/chroot/bin/ Aug 1 13:48:16 bastion LinuxCommandsWazuh: User root [426376]: 181 sudo cp /bin/bash /var/chroot/bin/ Aug 1 13:48:23 bastion LinuxCommandsWazuh: User root [426376]: 182 sudo mkdir -p /var/chroot/home/ak Aug 1 13:48:26 bastion LinuxCommandsWazuh: User root [426376]: 183 sudo chown ak:ak /var/chroot/home/ak Aug 1 13:48:38 bastion LinuxCommandsWazuh: User root [426376]: 184 sudo chroot /var/chroot /bin/bash Aug 1 13:50:02 bastion LinuxCommandsWazuh: User root [426376]: 185 ls -l /etc/{passwd,shadow} Aug 1 13:50:37 bastion LinuxCommandsWazuh: User root [426376]: 186 chmod 644 /var/chroot/etc/passwd Aug 1 13:51:00 bastion LinuxCommandsWazuh: User root [426376]: 187 ls -l /var/chroot/etc/{passwd,shadow} Aug 1 15:29:08 bastion LinuxCommandsWazuh: User ubuntu [429978]: 36 sudo su Aug 1 15:29:11 bastion LinuxCommandsWazuh: User root [429994]: 187 ls -l /var/chroot/etc/{passwd,shadow} Aug 1 15:29:42 bastion LinuxCommandsWazuh: message repeated 3 times: [ User root [429994]: 187 ls -l /var/chroot/etc/{passwd,shadow}] Aug 1 15:29:56 bastion LinuxCommandsWazuh: User root [429994]: 188 cp /etc/shadow /var/chroot/etc/ Aug 1 15:30:01 bastion LinuxCommandsWazuh: User root [429994]: 189 ls -l /var/chroot/etc/{passwd,shadow} Aug 1 15:30:29 bastion LinuxCommandsWazuh: User root [429994]: 189 ls -l /var/chroot/etc/{passwd,shadow} Aug 1 15:31:35 bastion LinuxCommandsWazuh: User root [429994]: 190 sudo chown 0:shadow /var/chroot/etc/shadow Aug 1 15:31:35 bastion LinuxCommandsWazuh: User root [429994]: 191 sudo chmod 640 /var/chroot/etc/shadow Aug 1 15:31:37 bastion LinuxCommandsWazuh: User root [429994]: 192 ls -l /var/chroot/etc/{passwd,shadow} Aug 1 15:33:06 bastion LinuxCommandsWazuh: User root [429994]: 192 ls -l /var/chroot/etc/{passwd,shadow} Aug 1 15:33:07 bastion LinuxCommandsWazuh: User root [429994]: 193 sudo cp /etc/nsswitch.conf /var/chroot/etc/nsswitch.conf Aug 1 15:33:17 bastion LinuxCommandsWazuh: User root [429994]: 194 sudo mkdir -p /var/chroot/lib/x86_64-linux-gnu Aug 1 15:33:23 bastion LinuxCommandsWazuh: User root [429994]: 195 sudo cp /lib/x86_64-linux-gnu/libnss_files.so.2 /var/chroot/lib/x86_64-linux-gnu/ Aug 1 15:33:30 bastion LinuxCommandsWazuh: User root [429994]: 196 sudo chmod 644 /var/chroot/etc/passwd Aug 1 15:33:30 bastion LinuxCommandsWazuh: User root [429994]: 197 sudo chmod 644 /var/chroot/etc/group Aug 1 15:34:27 bastion LinuxCommandsWazuh: User root [429994]: 197 sudo chmod 644 /var/chroot/etc/group Aug 1 15:34:27 bastion LinuxCommandsWazuh: message repeated 2 times: [ User root [429994]: 197 sudo chmod 644 /var/chroot/etc/group] Aug 1 15:34:45 bastion LinuxCommandsWazuh: User root [429994]: 198 cp /etc/profile /var/chroot/etc/ Aug 1 15:35:06 bastion LinuxCommandsWazuh: User root [429994]: 199 sudo vi /etc/profile Aug 1 15:35:11 bastion LinuxCommandsWazuh: User root [429994]: 200 cp /etc/profile /var/chroot/etc/ Aug 1 15:35:29 bastion LinuxCommandsWazuh: User root [429994]: 201 ls Aug 1 15:36:01 bastion LinuxCommandsWazuh: User root [429994]: 201 ls Aug 1 15:36:07 bastion LinuxCommandsWazuh: User root [429994]: 202 cd /var/chroot/home/ak/ Aug 1 15:36:08 bastion LinuxCommandsWazuh: User root [429994]: 203 ls Aug 1 15:36:09 bastion LinuxCommandsWazuh: User root [429994]: 204 cd .. Aug 1 15:36:12 bastion LinuxCommandsWazuh: User root [429994]: 205 cd /etc/ Aug 1 15:36:12 bastion LinuxCommandsWazuh: User root [429994]: 206 ls Aug 1 15:36:14 bastion LinuxCommandsWazuh: User root [429994]: 207 cd Aug 1 15:36:15 bastion LinuxCommandsWazuh: User root [429994]: 208 ls Aug 1 15:36:19 bastion LinuxCommandsWazuh: User root [429994]: 209 cd /var/chroot/etc/ Aug 1 15:36:19 bastion LinuxCommandsWazuh: User root [429994]: 210 ls Aug 1 15:36:38 bastion LinuxCommandsWazuh: User root [429994]: 211 vi profile Aug 1 15:36:58 bastion LinuxCommandsWazuh: User root [429994]: 212 cd /etc/ Aug 1 15:37:01 bastion LinuxCommandsWazuh: User root [429994]: 213 cd records/ Aug 1 15:37:01 bastion LinuxCommandsWazuh: User root [429994]: 214 ls Aug 1 15:37:07 bastion LinuxCommandsWazuh: User root [429994]: 215 ls -ltr Aug 1 15:37:44 bastion LinuxCommandsWazuh: User root [429994]: 215 ls -ltr Aug 1 15:38:06 bastion LinuxCommandsWazuh: User root [429994]: 215 ls -ltr Aug 1 15:38:07 bastion LinuxCommandsWazuh: User root [429994]: 216 ls Aug 1 15:38:11 bastion LinuxCommandsWazuh: User root [429994]: 217 cd /var/chroot/dev/ Aug 1 15:38:19 bastion LinuxCommandsWazuh: User root [429994]: 218 ./t.sh /bin/{script,chsh,ls,cat,echo,rm,vi,date,mkdir,whoami,sed,logger} Aug 1 15:40:16 bastion LinuxCommandsWazuh: User root [429994]: 219 sudo mknod -m 666 /var/chroot/dev/null c 1 3 Aug 1 15:40:16 bastion LinuxCommandsWazuh: User root [429994]: 220 sudo mknod -m 666 /var/chroot/dev/zero c 1 5 Aug 1 15:40:17 bastion LinuxCommandsWazuh: User root [429994]: 221 sudo mknod -m 666 /var/chroot/dev/random c 1 8 Aug 1 15:40:17 bastion LinuxCommandsWazuh: User root [429994]: 222 sudo mknod -m 666 /var/chroot/dev/urandom c 1 9 Aug 1 15:40:17 bastion LinuxCommandsWazuh: User root [429994]: 223 sudo mknod -m 666 /var/chroot/dev/tty c 5 0 Aug 1 15:40:17 bastion LinuxCommandsWazuh: User root [429994]: 224 sudo mknod -m 666 /var/chroot/dev/ptmx c 5 2 Aug 1 15:40:17 bastion LinuxCommandsWazuh: User root [429994]: 225 sudo mknod -m 666 /var/chroot/dev/tty0 c 4 0 Aug 1 15:40:17 bastion LinuxCommandsWazuh: User root [429994]: 226 sudo mknod -m 666 /var/chroot/dev/tty1 c 4 1 Aug 1 15:40:18 bastion LinuxCommandsWazuh: User root [429994]: 227 sudo mknod -m 666 /var/chroot/dev/ttyS0 c 4 64 Aug 1 15:40:43 bastion LinuxCommandsWazuh: User ubuntu [431200]: 37 sudo su Aug 1 15:40:46 bastion LinuxCommandsWazuh: User root [431213]: 227 sudo mknod -m 666 /var/chroot/dev/ttyS0 c 4 64 Aug 1 15:40:47 bastion LinuxCommandsWazuh: User root [431213]: 228 sudo mount -t devpts none /var/chroot/dev/pts Aug 1 15:40:55 bastion LinuxCommandsWazuh: User root [431213]: 229 cd /var/chroot/dev/ Aug 1 15:40:56 bastion LinuxCommandsWazuh: User root [431213]: 230 ls Aug 1 15:41:46 bastion LinuxCommandsWazuh: User root [431213]: 231 sudo mkdir -p /var/chroot/dev/pts Aug 1 15:41:50 bastion LinuxCommandsWazuh: User root [431213]: 232 sudo mount -t devpts none /var/chroot/dev/pts Aug 1 15:42:00 bastion LinuxCommandsWazuh: User root [431213]: 233 sudo mount --bind /dev /var/chroot/dev Aug 1 15:42:25 bastion LinuxCommandsWazuh: User root [431213]: 234 sudo mkdir -p /var/chroot/home/ak Aug 1 15:42:25 bastion LinuxCommandsWazuh: User root [431213]: 235 sudo chown ak:ak /var/chroot/home/ak Aug 1 15:43:42 bastion LinuxCommandsWazuh: User root [431213]: 236 mount -t devpts devpts /var/chroot/dev/pts Aug 1 15:44:38 bastion LinuxCommandsWazuh: User root [431213]: 237 ./t.sh /bin/{scriptreplay,script,chsh,ls,cat,echo,rm,vi,date,mkdir,whoami,sed,logger} Aug 1 15:56:38 bastion LinuxCommandsWazuh: User ubuntu [431877]: 38 sudo su Aug 1 15:56:39 bastion LinuxCommandsWazuh: User root [431890]: 237 ./t.sh /bin/{scriptreplay,script,chsh,ls,cat,echo,rm,vi,date,mkdir,whoami,sed,logger} Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 238 sudo mkdir -p /var/chroot/dev Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 239 sudo mknod -m 666 /var/chroot/dev/null c 1 3 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 240 sudo mknod -m 666 /var/chroot/dev/zero c 1 5 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 241 sudo mknod -m 666 /var/chroot/dev/random c 1 8 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 242 sudo mknod -m 666 /var/chroot/dev/urandom c 1 9 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 243 sudo mknod -m 666 /var/chroot/dev/tty c 5 0 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 244 sudo mknod -m 666 /var/chroot/dev/ptmx c 5 2 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 245 sudo mknod -m 666 /var/chroot/dev/tty0 c 4 0 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 246 sudo mknod -m 666 /var/chroot/dev/tty1 c 4 1 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 247 sudo mknod -m 666 /var/chroot/dev/ttyS0 c 4 64 Aug 1 15:56:40 bastion LinuxCommandsWazuh: User root [431890]: 247 sudo mknod -m 666 /var/chroot/dev/ttyS0 c 4 64 Aug 1 15:56:41 bastion LinuxCommandsWazuh: User root [431890]: 248 sudo mkdir -p /var/chroot/dev/pts Aug 1 15:56:41 bastion LinuxCommandsWazuh: User root [431890]: 249 sudo mknod -m 666 /var/chroot/dev/console c 5 1 Aug 1 15:56:48 bastion LinuxCommandsWazuh: User root [431890]: 250 sudo ln -sf /proc/self/fd/0 /var/chroot/dev/stdin Aug 1 15:56:48 bastion LinuxCommandsWazuh: User root [431890]: 251 sudo ln -sf /proc/self/fd/1 /var/chroot/dev/stdout Aug 1 15:56:48 bastion LinuxCommandsWazuh: User root [431890]: 252 sudo ln -sf /proc/self/fd/2 /var/chroot/dev/stderr Aug 1 15:57:50 bastion LinuxCommandsWazuh: User root [431890]: 253 sudo ln -sf /proc/self/fd/0 /var/chroot/dev/stdin Aug 1 15:57:50 bastion LinuxCommandsWazuh: User root [431890]: 254 sudo ln -sf /proc/self/fd/1 /var/chroot/dev/stdout Aug 1 15:57:50 bastion LinuxCommandsWazuh: User root [431890]: 255 sudo ln -sf /proc/self/fd/2 /var/chroot/dev/stderr Aug 1 15:58:22 bastion LinuxCommandsWazuh: User root [431890]: 256 sudo ln -sf /proc/self/fd/0 /var/chroot/dev/stdin Aug 1 15:58:22 bastion LinuxCommandsWazuh: User root [431890]: 257 sudo ln -sf /proc/self/fd/1 /var/chroot/dev/stdout Aug 1 15:58:22 bastion LinuxCommandsWazuh: User root [431890]: 258 sudo ln -sf /proc/self/fd/2 /var/chroot/dev/stderr Aug 1 15:58:26 bastion LinuxCommandsWazuh: User root [431890]: 259 sudo mkdir -p /var/chroot/home/ak Aug 1 15:58:26 bastion LinuxCommandsWazuh: User root [431890]: 260 sudo chown ak:ak /var/chroot/home/ak Aug 1 15:59:24 bastion LinuxCommandsWazuh: User root [431890]: 261 ls Aug 1 15:59:31 bastion LinuxCommandsWazuh: User root [431890]: 262 cd /var/chroot/dev/ Aug 1 15:59:32 bastion LinuxCommandsWazuh: User root [431890]: 263 ls Aug 1 16:00:17 bastion LinuxCommandsWazuh: User root [431890]: 264 sudo mount -t devpts devpts /var/chroot/dev/pts Aug 1 16:00:21 bastion LinuxCommandsWazuh: User root [431890]: 264 sudo mount -t devpts devpts /var/chroot/dev/pts Aug 1 16:00:23 bastion LinuxCommandsWazuh: User root [431890]: 265 sudo mount --bind /dev /var/chroot/dev Aug 1 16:00:29 bastion LinuxCommandsWazuh: User root [431890]: 266 sudo mount -t proc proc /var/chroot/proc Aug 1 16:00:43 bastion LinuxCommandsWazuh: User root [431890]: 267 sudo mkdir -p /var/chroot/dev/proc Aug 1 16:00:44 bastion LinuxCommandsWazuh: User root [431890]: 268 sudo mount -t proc proc /var/chroot/proc Aug 1 16:01:25 bastion LinuxCommandsWazuh: User root [431890]: 269 mount -t devpts devpts /var/chroot/dev/pts Aug 1 16:02:28 bastion LinuxCommandsWazuh: User root [431890]: 270 sudo chown ak:ak /var/chroot/dev/stderr