Page 1 of 1

Bash history mysteriously wiped?

Posted: Fri Mar 02, 2018 7:39 pm
by megosdog
Okay, I've got an honestly weird one that has never happened to me, and I just noticed that it happened. Anyhow, I'm one who never wipes his bash history. There's too many useful commands in there to do that. Anyhow, apparently several days ago my entire bash history got zeroed out. It appears to have been zeroed out sometime between my backups in the 24th of February and the 25th. The thing is, I didn't do it. So my only two thoughts are, someone somehow got into my system and did something, then wiped bash history to cover their tracks, or a recent update that pushed around the 24th or 25th did that. Since I see nothing else on my computer to make me think that I got hacked, so I'm wondering what could have deleted my bash history and why? I only ask because it seems so out of character for an update or something else to just completely purge the file like that unless it was someone covering their tracks. Anyone got any ideas?

Re: Bash histery mysteriously whipped?

Posted: Fri Mar 02, 2018 8:17 pm
by MrEen
I'm venturing into unfamiliar territory here, so I may be way off base, but:

Did you possibly play around a bit with your .bashrc file back then? Open the file with xed ~/.bashrc (replace xed with your text editor.) Find the lines that should look like this:
# append to the history file, don't overwrite it
shopt -s histappend

If that second line is commented out, that might explain what happened.

Re: Bash histery mysteriously whipped?

Posted: Sat Mar 03, 2018 12:37 am
by all41
Is it possible you have created or logged in as a different user?

Re: Bash histery mysteriously whipped?

Posted: Sat Mar 03, 2018 1:13 am
by megosdog
MrEen: Haven't touched that since way back in August when I did my latest system install. My current bashrc looks like this:

Code: Select all

alias du='du --max-depth=1'
alias locate='locate -i'
PS1="\[\033[1;31m\]\u@Desktop: \w\$\[\033[00m\] "
It'd been compiling bash_history entries right up until the 25th when it was wiped to zero. It's totally weird. I never touched the file at all. That's what's so baffling.

all41: Nope, same user as always. It's like everything in the file just went away and I don't know why. The only change I can think of around that time was that I was doing regular updates via the update manager.

Re: Bash histery mysteriously whipped?

Posted: Sat Mar 03, 2018 1:34 am
by all41
just a thought
does ~/.bash_history/Properties/Permissions show you as owner and group with read/write priveleges?

Re: Bash histery mysteriously whipped?

Posted: Sat Mar 03, 2018 9:56 am
by Mute Ant
"Bash histery mysteriously whipped?" Really? I shall set Special Agent Nomko to work on it...

Re: Bash history mysteriously wiped?

Posted: Sat Mar 03, 2018 1:56 pm
by phd21
Hi megosdog,

I just read your post and the good replies to it. Here are my thoughts on this as well.

Did you run any cleaning or space cleaning utilities, is your drive almost out of space, etc...?

FYI: Came across this great article on using bash history.

How To Use History Command Effectively In Linux | ... in-linux/#

You might be able to restore the bash history from a backup ...

Re: Bash histery mysteriously whipped?

Posted: Sat Mar 03, 2018 11:31 pm
by lmuserx4849
declare -p ${!HI@} PROMPT_COMMAND;shopt -p | grep hist

Take a look at the output from the above command.
You should see, output like:

export PROMPT_COMMAND='history -a;history -r'
shopt -s histappend

Beside something external, those are the options that would impact history. If you are using multiple terminals/tabs, double check $PROMPT_COMMAND.

Re: Bash history mysteriously wiped?

Posted: Sun Mar 04, 2018 12:39 am
by Arch_Enemy
Recent Documents...
Clear Recent Documents...

Also clears your BASH history...

Re: Bash history mysteriously wiped?

Posted: Sun Mar 04, 2018 11:47 am
by megosdog
all41, I'm owner and group has zero perms.

phd21, nope. no cleaner scripts and its got tons of space. As for restoring it from backup, that I have. I run a daily snapshot backup to my secondary drive. It's just that I've never had bash history wiped before. So I'm just trying to figure out if it was caused by something the system did, or if I need to look deeper. IE, like a hack or something. So far it's looking a lot like something the system did, but I'm not able to nail down just what. Honestly I'm more worried about someone having gotten in and then wiped the history file to cover their tracks. That was my biggest concern. However, so far that doesn't seem to be the case, so I'm just covering all avenues to be completely sure of that. :)

lmuserx4849, here's what I got from your command:
declare -i HISTCMD="32"
declare -- HISTFILE="/home/raiden/.bash_history"
declare -- HISTFILESIZE="500"
declare -- HISTSIZE="500"
bash: declare: PROMPT_COMMAND: not found
shopt -s cmdhist
shopt -u histappend
shopt -u histreedit
shopt -u histverify
shopt -u lithist

Thanks everyone for helping me track this down, and thanks to whoever fixed my post title too! lol

Re: Bash history mysteriously wiped?

Posted: Sun Mar 04, 2018 12:35 pm
by zimou13
The maximum number of lines contained in the history file. When this variable is assigned a value, the history file is truncated, if necesā€ sary, by removing the oldest entries, to contain no more than that number of lines. The default value is 500. The history file is also truncated to this size after writing it when an interactive shell exits.

Re: Bash history mysteriously wiped?

Posted: Sun Mar 04, 2018 3:43 pm
by lmuserx4849
Interesting. That doesn't look like the one installed by Linux Mint. When a new user is created /etc/skel/.bashrc is copied to that user's $HOME directory, so you can view that file to see the original content.

At a minimum, try:
HISTSIZE=1000 # in memory
HISTFILESIZE=2000 # on disk
shopt -s histappend

Consider bumping up HISTFILESIZE and HISTSIZE a lot. Setting them to a negative number makes them unlimited.

Reference: Bash Online Doc or command man bash.

Re: Bash history mysteriously wiped?

Posted: Thu Mar 08, 2018 12:15 am
by megosdog
Hmm, I've looked everywhere for why this happened, and I can't find anything. So I think at this point, to prevent this in the future, I need to implement "Bash eternal history" on my machine. We use it at work and it's priceless. So I think I'm going to start using it here. That way if this happens again I'll be able to go back and find out why....hopefully. If not, then I'll still be able to recover my bash history. ^_^