
It was an internal system. We noticed with 'netstat' that it had a connection to an outside system. 'who' told us it was the account setup for Huawei remote support, and the IP address told us indeed that it was from a Huawei network.

The SQL query took 15 minutes to run. We saw it using 'ps'.

We then kept dumping their '.bash_history'.




That's weird. Bash_history doesn't usually get flushed for every command you run; only when you exit an interactive shell. If you `kill -9 $$` or erase the .bash_history file and create it as a directory, it loses the history. The exception is if you create a custom PROMPT_COMMAND="history -a; history -n", which would append on each new bash prompt. (You'd think a hacker would know these things...?)

As an alternative to dumping history, if your system has perl and strace and you want to watch a live ssh or bash session, I wrote a script that will do that. https://github.com/psypete/public-bin/blob/public-bin/src/sy...


That "history -a" bit is extremely common if the environment has shared storage like NFS in use or multiple shells are common. It would not surprise me at all to see it on by default on an account used for debugging / support purposes as a cheap audit measure.


It seems hard to believe someone doing something like this would not at least try to cover their tracks.

  export HISTSIZE=0?
And how do you know these were unmodified versions of netstat, who and ps that you ran?

Do they have mtree in this OS?

I'm no security expert but this little story just sounds very unsophisticated given the seriousness you are attributing to it.
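The question raised in this comment, whether the netstat, who and ps that were run are the unmodified binaries, is what a manifest tool such as mtree answers: record a digest and metadata for each file while the system is known-good, keep that manifest where the host cannot rewrite it, and compare later. The following is an added example, not code from anyone in this thread, showing the same idea in plain Python. The directory and the three stand-in "tools" are constructed for the demo; in practice the manifest would cover the real system binaries and live off-host or on read-only media, and a compromised kernel could still lie to any userland check like this one.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names):
    """Record digest, size and permission bits for each named file under root."""
    manifest = {}
    for name in names:
        p = Path(root) / name
        st = p.lstat()
        manifest[name] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return manifest


def verify_manifest(root, manifest):
    """Compare the files under root against a stored manifest.

    Returns {name: "missing"} or {name: "sha256,size,mode"} listing only the
    attributes that no longer match; an empty dict means everything checked out.
    """
    findings = {}
    for name, expected in manifest.items():
        p = Path(root) / name
        if not p.exists():
            findings[name] = "missing"
            continue
        st = p.lstat()
        problems = []
        if file_digest(p) != expected["sha256"]:
            problems.append("sha256")
        if st.st_size != expected["size"]:
            problems.append("size")
        if oct(st.st_mode & 0o7777) != expected["mode"]:
            problems.append("mode")
        if problems:
            findings[name] = ",".join(problems)
    return findings


def demo():
    """Constructed scenario: baseline three fake tools, then tamper with two of them."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for the binaries discussed in the thread.
        tools = {
            "netstat": b"#!/bin/sh\necho real netstat\n",
            "who": b"#!/bin/sh\necho real who\n",
            "ps": b"#!/bin/sh\necho real ps\n",
        }
        for name, body in tools.items():
            (Path(root) / name).write_bytes(body)

        manifest = build_manifest(root, list(tools))
        clean = verify_manifest(root, manifest)  # expected: {}

        # Replace ps with a same-length body: a size-only check would miss this,
        # the digest does not. Delete who entirely.
        (Path(root) / "ps").write_bytes(b"#!/bin/sh\necho fake ps\n")
        (Path(root) / "who").unlink()
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean baseline:", before)
    print("after tampering:", after)
```

The same-length replacement of `ps` is the reason the manifest carries a digest and not just size and mode: size and timestamps are trivial to preserve, a SHA-256 is not. A manifest that lives on the same host, writable by the same account that could have swapped the binaries, proves nothing, which is why mtree-style checks are normally run against a copy kept elsewhere.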
