How to clean footprints in Linux

1. Minimize your logs
P.S. before accessing the target, I will not talk nonsense about using the springboard. If you are a VPN or 3389, you can use ssh for transit and proxy. Remember one thing-it's silly to directly connect to the attack target.
1.1 shell usage Problems
Currently, most shells in linux use bash or other shells to achieve interaction with the server through input/output redirection. When we use ssh or telnet for login, all our commands are recorded under the shell's history file. For example, bash will be in the current directory. in the bash_history file, record your login operation commands. If you use this machine as a stepping stone or scan other machines, your commands will be recorded. Well, the first thing we do to log on is to execute the following command:
Unset history histfile histsave histzone history histlog; export HISTFILE =/dev/null; export HISTSIZE = 0; export HISTFILESIZE = 0
Of course, different shell statements may be different, such as some set environment variables or something. You can modify it based on your own shell. Remember: The shells that bounce back from webshell will record your operations. Fortunately, many shell scripts have unset environment variables in advance.
We also need to remember some information that appears in the logon window during login, such as the IP address at which the user logs in, this will be used later for log clearing and modification.


As a stepping stone, we may need to use local ssh to access other machines, but what about the public key of other machines? Cannot be stored in the current user's directory? Of course, you can delete it after the event, but there is nothing more to do with it. Are you right?
Ssh-o UserKnownHostsFile =/dev/null-T user @ host/bin/bash-I
But when running some commands like this, you may be prompted that your stdin is not terminal. Here we can solve it like this:
Python-c import pty; pty. spawn ("/bin/sh") or create a ttyshell by yourself.
1.2 webshell Selection
Maybe the main goal of your daily life is to aim at webserver. The current web is also a breakthrough for most intrusions. In Linux, the most commonly used apache server is used. When we find a Server Vulnerability, we may need to upload a webshell to collect further operations and information on server files, some webshells also provide the reverse shell function. How to keep the smallest record in the log file of the apache server also requires further research. This usually happens when you do not have sufficient permissions to clear apache logs. If root is enabled, you can focus on clearing the second log. Generally, logs only record GET information, such as your injection, and you submit data in that way. If most of our webshells use the GET Method for interaction, it is easy to leave a lot of logs in the httpd access_log. These will be accepted as evidence in the future. Phpspy is a good choice. The author also paid attention to this and canceled the GET interaction and gave webshell a confusing name. In this way, our communication with webshell is more confidential.
2. Log clearing and rewriting
Log clearing and rewriting, commonly known as "wiping PP", is a very important process. Logs record your operation records on the target machine, and most of the intruders are identified by logs. Therefore, we need to perform operations on log files. If you have such a statement about log operations, it will not be cleared if you can modify it, so that the Administrator's doubts can be minimized. In Linux, most files are stored in text or in a simple structure, which provides a precondition for us to modify the specific content in a log record.
Note that we need to first check the log storage location. Some administrators will modify the log storage location. Generally, we can view/etc/syslog. conf to obtain the location where log files are stored. However, it should be noted that some administrators (and their responsibilities) will re-compile the syslogd file to re-specify the location where logs are stored. What should I do? In this case, you can use strings to view the/sbin/syslogd file. I have only seen this kind of administrator in the book, at least I have never met: P. This configuration file records the directories in which the system stores some logs, such as the secure file. Next we will clean up and modify logs based on this file.
The log clearing program code that can be publicly available on the Internet is rough. I have seen the most exaggerated log clearing code like this:
Rm-rf/var/log/lastlog; rm-rf/var/log/telnetd; rm-rf/var/run/utmp; rm-rf/var/log/secure; rm-rf/root /. ksh_history; rm-rf/root /. bash_history; rm-rf/root /. bash_logut; rm-rf/var/log/wtmp; rm-rf/etc/wtmp; rm-rf/var/run/utmp; rm-rf/etc/utmp; rm-rf/var/log; rm-rf/var/adm; rm-rf/var/apache/log; rm-rf/var/apache/logs; rm-rf/usr/local/apache/log; rm-rf/usr/local/apache/logs; rm-rf/var/log/acct; rm-rf/var/log/xferlog; rm-rf/var/log/messages; rm-rf/var/log/proftpd/xferlog. legacy; rm-rf/var/log/proftpd. access_log; rm-rf/var/log/proftpd. xferlog; rm-rf/var/log/httpd/error_log; rm-rf/var/log/httpd/access_log; rm-rf/etc/httpd/logs/access_log; rm-rf/etc/httpd/logs/error_log; rm-rf/var/log/news/suck. notice; rm-rf/var/spool/tmp; rm-rf/var/spool/errors; rm-rf/var/spool/logs; rm-rf/var/spool/locks; rm-rf/usr/local/www/logs/thttpd_log; rm-rf/var/log/thttpd_log; rm-rf/var/log/ncftpd/misclog.txt; rm-rf/var/log/ncftpd. errs; rm-rf/var/log/auth; rm-rf/root /. bash_history; touch/root /. bash_history; history-r
The entire rm collection, if the server has been running for a long time, has accumulated a lot of logs. If you delete it like this, you can help him save time, and he can easily see that someone has come in.
If you do not want to delete a file by using rm, it is not advisable to delete the file by using shred.
Shred-n 31337-z-u file_to_delete
In this way, multiple erasure operations are safe. Haha
The following is a detailed analysis of log files.
The W command provides the Administrator's ability to view the current Logon account. Therefore, it is very dangerous to work with the Administrator on the same platform. If you do not do this, you will not do it. However, some people once staged the local exp, install tty and the tmanager gets the logon password offline. How can I keep w from showing that you have logged on?
I won't talk nonsense about using rootkit. Here is a tip that even common users cannot log on to the Administrator:
Log on to the target ssh-T on the stepping stoneSomebody@1.1.1.1/Bin/bash-I can be used.
OK
The first concept is timstamp, which is what you see with ls-l. we have to pay attention to this time before modifying a LOG file or leaving a backdoor, many administrators like to use timestamp to find what intruders leave behind. Remember the following command
Touch-r has the file you want to change the time to make it consistent with the timestamp of the two files.
Before you modify the log, you can create a temporary file under/dev/shm, save the timestamp of the log, and then touch it back. The reason for using the/dev/shm directory is described in Section 3. Of course, we can also implement it using a program, but sometimes we will encounter a log type that we have never seen before, so sometimes we need to manually write the log. In addition to time, you also need to pay attention to other attributes of the file, such as the owner or whether there is a sticky bit. Pay attention to these issues.
Linux logs are scattered all over the system, and the system administrator can flexibly specify the location where logs are stored, which requires us to be very careful, it is unwise to use a common log removal or rewriting tool. Therefore, we need to have a comprehensive understanding of the log system to be modified. For more information, see Linux server log management.
A tool is provided here.
Html ">Http://lists.darklab.org/pipermail/darklab/2006-May/000234.html
How to use it. I personally prefer to use a specific purge or modifier for a log, which is more flexible.
We can also use the sed command line tool to clear some logs. Generally, I will modify the web logs as follows:
Touch/dev/shm/timestamp; touch-r access_log/dev/shm/timestamp; sed/192.168.44.1/d access_log>/dev/shm/backlog; cat/dev/shm/backlog> access_log; touch-r/dev/shm/timestamp. /access_log; shred-n 255-z-u/dev/shm/timestamp;
192.168.44.1 is the IP address of my stepping stone.
For specific log modification and erasure tools, you can change them from the next off-the-shelf on the Internet.
In addition, we need to change the logon log in the wtmp file to the IP address and time of the original administrator login, that is, the time and IP address recorded in section 1. If you do not have the root permission, you can also use ssh localhost to hide the logon IP address.
3. Hiding tools and data
3.1 temporary storage of tools and data
When we need to leave some programs on the server, such as the sniff software, or attack other servers as a springboard, we have to face a painful choice: you must be able to leave enough tools to complete the necessary tasks, and rewrite the file system or disk data in a few ways. In this case, if the data to be saved is temporary, we need to establish a file system in the memory. In this way, after the system restarts, the information we reserve on the disk will be erased because it is not actually written to the disk. (Note: Generally, we only use this method to save temporarily used programs, code, and other tools. If you want to save it for a long time, this method is not recommended)
To this end, we need to establish ramfs, which is a file system that exists in the memory. For more information, see related documents. Creating ramfs is simple, but you need to have the root permission. The Code is as follows:
Mount-t ramfs/usr/tmp
In this way, the/usr/tmp directory is mounted as a memory file system. Of course, in the actual process, we may need to find a directory that is hidden and hidden.