This is a question I happened to raise in the "China Information Security Research Group (CISRG)"; 7all gave me the answer. I will add to it when I have time.
Why do I say "hide" rather than "erase"? Because I feel that the traces of an intrusion can only be hidden indefinitely, never completely erased. The answer below is 7all's. Once again, my thanks.
---------------------------------------------------------------------------------------------------------------
Reply:
To erase their own attack traces, the general practice is to erase the log files, hide the uploaded shell program, and establish a more covert access channel to prepare for later access.
For erasing log files, you can find log-cleaning software on Google; of course, all such software needs to be tested by yourself in practice, so that you know which one works better.
There are many ways to hide a shell program; you can also search for them on Google.
For more advanced hiding of attack traces, it depends on how well you know the OS. For example, many intruders use their own backdoors or rootkits to keep a reserved remote access control. Advanced hiding of attack traces also requires hiding your own attack path, for example: from China you jump to a springboard in the USA, then jump to Germany, then jump to France, and only then carry out the attack, checking along the way whether your data is being monitored. If one link is monitored, it is very likely that you will be traced back by the other side.
When using proxies, ensure the security of the proxy as far as possible; otherwise it is equivalent to jumping into a large honeypot system.
There are many ways to erase traces and avoid being traced back, depending on the circumstances. The above is written somewhat messily; I hope friends who have time will add to it :)
Last modified: 7all (2007-04-01 00:51:21)
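The defender's side of 7all's first point (erasing log files), as an added example that is not part of the original post or of 7all's reply: two cheap checks over a constructed syslog-style excerpt. The first flags timestamps that step backwards or follow an unusually long silence, both of which are what a crudely edited log tends to leave behind; the second diffs the local file against a copy that was forwarded to a remote collector before the intruder touched the host. The sample lines, the host name, the user names, the IP addresses and the assumed year are all made up for this example.

```python
"""Heuristic checks for a locally edited syslog-style log (constructed sample data)."""
from datetime import datetime, timedelta

# Constructed local log as found on the host after an intruder removed the lines
# covering his own session: this leaves a gap and a timestamp that steps backwards.
SAMPLE_LOG = """\
Apr  1 00:01:02 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Apr  1 00:01:30 host cron[1210]: (root) CMD (run-parts /etc/cron.hourly)
Apr  1 00:02:11 host sshd[1222]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Apr  1 00:45:10 host cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Apr  1 00:44:59 host sshd[1310]: session closed for user bob
Apr  1 00:46:00 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; COMMAND=/bin/cat /var/log/auth.log
"""

# Constructed copy of the same log as received by a remote log collector before
# the edit; it still contains the two lines the intruder deleted locally.
REMOTE_COPY = """\
Apr  1 00:01:02 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Apr  1 00:01:30 host cron[1210]: (root) CMD (run-parts /etc/cron.hourly)
Apr  1 00:02:11 host sshd[1222]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Apr  1 00:20:05 host sshd[1250]: Accepted password for root from 10.0.0.77 port 40011 ssh2
Apr  1 00:31:44 host sshd[1250]: session closed for user root
Apr  1 00:45:10 host cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Apr  1 00:44:59 host sshd[1310]: session closed for user bob
Apr  1 00:46:00 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; COMMAND=/bin/cat /var/log/auth.log
"""


def parse_ts(line, year=2007):
    """Parse the leading syslog timestamp ('Apr  1 00:01:02').

    Classic syslog omits the year, so one is assumed (2007 here, an assumption
    of this example chosen to match the date of the reply above).
    """
    return datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")


def find_anomalies(text, max_gap=timedelta(minutes=30), year=2007):
    """Return [(line_number, reason)] for lines whose timestamp steps backwards
    or that follow a silence longer than max_gap.

    Both are indicators, not proof: a rebooted host or a quiet night also
    produces gaps, so tune max_gap to the normal chatter of the log.
    """
    anomalies = []
    prev = None
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ts = parse_ts(line, year)
        if prev is not None:
            if ts < prev:
                anomalies.append((n, "timestamp goes backwards"))
            elif ts - prev > max_gap:
                anomalies.append((n, "gap of %s before this line" % (ts - prev)))
        prev = ts
    return anomalies


def lines_missing_locally(local_text, remote_text):
    """Return the lines present in the remote collector's copy but absent from
    the local file. This is the check that actually catches a cleaned log:
    the intruder can edit the host's file but not the copy already shipped off."""
    local = set(local_text.splitlines())
    return [line for line in remote_text.splitlines() if line and line not in local]


if __name__ == "__main__":
    for n, reason in find_anomalies(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
    for line in lines_missing_locally(SAMPLE_LOG, REMOTE_COPY):
        print("deleted locally: " + line)
```

The timestamp heuristic is only a prompt to look closer; its real value is that it costs nothing. The diff against a remote copy is the control that makes the "erase the log files" step in the reply fail, which is why forwarding logs off the host as they are written, rather than relying on the local file, is the standard countermeasure.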
---------------------------------------------------------------------------------------------------------------
I'll add the next part.