Linux system LOG files and LOG cleanup after intrusion

Source: Internet
Author: User

UNIX network administrators rely primarily on system logs to find traces of an intrusion. Of course, third-party tools may also record traces of an intrusion into the system. UNIX systems keep their log files in the following common locations:
/usr/adm - earlier versions of UNIX
/var/adm - newer versions use this location
/var/log - used by some versions of Solaris, Linux, BSD and FreeBSD
/etc - most UNIX versions put utmp here; some also put wtmp and syslog.conf here
The following files vary depending on your system and directory:
acct or pacct - records the commands run by each user (process accounting)
access_log - records the sites that connected to your server when it runs NCSA httpd
aculog - stores records of the modems you dial out with
lastlog - records each user's most recent successful login and where that login came from. When a user logs on to a UNIX system, the login program looks up the user's uid in the lastlog file; if it finds an entry, UNIX displays the last login time and tty (terminal number).
loginlog - records failed or otherwise abnormal login attempts
messages - records messages written to the system console; other information in it is generated by syslog
security - records attempts to use the UUCP system to reach restricted areas
sulog - records uses of the su command, usually in /var/adm/sulog. If you used su on the machine, do not forget to clear it.
utmp - records all users currently logged on to the system. The file changes constantly as users enter and leave the system, and it also keeps a long history of the users on the system. utmp is usually stored as /var/adm/utmp; the w and who commands read it, and other commands access it too (finger root, for example). Nowadays utmpx files generally supplement the utmp records.
utmpx - utmp extended
wtmp - records user login and logout events. It is similar to utmp, but it grows with every login; on some systems ftp access is also recorded in this file, and it records normal system shutdowns. It can be read with the ac and last commands.
syslog - the most important log file. The syslogd daemon collects the log messages; read /etc/syslog.conf to find out what syslog records. By default it sends most messages to /var/adm/messages. Its inputs are:
/dev/log - a UNIX domain socket that receives messages from processes running on the local machine
/dev/klog - a device that receives messages from the UNIX kernel
port 514 - an Internet socket that receives syslog messages from other machines over UDP
uucp - records UUCP information, updated by local UUCP activity or by actions initiated by a remote site. The information includes calls made and received, requests, the sender, the time of sending and the sending host.
lpd-errs - logs printer fault information
ftp log - run ftpd with the -l option to get logging
httpd log - the httpd server records each web access in its log
history log - stores the user's recent commands
vold.log - records errors encountered when using external media
======================================
Other types of log files-
======================================
Some kinds of log records have no file of their own but begin with a specific flag; once you find such a flag you know it is a log record and can edit it:
xfer - indicates an attempt to transfer a prohibited file
rexe - indicates an attempt to execute an unsupported command
There are many other kinds of log files, mostly created by third-party software or even by the network administrator.
Once you have an "eye" on a system, keep that eye open for anything that might be a log file.
Many administrators like to keep log files in one directory for convenience, so check the directory of any log file you have found
for other log files; if there are any, you know what to do.
Another thing to note is the log file for user mail. Its name varies, and sometimes it is
part of the syslog output. You need to know what syslog records; you can find that in syslog.conf, which
is normally in /etc.
Generally the syslog.conf file shows the log settings, for example: cat /etc/syslog.conf
On SunOS the logs are under /var/log and /var/adm, and /usr/adm is a link to /var/adm.
On Red Hat they are under /var/log and /var/run.
The following is a log sample from SunOS 5.7. In addition, the various shells record the history of the commands a user ran, in a file in the user's home directory. Generally the file is .sh_history (ksh), .history (csh) or .bash_history (bash).
# ls /var/adm
acct       log          messages.1   passwd     sulog   vold.log
aculog     messages     messages.2   sa         utmp    wtmp
lastlog    messages.0   messages.3   spellhist  utmpx   wtmpx
# ls /var/log
authlog          syslog     syslog.1   syslog.3
sysidconfig.log  syslog.0   syslog.2   syslog.4

The following is a log sample from Red Hat 9.0.
# ls /var/log
boot.log    dmesg           messages.2     secure       uucp
boot.log.1  htmlaccess.log  messages.3     secure.1     wtmp
boot.log.2  httpd           messages.4     secure.2     wtmp.1
boot.log.3  lastlog         netconf.log    secure.3     xferlog
boot.log.4  mailllog        netconf.log.1  secure.4     xferlog.1
cron        maillog         netconf.log.2  sendmail.st  xferlog.2
cron.1      maillog.1       netconf.log.3  spooler      xferlog.3
cron.2      maillog.2       netconf.log.4  spooler.1    xferlog.4
cron.3      maillog.3       news           spooler.2
cron.4      maillog.4       normal.log     spooler.3
daily.log   messages        realtime.log   spooler.4
daily.sh    messages.1      samba          transfer.log

# ls /var/run
atd.pid       gpm.pid     klogd.pid  random-seed   treemenu.cache
crond.pid     identd.pid  netreport  runlevel.dir  utmp
ftp.pids-all  inetd.pid   news       syslogd.pid
Generally, the logs we want to clear include:
lastlog
utmp (utmpx)
wtmp (wtmpx)
messages
syslog
sulog
Generally you can erase the above logs. :)
Next I will discuss the relevant information and the clearing methods for the above logs. For more detail, and for other logs, consult the relevant documentation.
I gave a brief description of the log functions above. What do these log files actually record? Follow me.
The following is an example:
SunOS 5.7
login: gao
Password:
No directory! Logging in with home=/
Last login: Sun Feb 4 22:18:25 from 219.31.36.7
Sun Microsystems Inc.   SunOS 5.7   Generic October 1998
$
The login program then updates the lastlog file with the new login time and tty, and updates utmp and wtmp.
Shell record:

.sh_history (ksh), .history (csh) or .bash_history (bash) is the shell's execution history; it records the commands the user ran. It usually lives in the user's home directory. Don't forget root's home directory either.

1. Most logs (messages, syslog, sulog, the shell history) are plain text files, so the crudest method is to open the log in a text editor and delete the relevant records to wipe your footprints and hide your results. (utmp, wtmp and lastlog are binary records rather than text, which is what method 4 is for.)
For example, using vi.
However, this is very clumsy: it is troublesome and the workload is too large.

2. Use rm -f to delete the log, for example: rm -f /usr/adm/lastlog
This is also very clumsy.
It makes it easy for administrators to notice the intrusion, although it is relatively safe. :)
It can be used on less important machines.
3. Clear the file with >.
For example:
cat > /usr/log/lastlog

-> Enter whatever you want written here. It is best to put in something plausible, or you can leave it empty. :)
^D -> here ^D means press ctrl + d.
#

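Methods 1 and 3 above hand-edit a text log. The following is an added example, not from the original article, that automates method 1 over a constructed /var/adm/messages excerpt and then runs the two checks an administrator can do afterwards: timestamp order (syslogd only appends) and the cadence of syslogd's "-- MARK --" lines (written every 20 minutes by default, the -m option). The hostname "sunbox" and the log lines are made up; the user and address are taken from the login banner above.

```python
"""Method 1 (hand-editing a text log) automated, with the checks an
administrator runs afterwards. Added example, not from the article; the
hostname 'sunbox' and the lines below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed /var/adm/messages excerpt: syslogd MARK lines every 20 minutes
# around the "gao" login from the article's banner.
SAMPLE_MESSAGES = """\
Feb  4 22:00:00 sunbox -- MARK --
Feb  4 22:18:25 sunbox sshd[2241]: Accepted password for gao from 219.31.36.7 port 1024
Feb  4 22:20:00 sunbox -- MARK --
Feb  4 22:31:07 sunbox su: 'su root' succeeded for gao on /dev/pts/1
Feb  4 22:40:00 sunbox -- MARK --
Feb  4 22:55:12 sunbox sshd[2241]: Received disconnect from 219.31.36.7
Feb  4 23:00:00 sunbox -- MARK --
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog_line(line, year=2001):
    """Split 'Mon dd hh:mm:ss host message'; the classic format carries no
    year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, m.group(2), m.group(3)


def scrub_lines(text, needle):
    """Method 1 automated: drop every line mentioning `needle` (an address,
    a user, a tty); all other lines are kept byte for byte."""
    return "".join(l for l in text.splitlines(keepends=True) if needle not in l)


def _stamped(text):
    """(line number, timestamp, message) for every parseable line."""
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_syslog_line(line)
        if parsed:
            yield n, parsed[0], parsed[2]


def check_timestamp_order(text):
    """Line numbers whose time is earlier than the line before. syslogd only
    appends, so a backward jump means a hand edit or a spliced-in block."""
    bad, prev = [], None
    for n, stamp, _ in _stamped(text):
        if prev is not None and stamp < prev:
            bad.append(n)
        prev = stamp
    return bad


def check_mark_gaps(text, interval_minutes=20):
    """syslogd writes '-- MARK --' every `interval_minutes` (its -m default is
    20). Consecutive MARKs more than 1.5 intervals apart mean a MARK went
    missing: syslogd was down, or the lines around it were cut out."""
    marks = [stamp for _, stamp, msg in _stamped(text) if msg == "-- MARK --"]
    limit = timedelta(minutes=1.5 * interval_minutes)
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > limit]


if __name__ == "__main__":
    cleaned = scrub_lines(SAMPLE_MESSAGES, "219.31.36.7")
    print(cleaned)  # the su line still names gao: scrubbing by address misses it
    print("order:", check_timestamp_order(SAMPLE_MESSAGES),
          "gaps:", check_mark_gaps(SAMPLE_MESSAGES))
```

Scrubbing by the source address leaves the su line, which still names the user; cutting out a whole time window instead removes a MARK line and shows up as a 40-minute gap in the MARK cadence. Either way the file's size and modification time change, which is what method 3 and method 4 do not solve either.
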
4. The best option, of course, is a log clearing tool.
Enter a few commands and the program cleans up for you. :)
A. Common log clearing tools.
The following is a fairly good log cleaner. :)

http://packetstormsecurity.nl/UN... ipers/wipe-1.00.tgz
All-around cleanup of:
lastlog
utmp
utmpx
wtmp
wtmpx

Next let's take a look (SunOS 5.7 as the demo platform):
# gzip -d wipe-1.00.tgz
# tar -xf wipe-1.00.tar
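utmp, wtmp and lastlog are not text: each login is one fixed-size binary record, which is why the tool in method 4 exists at all and why vi cannot do the job for them. The following is an added example, not from the original article and not the code of wipe. It builds a few constructed wtmp records in the Linux glibc struct utmp layout (384 bytes; Solaris utmpx differs), reads them back the way last does, removes one user's records the way a name-matching cleaner does, and then runs the check an administrator can use to catch that: on Linux the logout record (DEAD_PROCESS) carries an empty user name, so deleting by user name leaves a logout with no login on the same tty. The user and address come from the login banner earlier in the article; pids and times are made up.

```python
"""utmp/wtmp are not text: each login is one fixed-size binary record.
Added example (not from the article, not part of wipe) using the Linux
glibc struct utmp layout; Solaris utmpx has a different layout."""
import struct
from datetime import datetime, timezone

# glibc <utmp.h>, 384 bytes per record:
#   short ut_type; (2 pad) int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values from <utmp.h>


def _cstr(raw):
    """NUL-terminated fixed field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, when):
    """Pack one record; `when` is a naive UTC datetime (constructed data)."""
    sec = int(when.replace(tzinfo=timezone.utc).timestamp())
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def _records(data):
    """Raw 384-byte slices; a trailing partial record is ignored."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        yield data[off:off + UTMP_SIZE]


def parse_wtmp(data):
    """Decode a wtmp image into dicts, oldest record first (as `last -f` reads it)."""
    out = []
    for raw in _records(data):
        f = struct.unpack(UTMP_FMT, raw)
        out.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                    "user": _cstr(f[4]), "host": _cstr(f[5]),
                    "time": datetime.fromtimestamp(f[9], timezone.utc)})
    return out


def scrub_user(data, user):
    """What a name-matching wtmp cleaner does: drop every record whose ut_user
    equals `user`, keep everything else byte for byte. Logout records
    (DEAD_PROCESS) carry an empty ut_user on Linux, so they survive."""
    return b"".join(raw for raw in _records(data)
                    if _cstr(struct.unpack(UTMP_FMT, raw)[4]) != user)


def orphaned_logouts(records):
    """Detection: a DEAD_PROCESS on a tty with no earlier USER_PROCESS on that
    tty. A cleaner that removed only the login record leaves exactly this."""
    open_lines, orphans = set(), []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                orphans.append(r["line"])
    return orphans


# Constructed sample: root on the console, then the "gao" login from the
# article's banner (219.31.36.7), then both logouts.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1800, "tty1", "root", "", datetime(2001, 2, 4, 21, 0, 0)),
    make_record(USER_PROCESS, 2241, "pts/1", "gao", "219.31.36.7", datetime(2001, 2, 4, 22, 18, 25)),
    make_record(DEAD_PROCESS, 2241, "pts/1", "", "", datetime(2001, 2, 4, 22, 55, 12)),
    make_record(DEAD_PROCESS, 1800, "tty1", "", "", datetime(2001, 2, 4, 23, 10, 0)),
])

if __name__ == "__main__":
    for r in parse_wtmp(SAMPLE_WTMP):
        print(f"{r['user']:<8} {r['line']:<6} {r['host']:<15} {r['time']:%b %d %H:%M}")
    cleaned = scrub_user(SAMPLE_WTMP, "gao")
    print("orphaned logouts after scrub:", orphaned_logouts(parse_wtmp(cleaned)))
```

Run it against a real Linux wtmp with parse_wtmp(open("/var/log/wtmp", "rb").read()) and compare with last; on Solaris, read wtmpx with that system's struct layout instead. The same record-matching idea applies to utmp (only the current sessions) and, with a different struct, to lastlog, which is indexed by uid rather than appended to.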
