Wiping LOGS on *nix Systems

For educational purposes only.



Pre-requisites:
- Basic Knowledge of *nix OS and commands
- Root on Victim's Machine (i.e. exploited...)

=================================


There are two main logging daemons (which, by the way, listen for messages from the system and act on them according to their configuration):

Syslogd - SYSTEM Logs
klogd - KERNEL Logs

We need to kill these daemons so that they don't log your actions anymore. To do so, apply the following commands in the SHELL:

SYSLOGD
ps -def | grep syslogd // find the PID_of_syslogd
kill -9 PID_of_syslogd // kill the syslogd daemon

KLOGD
ps -def | grep klogd // find the PID_of_klogd
kill -9 PID_of_klogd // kill the klogd daemon
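Seen from the admin's side, a syslogd killed with SIGKILL writes no "exiting" message; what it leaves behind is silence. sysklogd writes a "-- MARK --" line every 20 minutes by default (its -m option), so a stretch of the log with nothing in it is what a reviewer looks for. The script below is an added example, not part of the original article or of any logwiper: it parses classic BSD syslog timestamps and reports silences longer than a threshold. The log lines are constructed here, and the threshold of two mark intervals is an assumption.

```python
import re
from datetime import datetime

# Classic BSD syslog line: "Aug 27 04:00:00 host syslogd: -- MARK --".
# The timestamp carries no year, so the caller supplies it.
LINE_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {name: n for n, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# sysklogd emits "-- MARK --" every 20 minutes unless started with -m 0;
# anything quieter than two mark intervals deserves a look (assumed threshold).
MARK_INTERVAL = 20 * 60
MAX_GAP = 2 * MARK_INTERVAL


def parse_time(line, year):
    """Return the line's timestamp as a datetime, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def find_silences(lines, year, max_gap=MAX_GAP):
    """Return (last_seen, next_seen, seconds) for every stretch longer than
    max_gap with no log line at all. Unparsable lines are skipped, not counted."""
    gaps = []
    prev = None
    for line in lines:
        t = parse_time(line, year)
        if t is None:
            continue
        if prev is not None:
            delta = int((t - prev).total_seconds())
            if delta > max_gap:
                gaps.append((prev, t, delta))
        prev = t
    return gaps


# Constructed sample: regular marks, one ssh login, then nothing for three hours
# until the daemon is started again. Host, user and addresses are made up.
SAMPLE_LOG = """\
Aug 27 04:00:00 box1 syslogd: -- MARK --
Aug 27 04:20:00 box1 syslogd: -- MARK --
Aug 27 04:40:00 box1 syslogd: -- MARK --
Aug 27 04:41:17 box1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 40122 ssh2
Aug 27 07:45:03 box1 syslogd: restart.
Aug 27 08:05:03 box1 syslogd: -- MARK --
""".splitlines()

if __name__ == "__main__":
    for start, end, seconds in find_silences(SAMPLE_LOG, 2006):
        print(f"no log lines between {start} and {end} ({seconds // 60} minutes)")
```

A silence on its own is weak evidence (a quiet box may simply run with -m 0), so correlate it with whatever else covers the same window. And since anything that lives only on the local disk can be edited by whoever has root, the durable countermeasure is a second copy the attacker cannot reach: a line such as `*.* @loghost` in /etc/syslog.conf forwards every message to another host, and that copy keeps the login that happened right before the local daemon went quiet.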

Now that that's taken care of, let's get trigger-happy with deleting the actual logs. To do that, we need to know their locations, which means knowing where SYSLOGD puts its logs. So we go to its configuration file, /etc/syslog.conf, and look for the directory path of the logs (usually /var/log/ is the default location; various distros place them in customized locations, e.g. /etc/ or even /usr/bin/).

When all is said and done, what we're after is:

- UTMP: Logs who is on the system
- WTMP: Logs logins and logouts
- LastLog: Logs who has logged in last
- .bash_history: Shell's history

You can either delete or append to them (they're just files...) -- not daemons.

Another set of log files you should look for (which are almost as powerful as the main ones) are located in the admin's (root) $HOME directory. You might know them as:

- .history
- .sh_history
- .bash_history

IMPORTANT: you should NEVER delete these (it will be obvious to the admin that something's wrong), so just append to them. So, simply edit them manually, or use scripts to take care of the task for you (just for double-checking; don't rely solely on scripts to ensure complete anonymity). These famous scripts are known as logwipers, and they complete the task in different ways.

Some popular logwipers are:
- Zap (fills logs with 0's), CLEAR, cloak, Anti-log, etc...
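The UTMP/WTMP/LastLog files listed above are fixed-size binary records, and the wipers named here leave characteristic traces in them: a tool that "fills logs with 0's" leaves an all-zero record where a login used to be, and a file that was rewritten by hand rarely keeps its entries in time order. The script below is an added example, not part of the original article or of any of the tools it names: it parses a wtmp file and flags both artefacts. The record layout is glibc's struct utmp on x86_64 Linux (384 bytes), an assumption about the platform being examined; the sample records are constructed here.

```python
import struct

# Fixed-size record of glibc's struct utmp on x86_64 Linux: 384 bytes, little-endian.
# utmp, wtmp and btmp all share this layout (assumed platform, see the lead-in).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8    # ut_type values from <utmp.h>


def parse_records(data):
    """Split raw wtmp bytes into one dict per record, noting fully zeroed ones."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d: truncated or not a wtmp file"
                         % (len(data), UTMP_SIZE))
    records = []
    for idx, off in enumerate(range(0, len(data), UTMP_SIZE)):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "index": idx,
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode("ascii", "replace"),
            "user": f[4].rstrip(b"\0").decode("ascii", "replace"),
            "host": f[5].rstrip(b"\0").decode("ascii", "replace"),
            "time": f[9],                       # ut_tv.tv_sec
            "zeroed": raw == bytes(UTMP_SIZE),
        })
    return records


def find_anomalies(records):
    """Flag records that an append-only wtmp should never contain."""
    findings = []
    latest = 0
    for r in records:
        if r["zeroed"]:
            # login(1) and friends never append an all-zero record to wtmp; a
            # zeroed slot means an existing entry was overwritten in place.
            findings.append((r["index"], "zero-filled record"))
            continue
        if r["time"] < latest:
            # wtmp grows in time order; a step backwards means the file was
            # rewritten, or restored from a different copy.
            findings.append((r["index"], "timestamp earlier than previous record"))
        latest = max(latest, r["time"])
    return findings


def scan_file(path):
    """Run the checks over a real file, e.g. /var/log/wtmp."""
    with open(path, "rb") as fh:
        return find_anomalies(parse_records(fh.read()))


def make_record(ut_type, pid, line, user, host, ts):
    """Build one record; used here only to construct the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


T0 = 1156636800     # constructed base time: 2006-08-27 00:00:00 UTC
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", T0),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", T0 + 600),
    bytes(UTMP_SIZE),                                            # entry zeroed by a wiper
    make_record(USER_PROCESS, 1340, "pts/1", "bob", "10.0.0.9", T0 + 1800),
    make_record(DEAD_PROCESS, 1340, "pts/1", "", "", T0 + 900),  # earlier than its login
])

if __name__ == "__main__":
    for idx, why in find_anomalies(parse_records(SAMPLE_WTMP)):
        print(f"record {idx}: {why}")
```

The zero check is meaningful for wtmp, which only ever grows; the live utmp (the "who is on the system" file) is slot-indexed and legitimately contains empty slots, so run it there only for the ordering check. The record size differs on 32-bit builds and on non-Linux systems, so confirm the layout against the target's utmp.h before trusting a file-size error. As with syslog, the comparison that actually settles the question is against a copy the intruder could not touch: the remote syslog record of the same logins.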

Or, if you're panicking and are in deep doo-doo, delete the whole file structure under "/" (I do NOT encourage this, but it can be used when the attacker freaks out due to failure in shutting down the logs, or is caught physically in front of the machine). This command, as most people know it, is "rm -rf /" without the quotes, in the SHELL.

SHALOM!
- netfish

Expecting feedback, ... good and bad.

NOTE: I claim no responsibility for how you use this information. Furthermore, I promise no guarantee for evading IDS systems, or Honeypots.

Comments

regit on August 27 2006 - 05:50:16
Good article, it's a good thing to know where the log files are on *nix systems :p
wolfmankurd on August 27 2006 - 10:42:37
I always use rm -rf / rofl, saves hassle
mastergamer on August 27 2006 - 13:07:46
rm -rf /etc on ubuntu makes the pc boot into a root shell, as me and system found out at school.
Darth_Pengo on August 27 2006 - 13:30:28
what about apache logs? and mysql logs?
system_meltdown on August 27 2006 - 16:25:20
lmao mastergamer, that was fun, killing the ubuntu pcs at school :)
netfish on August 27 2006 - 17:08:31
@Darth_Pengo: apache and mysql logs have relative locations (and depend not only on the Server configuration), but also on the distros.. apache is not the only webserver... I might as well write something on IIS for that matter -- which goes beyond the scope of this article.
© HellBound Hackers 2008-2009. Since 3rd December 2004.