Wiping LOGS on *nix Systems

For educational purposes only.



Pre-requisites:
- Basic Knowledge of *nix OS and commands
- Root on victim's machine (i.e. already exploited...)

=================================


There are two main logging daemons (which, by the way, listen for certain events and then act on them according to their configuration):

Syslogd - SYSTEM Logs
klogd - KERNEL Logs

We need to kill these daemons so that they don't log your actions anymore. To do so, run the following commands in the shell:

SYSLOGD
ps -def | grep syslogd // find the PID_of_syslogd
kill -9 PID_of_syslogd // kill the syslogd daemon

KLOGD
ps -def | grep klogd // find the PID_of_klogd
kill -9 PID_of_klogd // kill the klogd daemon

Now that that's taken care of, let's go trigger-happy with the deletion of the actual logs. To do that, we'll need to know their locations, which means finding out where syslogd puts its logs. So we go to its configuration file, /etc/syslog.conf, and look for the directory path of the logs (usually this is /var/log/, the default location, but various distros place them in customized locations, e.g. /etc/ or even /usr/bin/).

When all is said and done, what we're after is:

- UTMP: Logs who is on the system
- WTMP: Logs logins and logouts
- LastLog: Logs who has logged in last
- .bash_history: Shell's history

You can either delete or append to them (they\'re just files...) -- not daemons.

Another set of log files you should look for (almost as powerful as the main ones) is located in the admin's (root's) home directory, $HOME. You might know them as:

- .history
- .sh_history
- .bash_history

IMPORTANT: you should NEVER delete these (it will be obvious to the admin that something's wrong), so just append to them. So, simply edit them manually, or use scripts to take care of the task for you (just for double checking; don't rely solely on scripts to ensure complete anonymity). These famous scripts are known as logwipers, and they complete the task in different ways.

Some popular logwipers are:
- Zap (fills logs with 0's), CLEAR, cloak, Anti-log, etc...
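From the defender's side, the files listed above are also where the traces of a wiper show up. The following is an added example (not part of the original article): it parses a wtmp file in the Linux glibc utmp record layout and flags zero-filled records (what a zero-filling wiper like Zap leaves behind) and timestamps that run backwards (records rewritten rather than appended). The record layout is an assumption about the target system, and the sample records are constructed inline.

```python
import struct

# Assumed layout: glibc utmp record on Linux, 384 bytes, little-endian,
# 32-bit ut_tv. Check `struct utmp` in /usr/include/bits/utmp.h on the box.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0,
                       tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed wtmp: login, logout, a zeroed record, a later login, and a
# record whose timestamp predates the previous one.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 2000),
    b"\x00" * UTMP_SIZE,
    make_record(USER_PROCESS, 4300, "pts/1", "bob", "10.0.0.9", 3000),
    make_record(USER_PROCESS, 4301, "pts/2", "carol", "10.0.0.7", 1500),
])


def audit_wtmp(data):
    """Return (record_index, reason) for records that look tampered with."""
    findings = []
    last_ts = 0
    whole = len(data) - len(data) % UTMP_SIZE
    for off in range(0, whole, UTMP_SIZE):
        idx = off // UTMP_SIZE
        chunk = data[off:off + UTMP_SIZE]
        if chunk == b"\x00" * UTMP_SIZE:
            findings.append((idx, "zero-filled record"))
            continue
        fields = struct.unpack(UTMP_FMT, chunk)
        tv_sec = fields[9]  # ut_tv.tv_sec
        if tv_sec < last_ts:  # wtmp is append-only; time should not go back
            findings.append((idx, "timestamp goes backwards"))
        last_ts = max(last_ts, tv_sec)
    if whole != len(data):
        findings.append((whole // UTMP_SIZE, "trailing partial record"))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_wtmp(SAMPLE_WTMP):
        print(f"record {idx}: {reason}")
```

Run it against a copy of /var/log/wtmp taken during response, and compare the findings with last(1) output and the times in auth logs from a remote syslog collector.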

Or if you're panicking and are in deep doo-doo, then delete the whole file structure under "/" (I do NOT encourage this, but it can be used when the attacker freaks out due to failure in shutting down the logs, or being caught physically in front of the machine). This command, as most people know it, is: "rm -rf /" without the quotes in the shell.

SHALOM!
- netfish

Expecting feedback, ... good and bad.

NOTE: I claim no responsibility for how you use this information. Furthermore, I promise no guarantee for evading IDS systems, or Honeypots.

Comments

regit on August 27 2006 - 05:50:16
Good article, it's a good thing to know where the log files are on *nix systems
wolfmankurd on August 27 2006 - 10:42:37
I always use rm -rf / rofl, saves hassle
mastergamer on August 27 2006 - 13:07:46
rm -rf /etc on ubuntu makes the pc boot into a root shell, as me and system found out at school.
Darth_Pengo on August 27 2006 - 13:30:28
what about apache logs? and mysql logs?
system_meltdown on August 27 2006 - 16:25:20
lmao mastergamer, that was fun, killing the ubuntu pcs at school
netfish on August 27 2006 - 17:08:31
@Darth_Pengo: apache and mysql logs have relative locations (and depend not only on the server configuration, but also on the distro).. apache is not the only webserver... I might as well write something on IIS for that matter -- which goes beyond the scope of this article.