
Wiping LOGS on *nix Systems



By ghostghost | 5256 Reads

Pre-requisites:

  • Basic Knowledge of *nix OS and commands
  • Root on Victim's Machine (i.e. exploited…)

=================================

There are two (2) main logging daemons (processes that listen for certain events and then act on them accordingly):

  • syslogd - SYSTEM logs
  • klogd - KERNEL logs

We need to kill these daemons so that they no longer log your actions. To do so, run the following commands in the SHELL:

SYSLOGD
  ps -def | grep syslogd    // find the PID_of_syslogd
  kill -9 PID_of_syslogd    // kill the syslogd daemon

KLOGD
  ps -def | grep klogd      // find the PID_of_klogd
  kill -9 PID_of_klogd      // kill the klogd daemon

Now that that's taken care of, let's go trigger-happy with the deletion of the actual logs. To do that, we need to know their locations, which means finding out where SYSLOGD puts its logs. So we go to its configuration file, /etc/syslog.conf, and look for the DIR path of the logs (usually /var/log/ is the default location, but various distros place them in customized locations, e.g. /etc/ or even /usr/bin/).

When all is said and done, what we're after is:

  • UTMP: Logs who is on the system
  • WTMP: Logs logins and logouts
  • LastLog: Logs who has logged in last
  • .bash_history: Shell's history

You can either delete or append to them (they're just files…) – not daemons.

Another set of log files you should look for (almost as powerful as the main ones) is located in the admin's (root) $HOME directory. You might know them as:

  • .history
  • .sh_history
  • .bash_history

IMPORTANT: you should NEVER delete these (it will be obvious to the admin that something's wrong), so just append to them. So, simply edit them manually, or use scripts to take care of the task for you (only as a double-check; don't rely solely on scripts to ensure complete anonymity). These famous scripts are known as logwipers, and they complete the task in different ways.

Some popular logwipers are:

  • Zap (fills logs with 0's), CLEAR, cloak, Anti-log, etc…
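The article names UTMP and WTMP as the files an intruder goes after and notes that Zap fills logs with 0's. From the admin's side that leaves a recognisable footprint: a wtmp record that is entirely null bytes sitting between otherwise valid entries. The script below is an added example, not code from the article or from any logwiper, that parses the glibc x86_64 `struct utmp` layout (384 bytes per record) and flags such zeroed records, timestamps that run backwards between consecutive entries, and a trailing partial record. The sample wtmp bytes, usernames, hosts, PIDs and timestamps are constructed inline.

```python
"""Added example (not part of the original article): scan a Linux wtmp/utmp
byte string for records that look tampered with.

Assumes the glibc x86_64 `struct utmp` layout. The sample file is constructed
in memory so the script runs offline."""
import struct

# glibc struct utmp on x86_64, packed little-endian:
# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit(hh) ut_session(i) ut_tv(ii) ut_addr_v6[4](4i) __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8
ZERO_RECORD = b"\0" * UTMP_SIZE


def build_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record. Used here only to construct sample data; on a real
    system these entries are written by login(1), init and friends."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_records(data):
    """Split a wtmp/utmp byte string into dicts, one per whole record."""
    recs = []
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        recs.append({
            "index": off // UTMP_SIZE,
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "tv_sec": f[9],
            "zeroed": chunk == ZERO_RECORD,
        })
    return recs


def find_anomalies(data):
    """Return (kind, record_index, detail) tuples for suspicious spots."""
    findings = []
    tail = len(data) % UTMP_SIZE
    if tail:
        findings.append(("truncated", None, f"{tail} trailing bytes, not a whole record"))
    last_ts = None
    for r in parse_records(data):
        if r["zeroed"]:
            findings.append(("zeroed_record", r["index"], "all-zero record (zap-style overwrite)"))
            continue  # a blanked entry carries no timestamp worth comparing
        if last_ts is not None and r["tv_sec"] < last_ts:
            findings.append(("time_regression", r["index"],
                             f"{r['user']}@{r['line']} at {r['tv_sec']} precedes previous {last_ts}"))
        last_ts = r["tv_sec"]
    return findings


# Constructed sample: boot, alice logs in, one entry blanked by a wiper,
# alice logs out, then a record whose timestamp runs backwards.
T0 = 1_700_000_000
SAMPLE_WTMP = b"".join([
    build_record(BOOT_TIME, 0, "~", "reboot", "5.15.0-generic", T0),
    build_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", T0 + 100),
    ZERO_RECORD,
    build_record(DEAD_PROCESS, 1234, "pts/0", "alice", "", T0 + 500),
    build_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", T0 + 300),
])

if __name__ == "__main__":
    for kind, idx, detail in find_anomalies(SAMPLE_WTMP):
        print(f"[{kind}] record {idx}: {detail}")
```

Two caveats for anyone running this against a real /var/log/wtmp: a wiper that rewrites the file without the entry leaves no hole, so the durable check is to compare against copies the intruder could not reach (logs forwarded off-host, for instance rsyslog's `*.* @@loghost:514`, or process accounting on a central server); and a clock step or NTP correction can produce a time_regression on an untouched file, so treat that finding as a prompt to look closer rather than as proof. On 32-bit or non-glibc systems the record size differs and UTMP_FMT must be adjusted.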

Or if you're panicking and in deep doo-doo, then delete the whole file structure under "/" (I do NOT encourage this, but it can be used when the attacker freaks out after failing to shut down the logs, or is caught physically in front of the machine). This command, as most people know it, is "rm -rf /" (without the quotes) in the SHELL.

SHALOM!

  • netfish

Expecting feedback, … good and bad.

NOTE: I claim no responsibility for how you use this information. Furthermore, I promise no guarantee for evading IDS systems, or Honeypots.

Comments
ghost 18 years ago

Good article, it's a good thing to know where the log files are on *nix systems :p

ghost 18 years ago

I always use rm -rf / rofl, saves hassle

ghost 18 years ago

rm -rf /etc on ubuntu makes the pc boot into a root shell, as me and system found out at school.

ghost 18 years ago

what about apache logs? and mysql logs?

SySTeM 18 years ago

lmao mastergamer, that was fun, killing the ubuntu pcs at school :)

ghost 18 years ago

@Darth_Pengo: apache and mysql logs have relative locations (and depend not only on the server configuration, but also on the distro). apache is not the only webserver… I might as well write something on IIS for that matter – which goes beyond the scope of this article.