Wiping LOGS on *nix Systems
Pre-requisites:
- Basic Knowledge of *nix OS and commands
- Root on Victim's Machine (i.e. exploited…)
=================================
There are two (2) main logging daemons (which, by the way, listen for certain events and then act on them accordingly):
- syslogd - SYSTEM logs
- klogd - KERNEL logs
We need to kill these daemons so that they don't log your actions anymore. To do so, run the following commands in the SHELL:
SYSLOGD
ps -def | grep syslogd // find the PID_of_syslogd
kill -9 PID_of_syslogd // kill the syslogd daemon
KLOGD
ps -def | grep klogd // find the PID_of_klogd
kill -9 PID_of_klogd // kill the klogd daemon
Now that that's taken care of, let's get trigger-happy with deleting the actual logs. To do that, we need to know their locations, which means finding out where SYSLOGD puts its logs. So we go to its configuration file, /etc/syslog.conf, and look for the DIR path of the logs (usually /var/log/ by default; various distros place them in custom locations, e.g. /etc/ or even /usr/bin/).
When all is said and done, what we're after is:
- UTMP: Logs who is on the system
- WTMP: Logs logins and logouts
- LastLog: Logs who has logged in last
- .bash_history: Shell's history
You can either delete or append to them (they're just files…) – not daemons.
Another set of log files you should look for (almost as powerful as the main ones) is located in the admin's (root) $HOME directory. You might know them as:
- .history
- .sh_history
- .bash_history
IMPORTANT: you should NEVER delete these (the admin will obviously notice something's wrong), so just append to them. Simply edit them manually, or use scripts to take care of the task for you (but only as a double check; don't rely solely on scripts to ensure complete anonymity). These well-known scripts are called logwipers, and they complete the task in different ways.
Some popular logwipers are:
- Zap (fills logs with 0's), CLEAR, cloak, Anti-log, etc…
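From the defender's side, the UTMP/WTMP entries listed above are fixed-size binary records, so a Zap-style zero fill, a blanked user field or a rewritten timestamp leaves a footprint an auditor can look for. The following script is an added example, not part of netfish's post; it assumes the x86_64 Linux glibc utmp layout and uses constructed sample records:

```python
import struct
import sys
from typing import Dict, List

# Linux x86_64 glibc `struct utmp` (384 bytes, no alignment padding under "<"):
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # a logged-in session, the record type a wiper targets

def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one constructed utmp record (sample data for this example, not a real login)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def audit_wtmp(data: bytes) -> List[Dict]:
    """Flag records in a wtmp/utmp image that look tampered with."""
    findings: List[Dict] = []
    if len(data) % UTMP_SIZE:
        # Truncation or a sloppy overwrite commonly leaves a partial trailing record.
        findings.append({"index": None, "issue": "size is not a multiple of the record size"})
    last_ts = 0
    for i in range(len(data) // UTMP_SIZE):
        rec = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if rec == b"\x00" * UTMP_SIZE:
            # Zap-style wipers overwrite a user's records with zeros instead of deleting them.
            findings.append({"index": i, "issue": "all-zero record (wiper-style overwrite)"})
            continue
        fields = struct.unpack(UTMP_FMT, rec)
        ut_type, tv_sec = fields[0], fields[9]
        user = fields[4].rstrip(b"\x00").decode(errors="replace")
        if ut_type == USER_PROCESS and not user:
            findings.append({"index": i, "issue": "login record with blank user name"})
        if tv_sec < last_ts:
            # wtmp is append-only; an earlier timestamp means a record was rewritten.
            findings.append({"index": i, "issue": "timestamp goes backwards"})
        last_ts = max(last_ts, tv_sec)
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp"
    with open(path, "rb") as fh:
        for finding in audit_wtmp(fh.read()):
            print(finding)
```

On a live host, compare the findings against the last known-good copy of wtmp (e.g. from backups or remote syslog), since a clean scan only says the file is internally consistent, not that nothing was removed.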
Or if you're panicking and are in deep doo-doo, then delete the whole file structure under "/" (I do NOT encourage this, but can be used when the attacker freaks out due to failure in shutting down the logs, or being caught physically in front of the machine). This command, as most people know it, is: "rm -rf /" without the quotes in the SHELL.
SHALOM!
- netfish
Expecting feedback, … good and bad.
NOTE: I claim no responsibility for how you use this information. Furthermore, I promise no guarantee for evading IDS systems, or Honeypots.
ghost 18 years ago
Good article, it's a good thing to know where the log files are on *nix systems :p
ghost 18 years ago
rm -rf /etc on ubuntu makes the pc boot into a root shell, as me and system found out at school.
ghost 18 years ago
@Darth_Pengo: apache and mysql logs have relative locations (and depend not only on the server configuration, but also on the distro). apache is not the only webserver… I might as well write something on IIS for that matter – which goes beyond the scope of this article.