What after root?
Well, I'd delete the logs... That'd come first.
Well, it depends on the site. I'll give the pass to one of my friends if they wanted it, or deface it if I truly disliked the site, or I'll just leave it alone. I mostly just leave it alone and send a message to the admin stating the exploit so they can fix it, if they can.
If you legitimately root a server, not just a little piece of web software, then you do whatever the hell you want. I've come across this about three times, and I got a pretty good story out of it.
The server had pretty nice security overall, excess WatchGuard applications, but I got in through a hole in SSH. It was a FreeBSD server, clearly not updated, most likely using ports ineffectively. The server was actually a local company that was causing some unrest. Basically, they were a web development/design company that threw mud every which way, and bragged up the ass. They made a couple of personal attacks and one too many moves at other local companies that were better established.
I doubt very many of you have even tried Linux rooting, or have but never got access. I will honestly say that I used an exploit long since previously found, so I'm not claiming to be leet in that regard. It's really a pretty amazing experience. You need coffee, and a lot of time. Maybe some rubber undergarments.
Many of you with no experience whatsoever will, first, not know to clear logs. Others, like most, will know to clear the logs and will say that's what they would do, but have no clue how.
Now that I was in, I didn't want to do much to their site, but I had to touch it. More than anything I just changed a few CSS colors and added a snide line at the bottom of the page, so they could know where they crossed the line. I chmod'd every file to only allow read, even from the owner. I promptly then began mucking their DNS up. It was BIND 8 at the time, so I made a few awkward references, looping subdomains and the main domain nearly 15 times, and changing MX priorities.
I changed the sudoers file to not allow any sudo, and I updated the passwd application via Ports, followed by a quick password change. It was only AFTER this step, of course, that I stopped to ps -ea, seeing the 5 or so WatchGuard applications flagging my ass. After a little research, I found where every application stored logs, as well as all the original Unix applications like syslogd, and a true network monitor. Now, deleting them that instant would be stupid, as would killing the applications. This is why I love Perl so much. A Perl script changed all the logs back to what they were before I touched it and added a few fake records; then I set a cron to handle that, and the Perl script removed itself from cron.
I also removed about 15-20 nice tools, such as wget, and all was good. Damage done, traces gone, fun had. I also know about ISP logs, of course handled previously by my own application to tunnel me through about 20 proxies.
Personally I find it annoying when people message a sysadmin that there's a hole, UNLESS the person messaging legitimately found it.
I've found my own holes in PHP-Nuke, PunBB, and a few custom-made data-driven sites, so I've had admin there. That isn't good for much often, but sometimes it can be fun. I might write out one of the other big rooting experiences I had later. Basically, it involved not having a clue what distribution I was on, and there was no true root account accessible by humans. Difficult log work-around there.
I don't know how to find where logs are, what applications keep them or where to find out, except maybe Google. But it doesn't matter for what I had done. In our school, I got root on the server, and messed about a little, not caring if I left a trace, because the Friday before I had broken into the admin's office, on a whim, and found a receipt kind of thing, which for some weird reason was to install a small 20GB HDD, and this was where the logs would be kept (it was to be installed as a log drive). Of course later that day, I had disconnected that hard drive ;), and was left free to hack. This was before I had got to know and like the stupid admin.