Cover Your Tracks After Hacking A UNIX Box

In the Monitoring User Login post, the commands and files used to track user activity are discussed.

Here are some ways of covering your fingerprints on a server, using the files that record user logins.

We want to erase any trace that will show that we were inside the box. In doing so we’ll just:

cat /dev/null > <file>

Lastlog file

Clear out the lastlog file if you're using an existing user on the box. The lastlog file records when and from where a particular user last logged in.

login: razile
Password:

Last login: Fri Oct 21 21:50:02 2007 from 210.2.9.1
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %

Erase that if you don't want the admin to see where you last logged in from (IP, hostname, time, etc.).

cat /dev/null > /var/adm/lastlogin

Compare the login banner before and after clearing the lastlog file:

(first login)

Last login: Thu Nov  1 21:33:41 2007 from 210.23.109.1
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
user@server->

(after deletion)

 Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
bash: unalias: `e’: not an alias
user@server->

wtmpx/tmpx files

If you want to see which users have logged in to a Unix box, type 'last':

UnixBox# last | more
root        pts/21       101.221.224.61    Sat Nov  3 11:38   still logged in
sitescp   pts/20       19.168.128.132  Sat Nov  3 07:00   still logged in
root        pts/23       101.221.224.51    Sat Nov  3 05:05   still logged in
root        pts/22       101.221.224.51    Sat Nov  3 05:05   still logged in
paladel    pts/22       14.122.4.99     Fri Nov  2 14:33 – 15:32  (00:59)
boy1        pts/26       14.122.4.67     Fri Nov  2 13:22 – 14:50  (01:28)
boy2        pts/26       14.122.4.67     Fri Nov  2 13:20 – 13:22  (00:02)

You'll see the user who logged in, the terminal used, the IP address he came from, and the date and duration of his activity on the server.

That is a lot of information, so to cover your tracks, delete or zero out the files that store it:

cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/tmpx

After doing so, 'last' shows only this:

# cat /dev/null > /var/adm/wtmpx
# last | more

wtmp begins Sun Nov  4 00:41
#

You could also zero out the /var/adm/messages if you’re really paranoid.

Of course, doing this is like shouting and telling the whole universe that you were there.
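That is exactly why an administrator can catch it mechanically: a wtmpx that "begins" after the last boot was emptied while the system was up, and a session that utmpx still reports but wtmpx no longer knows about is a second giveaway. The following checker is an added example, not code from the original post; the `last` and `who` text is constructed after the post's listings, and the boot time is an assumed value you would normally take from `who -b`.

```python
from datetime import datetime

# Constructed sample output modelled on the post's listings (not captured from a real host).
LAST_AFTER_CLEAR = "wtmp begins Sun Nov  4 00:41\n"
WHO_NOW = "root       pts/21       Nov  3 11:38    (101.221.224.61)\n"
BOOT_TIME = datetime(2007, 10, 15, 8, 0)   # assumed; on a real host take it from `who -b`


def parse_last(output, year):
    """Parse `last` text into (sessions, wtmp_begins).

    sessions is a list of (user, tty, host, still_logged_in). `last` prints no
    year, so the caller supplies the year to assume for the 'wtmp begins' stamp.
    """
    sessions, begins = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("wtmp begins "):
            stamp = line[len("wtmp begins "):]
            begins = datetime.strptime(stamp, "%a %b %d %H:%M").replace(year=year)
        elif line:
            parts = line.split()
            if len(parts) >= 3:
                sessions.append((parts[0], parts[1], parts[2], "still logged in" in line))
    return sessions, begins


def check_login_accounting(last_output, who_output, boot_time):
    """Return a list of findings; an empty list means wtmpx and utmpx agree."""
    findings = []
    sessions, begins = parse_last(last_output, boot_time.year)
    # Accounting that starts after the last boot means wtmpx was truncated while up.
    if begins is not None and begins > boot_time:
        findings.append("wtmp begins %s, after boot at %s: wtmpx truncated since boot"
                        % (begins.strftime("%b %d %H:%M"), boot_time.strftime("%b %d %H:%M")))
    # Every session utmpx (`who`) still reports should be an open session in wtmpx (`last`).
    open_in_wtmp = {(user, tty) for user, tty, _host, active in sessions if active}
    for line in who_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and (parts[0], parts[1]) not in open_in_wtmp:
            findings.append("%s on %s is in utmpx but has no open session in wtmpx"
                            % (parts[0], parts[1]))
    return findings


if __name__ == "__main__":
    for finding in check_login_accounting(LAST_AFTER_CLEAR, WHO_NOW, BOOT_TIME):
        print("ALERT:", finding)
```

Run against the post's cleared state it raises both alerts; against an untouched host whose `last` still lists the root session and whose accounting starts before boot it returns nothing.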

These are just a few ways to cover your tracks… Do you have any additions, or any tips for covering an intrusion without anyone knowing you were there?

3 thoughts on “Cover Your Tracks After Hacking A UNIX Box”

  1. you write:

    “You could also zero out the /var/adm/messages if you’re really paranoid.

    Of course doing these is like shouting and telling the whole universe that you were there.”

    but also erasing the files is like “shouting and telling the whole universe that you were there”, no?

  2. Are you retarted or what? Do not DELETE the log files. This will show that you are a clueless script kiddie.

    I can’t believe you wrote this. You must be very new at this game. You must be longing for that pubic hair to grow.

  3. the user is not trying to hide himself, hence the logs are deleted.. he's trying to get rid of clues that the internet police will follow, tracing back to his terminal
