Sha Bang Covert Action

Let's think about logging. A smart hacker will always prefer a covert mode of operation, and that requires knowing how logging happens on the target system, getting the privilege to access those files, and cleaning the entries. Starting with the first step: a Linux system stores all sorts of logs in the default location /var/log/. This directory contains multiple log files, depending on the applications running on the system. For testing purposes, let's take a default log file on Linux, syslog.

root@bt# cat /dev/null > /var/log/syslog

The statement above is simple to understand: /dev/null is a special file that always reads as empty, so redirecting its contents into the syslog file truncates syslog to zero length. Now let's create a shell script to do the same.

{% highlight bash %}
#!/bin/bash
# You should be root to run this script
cat /dev/null > /var/log/syslog
echo "syslog cleaning completed."
exit
{% endhighlight %}

This is a very simple script, let’s make it more interesting.

{% highlight bash %}
#!/bin/bash

LOG_DIR=/var/log   # Static variables are better than hard-coded values.
ROOT_UID=0         # Only users with $UID 0 have root privileges.
LINES=50           # Default number of lines saved.
E_XCD=86           # Can't change directory?
E_NOTROOT=87       # Non-root exit error.

# Run as root, of course.
if [ "$UID" -ne "$ROOT_UID" ]   # $UID is set by bash from the environment.
then
  echo "Must be root to run this script."
  exit $E_NOTROOT
fi

if [ -n "$1" ]   # Test whether the command-line argument is non-empty.
then
  lines=$1
else
  lines=$LINES   # Default, if not specified on the command line.
fi

#* Another smarter way of doing the same as above:
E_WRONGARGS=85   # Non-numerical argument (bad argument format).

case "$1" in
  ""       ) lines=50;;
  *[!0-9]* ) echo "Usage: $(basename "$0") lines-to-cleanup"
             exit $E_WRONGARGS;;
  *        ) lines=$1;;
esac
#* Hope you understand this.

cd $LOG_DIR

if [ "$(pwd)" != "$LOG_DIR" ]   # or: if [ "$PWD" != "$LOG_DIR" ]   # Not in /var/log?
then
  echo "Can't change to $LOG_DIR."
  exit $E_XCD
fi   # Double-check that we are in the right directory before messing with the log file.

# Far more efficient is:
#
# cd /var/log || {
#   echo "Cannot change to necessary directory." >&2
#   exit $E_XCD;
# }

tail -n $lines syslog > syslog.temp   # Save the last section of syslog.
mv syslog.temp syslog                 # Becomes the new syslog file.

# cat /dev/null > syslog
#* No longer needed, as the above method is safer.

exit 0
{% endhighlight %}
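From the defender's side, both techniques shown on this page leave a footprint on the file itself: `cat /dev/null > syslog` shrinks the file in place, and `tail ... > syslog.temp; mv syslog.temp syslog` swaps in a file with a new inode. The script below is an added example, not code from the original post, that checks for exactly those two changes. It keeps the inode and size seen at the previous check in a state file and raises an alert when the size goes down or the inode changes. The paths, the state-file format and the sample log entries are constructed for the demonstration; `ls -i` and `wc -c` are used for the inode and size so that it runs on a plain POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the original post: flag a log file that has
# been truncated in place or swapped for a rewritten copy.
# State file format (one line, constructed for this example): "<inode> <size>".

# Inode number of a file (ls -i prints "<inode> <name>").
log_inode() {
    ls -i "$1" | awk '{print $1}'
}

# Size of a file in bytes (reading from stdin keeps the file name out of the output).
log_size() {
    wc -c < "$1" | tr -d ' '
}

# check_log FILE STATEFILE
#   Prints "baseline recorded", "ok", or an ALERT line.
#   Returns 0 when nothing suspicious was seen, 1 when it was.
check_log() {
    file=$1
    state=$2
    new_inode=$(log_inode "$file")
    new_size=$(log_size "$file")

    if [ ! -f "$state" ]; then
        echo "$new_inode $new_size" > "$state"
        echo "baseline recorded"
        return 0
    fi

    read -r old_inode old_size < "$state"
    echo "$new_inode $new_size" > "$state"   # always roll the baseline forward

    if [ "$new_inode" != "$old_inode" ]; then
        echo "ALERT: $file was replaced (inode $old_inode -> $new_inode)"
        return 1
    fi
    if [ "$new_size" -lt "$old_size" ]; then
        echo "ALERT: $file shrank ($old_size -> $new_size bytes)"
        return 1
    fi
    echo "ok"
    return 0
}

# Walk through the cases on a constructed sample log in a temporary directory.
demo() {
    dir=$(mktemp -d)
    log="$dir/syslog"
    st="$dir/syslog.state"

    # Constructed sample entries, not taken from any real system.
    printf 'Jan  1 00:00:01 host sshd[101]: Accepted publickey for alice\n' > "$log"
    check_log "$log" "$st"                # baseline recorded

    printf 'Jan  1 00:00:02 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n' >> "$log"
    check_log "$log" "$st"                # ok: the file only grew

    cat /dev/null > "$log"                # the truncation from the first script
    check_log "$log" "$st" || true        # ALERT: shrank

    printf 'Jan  1 00:00:03 host kernel: sample entry\n' > "$log.temp"
    mv "$log.temp" "$log"                 # the rewrite from the second script
    check_log "$log" "$st" || true        # ALERT: replaced (new inode)

    rm -rf "$dir"
}

demo
```

Run it from cron against the real file (for example `check_log /var/log/syslog /var/lib/logcheck/syslog.state`, a path chosen here only as an illustration) and route non-zero exits to your alerting. Two caveats: normal log rotation also changes the inode (rotate-and-create) or shrinks the file (copytruncate), so the check has to be scheduled around, or correlated with, rotation times; and since the check reads the same file an attacker with root can edit, it only helps if the alert and the state file live somewhere that root on the box cannot silently rewrite, such as a remote log collector.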