Sha Bang Covert Action

Dec. 29, 2011

Let’s think about logging. A smart hacker will always go for a covert mode of action; this requires knowing how logging happens on the target system, getting the privileges to access those files, and cleaning the entries. Considering the first step, a Linux system stores all sorts of logs in the default location /var/log/. This directory contains multiple log files, depending on the applications running on the system. For testing purposes, let’s take the default Linux log file, syslog.

root@bt# cat /dev/null > /var/log/syslog

The above statement is simple to understand: /dev/null reads as an empty file, so redirecting it into syslog truncates the file to zero length. Now let’s create a shell script to do the same.

#!/bin/bash
# You should be root to run this script
cat /dev/null > /var/log/syslog
echo "syslog cleaning completed."
exit

This is a very simple script; let’s make it more interesting.

#!/bin/bash

LOG_DIR=/var/log # Variables are better than hard-coded values.
ROOT_UID=0       # Only users with $UID 0 have root privileges.
LINES=50         # Default number of lines saved.
E_XCD=86         # Can't change directory?
E_NOTROOT=87     # Non-root exit error.

# Run as root, of course.
if [ "$UID" -ne "$ROOT_UID" ]
# $UID is a Bash builtin variable holding the numeric ID of the current user.
then
  echo "Must be root to run this script."
  exit $E_NOTROOT
fi

if [ -n "$1" ] # Test whether command-line argument is non-empty
then
  lines=$1
else
  lines=$LINES # Default, if not specified on command-line.
fi  

#* Another, smarter way of doing the same as above:
#  E_WRONGARGS=85  # Non-numerical argument (bad argument format).
#  case "$1" in
#  ""      ) lines=50;;
#  *[!0-9]*) echo "Usage: `basename $0` lines-to-cleanup";
#  exit $E_WRONGARGS;;
#  *       ) lines=$1;;
#  esac
#
#* Hope you understand this.

cd "$LOG_DIR"

if [ "$(pwd)" != "$LOG_DIR" ]  # or   if [ "$PWD" != "$LOG_DIR" ]
                               # Not in /var/log?
then
  echo "Can't change to $LOG_DIR."
  exit $E_XCD
fi  # Double-check that we are in the right directory before messing with the log file.

# Far more efficient is:
#
# cd /var/log || {
#   echo "Cannot change to necessary directory." >&2
#   exit $E_XCD;
# }

tail -n "$lines" syslog > syslog.temp # Save the last $lines lines of syslog.
mv syslog.temp syslog                 # Becomes the new syslog (same name, new inode).

#  cat /dev/null > syslog
#* No longer needed, as the above method is safer.

exit 0
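From the defender's side, both things the script above does leave a trace: "cat /dev/null > syslog" makes an append-only log shrink, and "mv syslog.temp syslog" gives the log a new inode. The following is an added example, not code from the original post: a small POSIX shell check that records the inode and size of a log file in a state file and flags either change on the next run (the file and state paths are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post). Detects the two changes a log
# cleanup makes: truncation (size shrinks) and replacement (inode changes).
# STATEFILE holds "inode size" from the previous run; paths are assumptions.

# log_fingerprint FILE -> prints "inode size", using only POSIX tools.
log_fingerprint() {
  ino=$(ls -di "$1" | awk '{print $1}')
  size=$(wc -c < "$1" | tr -d ' ')
  printf '%s %s\n' "$ino" "$size"
}

# check_log FILE STATEFILE
# Prints BASELINE (first run), OK, REPLACED or TRUNCATED and updates STATEFILE.
# Returns 0 when nothing suspicious was seen, 1 otherwise (useful from cron).
check_log() {
  file=$1; state=$2
  now=$(log_fingerprint "$file")
  new_ino=${now%% *}; new_size=${now#* }
  verdict=OK; rc=0
  if [ ! -f "$state" ]; then
    verdict=BASELINE
  else
    read -r old_ino old_size < "$state"
    if [ "$new_ino" != "$old_ino" ]; then
      verdict=REPLACED; rc=1      # same name, different inode (file moved over it)
    elif [ "$new_size" -lt "$old_size" ]; then
      verdict=TRUNCATED; rc=1     # an append-only log should never get smaller
    fi
  fi
  printf '%s\n' "$now" > "$state"
  echo "$verdict"
  return $rc
}
```

Run it periodically against the real log, e.g. check_log /var/log/syslog /var/lib/logcheck.state, and treat a nonzero exit as the alert. Log rotation legitimately replaces the inode too, so reset the state file right after rotation to avoid false positives.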