Project: Linux Log Eraser v0.2



b0nd
06-06-2011, 04:14 PM
Hi Friends,

Here I am presenting v0.2 for the same.

The Default Page with Garage logo:
http://img1.imagehousing.com/97/60c8c478cc5f26e5403cce6c6a01c7ef.png

The Help Page:
http://img1.imagehousing.com/25/f36f71100b23d8e0e2e0e2b04ca3587e.png

Features in ver 0.2:

1. The script has been redesigned from scratch. It's more customizable now. Pay attention to the global variables declared and initialized at the top of the code.
2. Non-interactive script: the interactive features might be painful over a remote connection or reverse shell.
3. Included features to erase user activity logs from log files (wtmp, utmp, lastlog, etc.).
4. Fetch the IP, spoof_ip and user name. The script will take care of removing all entries of them from "editable" ASCII files and will spoof all of them in binary files.
5. Fixed the error in deleting the log entries for the web backdoor shell from the web logs.
6. Restore the time stamps of all the log files which have been accessed and edited.
7. Get some basic system info.
8. Verify-IP: to inform the user if he has entered an invalid IP by mistake (it includes 3 different checks on user input).

This time, script being non-interactive, please play safe.

The script is ready to go and can be used in your ventures!

A couple more things are running in the back of my mind for the same concept. I will try to incorporate them soon into the existing code.

Hackuin, please have a closer look this time. I haven't included your suggestions yet, but definitely will.

PS: Delete the trailing .txt extension.
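Detection-side counterpart to items 3 and 4 of the feature list above, added here as an example and not part of the Wipe_Linux_Logs script: a Python consistency check for a wtmp file. It assumes the glibc struct utmp layout of x86-64 Linux (384-byte records with 32-bit ut_tv fields); the format string, the function names and the records built in demo() are all constructed for this example. A replacement that only rewrites the ut_host string in the binary file leaves the numeric ut_addr_v6 field untouched, so the two stop agreeing; dropping or rewriting whole records tends to break the timestamp order and, when done carelessly, the 384-byte record alignment.

```python
"""Consistency checks for a Linux wtmp/utmp file after a suspected in-place edit.

Added example for this thread; it is not part of the Wipe_Linux_Logs script.
Assumes the glibc struct utmp layout on x86-64 Linux: 384-byte records with
32-bit ut_tv fields. Other platforms differ and UTMP_FMT must be adjusted.
"""
import re
import socket
import struct

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, e_termination,
# e_exit, ut_session, tv_sec, tv_usec, ut_addr_v6 (raw 16 bytes), __unused
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 on x86-64 glibc
USER_PROCESS = 7                        # ut_type of a normal login record
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Split raw file bytes into record dicts; also report a bad file length."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append("file length %d is not a multiple of the %d-byte record size"
                        % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]),
                        "tv_sec": f[9], "addr": f[11]})
    return records, findings


def check_records(records):
    """Flag host/address disagreement and timestamps that run backwards."""
    findings = []
    newest = 0
    for i, r in enumerate(records):
        # wtmp is append-only, so time should not go backwards; small clock
        # steps can trigger this too, so review hits by hand
        if r["tv_sec"] < newest:
            findings.append("record %d: timestamp goes backwards (%d < %d)"
                            % (i, r["tv_sec"], newest))
        newest = max(newest, r["tv_sec"])
        # login from a numeric IPv4: ut_host text and ut_addr_v6 must agree
        if (r["type"] == USER_PROCESS and IPV4_RE.match(r["host"])
                and r["addr"][:4] != b"\0\0\0\0"):
            numeric = socket.inet_ntoa(r["addr"][:4])
            if numeric != r["host"]:
                findings.append("record %d: ut_host says %s but ut_addr_v6 says %s"
                                % (i, r["host"], numeric))
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec, ip=None):
    """Build one constructed record; ip is a dotted quad or None for local logins."""
    addr = (socket.inet_aton(ip) + b"\0" * 12) if ip else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, addr)


def demo():
    """Three constructed records plus stray bytes; returns every finding."""
    t0 = 1307300000  # constructed epoch time, June 2011
    clean = make_record(USER_PROCESS, 4242, "pts/0", "alice", "192.168.1.7", t0, "192.168.1.7")
    # host string rewritten to a decoy, numeric address left untouched
    spoofed = make_record(USER_PROCESS, 4243, "pts/1", "bob", "192.168.1.1", t0 + 60, "192.168.1.7")
    # a record re-inserted with a time earlier than its predecessor
    stale = make_record(USER_PROCESS, 4244, "pts/2", "carol", "gateway", t0 - 3600)
    data = clean + spoofed + stale + b"\0" * 7   # 7 stray bytes from a careless edit
    records, findings = parse_wtmp(data)
    return findings + check_records(records)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real system, replace demo() with `parse_wtmp(open("/var/log/wtmp", "rb").read())`; hostnames (as opposed to numeric addresses) in ut_host are skipped, and the timestamp check is a prompt for review rather than proof, since NTP steps can also move the clock backwards.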

s1ayer
06-06-2011, 05:40 PM
:)
Great work... bro...

41.w4r10r
06-06-2011, 07:42 PM
And here we go....

Hackuin
06-08-2011, 08:48 PM
Haha. I know it's been overlooked.
The help option contains wrong usage information. I mean the function "help_banner ()" contains:


Usage
=====
./linux_log_eraser.sh options

Whereas "linux_log_eraser.sh" is the wrong filename. So, is it recommended to use "`basename $0`" or "$0" accordingly, or just replace "linux_log_eraser.sh" with "Wipe_Linux_Logs-v0.2.sh"? ;)
I would still recommend that you implement it a little user-interactive, which obviously reduces plenty of code. For example, instead of the user manipulating the script itself to add more log files, why not read the absolute path of the log files from STDIN, or just read a file name and check whether the file exists in the log locations, something like "locate $1".

The other thing is "positional parameter checking": if you pass "./Wipe_Linux_Logs-v0.2.sh 123" it still goes and messes with the log files. Try to restrict the script to use only those parameters mentioned in the script; everything else should be forced to exit().

Applying the correct parameter/option with the file specified by the user, we can completely take off the overhead of some functions like "fuck_log_files()", etc. Even more, there are some circumstances where we don't need to mess around with the whole log structure; instead we just need to erase a particular file. So it would be better to implement logic to just erase a particular file, where we don't need the overhead.

Also, as I told earlier, plenty of stuff requires root permissions, so just force the user to be root instead of the overhead of checking who the user is logged in as, etc.

-Hackuin

b0nd
06-13-2011, 08:57 AM
Thanks for pointing out the errors, Hackuin.

1. The $0 has been fixed for the filename. I really overlooked that!
2. "./Wipe_Linux_Logs-v0.2.sh 123" has also been fixed. 4 checks were already there but I missed the 5th one, and you caught that :)



Applying the correct parameter/option with the file specified by the user, we can completely take off the overhead of some functions like "fuck_log_files()", etc. Even more, there are some circumstances where we don't need to mess around with the whole log structure; instead we just need to erase a particular file. So it would be better to implement logic to just erase a particular file, where we don't need the overhead.
Could you please be more specific here with some practical example?



I would still recommend that you implement it a little user-interactive, which obviously reduces plenty of code. For example, instead of the user manipulating the script itself to add more log files, why not read the absolute path of the log files from STDIN, or just read a file name and check whether the file exists in the log locations, something like "locate $1".

I would refrain from doing that. Two arrays have been declared; a user with 1 ounce of brain shall be able to comment/uncomment or add in a new log file. The user would just need to customize it once per scenario.



Also, as I told earlier, plenty of stuff requires root permissions, so just force the user to be root instead of the overhead of checking who the user is logged in as, etc.

How?

Rgds

Anant Shrivastava
06-13-2011, 09:53 AM
Hey b0nd,
not sure if it's technically feasible or not.

Why not put the original timestamps back on the file after we are done messing it up?

I have seen people suggesting to check the file modification date to get an approximate idea of tampering...

So I am suggesting, if it's possible (not sure how), to revert the timestamps on the files after we are done messing with them.

b0nd
06-13-2011, 10:22 AM
Hey b0nd,
not sure if it's technically feasible or not.

Why not put the original timestamps back on the file after we are done messing it up?

I have seen people suggesting to check the file modification date to get an approximate idea of tampering...

So I am suggesting, if it's possible (not sure how), to revert the timestamps on the files after we are done messing with them.

Yes, that is the crux of this code and it has already been implemented since v0.1.

The following functions contain this code:
1. check_time_stamping ()
2. edit_ascii_file_and_timestamping ()
3. edit_binary_file_and_timestamping ()
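The check on the other side of this exchange, as an added example that is neither b0nd's nor Anant's code: a script can restore mtime and atime (touch and utime() allow that), but not ctime, the inode change time, which the kernel sets from the current clock on every write and on the utime() call itself. The Python below flags log files whose ctime is far newer than their mtime, and empty files, over a constructed temp directory built in demo(); the slack threshold and the file names are assumptions for the example.

```python
"""Look for the traces a 'restore the time stamps' step leaves on a log file.

Added example for the timestamp discussion in this thread; not code from
the Wipe_Linux_Logs script. touch/utime() can put mtime and atime back but
not ctime: the kernel stamps ctime with the current clock on every write
and on the utime() call itself. A log whose ctime is far newer than its
mtime, or one that is empty when it should not be, is worth a look.
"""
import os
import shutil
import tempfile
import time


def inspect_log_file(path, slack=60):
    """Return a list of findings for one file; an empty list means nothing odd.

    slack: seconds of ctime/mtime drift tolerated (logrotate, chmod and
    editors move ctime legitimately, so keep this loose and review hits).
    """
    st = os.stat(path)
    findings = []
    drift = st.st_ctime - st.st_mtime
    if drift > slack:
        findings.append("ctime is %.0f s newer than mtime: "
                        "mtime looks restored after a later write" % drift)
    if st.st_size == 0:
        findings.append("file is empty: possible truncation")
    return findings


def scan_log_dir(directory, slack=60):
    """Map file name -> findings for every regular file that has any."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            findings = inspect_log_file(path, slack)
            if findings:
                report[name] = findings
    return report


def demo():
    """Build a constructed /var/log look-alike in a temp dir and scan it."""
    workdir = tempfile.mkdtemp()
    try:
        week_ago = time.time() - 7 * 86400
        sample = "Jun  6 16:14:01 host sshd[4242]: Accepted password for alice\n"
        # auth.log: written now and left alone, so mtime and ctime agree
        with open(os.path.join(workdir, "auth.log"), "w") as fh:
            fh.write(sample)
        # secure: rewritten, then mtime/atime set back a week (touch -t style);
        # ctime still records the real edit time
        edited = os.path.join(workdir, "secure")
        with open(edited, "w") as fh:
            fh.write(sample)
        os.utime(edited, (week_ago, week_ago))
        # wtmp: truncated to zero bytes
        open(os.path.join(workdir, "wtmp"), "w").close()
        return scan_log_dir(workdir)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Run it against the real directory with `scan_log_dir("/var/log")` as root. ctime can only be back-dated by moving the system clock or writing the inode directly, so a mismatch is a stronger signal than the mtime check Anant mentions; pair it with the wtmp record checks when the binary files are in question.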

Anant Shrivastava
06-13-2011, 10:53 AM
Yes, that is the crux of this code and it has already been implemented since v0.1.

The following functions contain this code:
1. check_time_stamping ()
2. edit_ascii_file_and_timestamping ()
3. edit_binary_file_and_timestamping ()

Looks like I missed it ...

I am getting old ....

b0nd
06-13-2011, 11:14 AM
Looks like I missed it ...

I am getting old ....

With two consecutive "misses" ... I could say "YES", you need some rest ;)

[s]
06-14-2011, 06:56 PM
Awesome Project ... Awesome logo .. Awesome Description :) Ultimate ...

Hackuin
06-16-2011, 04:48 PM
I would refrain from doing that. Two arrays have been declared; a user with 1 ounce of brain shall be able to comment/uncomment or add in a new log file. The user would just need to customize it once per scenario.

Actually, people running *nix have little sense of manipulating scripts, no doubt about that. I was pointing at standards; we all know we shall keep the script as simple as possible for the end-user. We should neither consider the end-user an idiot/dumb at IT nor consider them a professional at IT.
If the 1-ounce user has a brain, then why did you make verify_ip() with all those checks? Doesn't this 1-ounce user know how to type an IP address? Or you could have just echoed something like echo -e "IP example: 192.168.1.12". The main intention of making scripts is to make things simple at end-usage. :] I hope you got my point. But I agree, or am a little biased towards your refrain, regarding the dumb-tards who have no idea and try to experiment with things in their offices, lolz; that will surely bring him/her into ironic situations.
Even more, if you intend the user to manipulate the script, as our script has a large number of functions, just create a library and source it in the script. So even if the user manipulates the script, it doesn't affect any of the functions we use. Just an idea, not that useful, but if the actual script is meant to be edited/manipulated, this is a quite safer method.



Could you please be more specific here with some practical example?

What I actually meant by that is: what does our fuck_logs_files() do?
It determines all the log files and erases them. That is what I meant about STDIN: consider that I have no problem with the other files, except one particular file, say wtmp, and I just want to erase this particular file and don't want to erase any of the other log files. Our function doesn't do it; it just finds ALL the log files on the system and erases them. Yes, we can specify only the "wtmp" file in our array, and it works, but it becomes a one-feature-at-a-time scenario. That is the reason I suggested getting a user-input file and doing things according to the desired function of the user. Like in my case, I just wanted to erase the "wtmp" file: I run our shell script, I pass "wtmp", it locates and erases it. Simple.
That is the reason I was objecting to restricting the user to manipulating the script itself. :]



#!/bin/bash

#: Just an example to erase the particular user defined file

user_specified_erases()
{
CH_DIR=/var/log
read FILE

#: As we know, all the log files have lowercase names; if the user specifies an uppercase
#:+ or mixed-case name, locate fails.
#: Read the end-user input and convert it to lower case.

FILE=`echo ${FILE,,}`

#: However, we know the log files are located in /var/log/
#: We change to the log directory
cd $CH_DIR 2>/dev/null #: If any error while changing directory.

if [ "$PWD" != "$CH_DIR" ]
then
echo "Cannot change directory!!";
exit 1
fi

#: Check whether the file exists

file $FILE >/dev/null

if [ "$?" != 0 ]
then
echo "File does not exist";
exit 1
else
:>$FILE
fi
}

#: function call; obviously more user-friendly messages can be added.
user_specified_erases


So either place the function in the library, or use it and add another parameter/option like "-E", which leads to: if a user specifies the -E option, it prompts the user to supply the file name which he/she wants to erase. :]



How?

Either with


#!/bin/bash
#: Description: Forcing user to be a root or Displaying the message to end-users to become root.

__rootUid=0 #: As we know the user ID of root is 0

if [ "$UID" -ne "$__rootUid" ] #: Please use desired STDOUT message for end-user.
then
printf "%s\n" "Cannot run script: Permission denied." "Please be root to use this script".
exit 1
fi

or



#!/bin/bash
#: Description: Forcing user to be a root or Displaying the message to end-users to become root.
if [ "$(whoami)" != "root" ] ; then
printf "%s\n" "Cannot run script: Permission denied." "Please be root to use this script". >&2
exit 1
fi

-Hackuin.

b0nd
06-19-2011, 08:22 AM
Hey Hackuin,
Thanks for taking the time to analyze the script and for the good feedback.

As per your suggestions:
1. A separate file containing the arrays of log files has been sourced. So whenever any editing is needed, the main source file and its functions are safe.

2. Restricted the checks to verify "root" privileges; only UID and EUID are verified:

if [ "$UID" != "0" ]
then
if [ "$EUID" != "0" ]
then
echo -e "\n Cannot run script: Permission denied." "Please be root to use this script".
call_exit
fi
fi

Apart from those amendments, a new feature has been added which helps the user execute the script with less pain (less manual effort).

Running with that parameter, the user is presented with the following two pieces of information:
1. The various log files (/var/log/*) in which his IP has been found. So from the result, if he sees any log file which is not in the list of default log files in the script, he can add the new one to the list before editing the files.
2. Search all log files (/var/log/*) and present the top 30 IPs with the most occurrences in the log files. This helps the user pick a suitable one for spoofing his IP.


TOP 30 IPs found in log files:

2278 times -----> 255.255.255.255
126 times -----> 127.0.0.1
104 times -----> 192.168.1.1
96 times -----> 192.168.1.7
90 times -----> 192.168.1.5
... up to 30 entries


Any further comments, guys?

Rgds

__Yum__
12-21-2015, 12:06 PM
Thanks to b0nd for this script; the binary log files are nicely taken care of. history -c, -w or clearing lines from .bash_history would be a plus.

As an added feature, it would be great if the script could take care of history commands as well. I suppose sysadmins will find that someone did something nasty on the machine if the history is not cleaned.

b0nd
12-22-2015, 07:50 AM
Hey, thanks for the input. It's hard for me to recall the script's features now. What I remember is: I coded v0.3 of it and it was nearly complete when I got stuck badly with one piece of its functionality and could never complete the script at that time.
v0.3 had massive improvements; I need to find it buried deep down in some directory (hopefully); it's been years now.

Cheers!