
[Hacker skills] How to cover up traces of operations on a Linux system

Hacker technology

By Nell Jonas | Published 2 years ago | 6 min read

Operation steps

Step 1: View and manipulate timestamps

Most Linux systems include tools that let us quickly view and modify timestamps. The most important of these is "touch", which creates new files and updates the time at which a file or group of files was last "touched".

    touch file

If the file does not exist, running the above command creates a new file called "file"; if it already exists, the command updates the modification date to the current system time. We can also use a wildcard, as below.

    touch *

This command updates the timestamp of every file in the folder in which it runs. After creating and modifying a file, there are several ways to view its details, the first of which is the "stat" command.

    stat file

Running stat returns information about the file, including its access, modification, and change timestamps. To view the timestamps of a batch of files, use ls with the "-l" (long) option, which lists the file details, including a timestamp.

    ls -l

You can now set the current timestamp and view the timestamp that has been set. You can also use touch to define a custom timestamp: the "-d" flag takes the date in yyyy-mm-dd format, followed by the hours, minutes, and seconds of the time, as follows:

    touch -d "2001-01-01 20:00:00" file

Confirm the modification with the ls command:

    ls -l file

This method is suitable for modifying individual timestamps, but it does not work well for hiding traces of operations across a server. A shell script can automate the process.

Step 2: Organize the shell script

Before you start writing a script, you need to think about which processes it has to perform. To hide traces on the server, the attacker needs to write the original timestamps of a folder to a file and be able to restore them after any changes have been made.

These two functions are triggered by the user's input or parameters, so the script must act on those parameters, and it needs a way to handle errors. Three possible actions are performed based on the user's input:

No parameters: an error message is returned.

Save flag: the timestamps are saved to a file.

Restore flag: the timestamps of the files are restored from the saved list.

You can build the script with nested if/else statements, or give each function its own "if" statement based on its condition. You can write the script in any text editor, such as nano.

Step 3: Start the script

Start nano from the command line and create a script called "timestamps.sh" with the following command:

    nano timestamps.sh

Then enter the following:

    #!/bin/bash
    # With no arguments, print a usage message and exit with an error.
    if [ $# -eq 0 ]; then
        echo "Use a save (-s) or restore (-r) parameter."
        exit 1
    fi

Press Ctrl + O in nano to save the file, then mark it as an executable script with the chmod command.

    chmod +x timestamps.sh

Then run the script with no parameters to test that it returns the error message. If the script prints our echo statement, we can move on to the next condition.

    ./timestamps.sh

Step 4: Write the timestamps to the file

Define the condition for the if statement; "-s" means perform the save function:

    if [ "$1" = "-s" ]; then
    fi

You need to check whether the timestamp file you plan to save to (a file named timestamps) already exists, and if so, delete it to avoid duplicate or incorrect entries, using the following command:

    rm -f timestamps

Then use the "ls" command to list all files and their modification times. Its output can be piped to another program, such as sed, which helps us clean up this input later.

    ls -l

Output like the following usually appears:

    -rw-r--r-- 1 user user 0 Jan 1 2017 file

To save the timestamp, we only need the year, month, day, and file name. The following command strips everything before "Jan":

    ls -l file | sed -n 's/^.*Jan/Jan/p'

This displays the information our program needs, but the month still has to be changed to a numerical format:

    ls -l file | sed -n 's/^.*Jan/01/p'

Replace all months with numbers:

    ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p'

Running in a folder, we will see the results shown in the following figure:

Then send the output to a file named "timestamps" via ">>":

    ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p' >> timestamps

At this point, the first two operations of the script are completed, and the result is shown below:

You can test the script with the "-s" flag and check the saved information with cat:

    ./timestamps.sh -s

    cat timestamps

Step 5: Restore the timestamps of the files

After saving the original timestamps, you need to restore them so that others are not aware that the files have been modified. Start with the following condition:

    if [ "$1" = "-r" ]; then
    fi

Then use the following command to feed in the contents of the text file and process it line by line:

    cat timestamps | while read line
    do
    done

Then assign some variables to make the file data easier to use:

    # Fields are separated by single spaces: month day year-or-time filename
    MONTH=$(echo $line | cut -f1 -d ' ')
    DAY=$(echo $line | cut -f2 -d ' ')
    FILENAME=$(echo $line | cut -f4 -d ' ')
    YEAR=$(echo $line | cut -f3 -d ' ')

These four fields are laid out consistently in the saved timestamp file, but if a timestamp falls within the past year, ls shows only the time of day, not the year. To determine the current year, we can either hard-code the year in which the script is written or obtain the year from the system, for example with the cal command, which prints the calendar.

Then take the first line and keep only the year:

    CURRENTYEAR=$(cal | head -1 | cut -f6- -d ' ' | sed 's/ //g')

After defining all the variables, you can use an "if else" statement to update the timestamp of the file based on the formatted date, using the touch syntax:

    touch -d "2001-01-01 20:00:00" file

Because each time of day contains a colon, you can use the following "if else" statement to complete the operation, as shown in the following figure:

    # A colon in the third field means ls printed a time, so use the current year.
    if [[ $YEAR == *:* ]]; then
        touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR:00" "$FILENAME"
    else
        touch -d "$YEAR-$MONTH-$DAY" "$FILENAME"
    fi

Step 6: Use the script

The main commands used are as follows:

    ./timestamps.sh -s    # Save file timestamps

    touch -d "2050-10-12-10-10-10-10-10-00" *    # Modify the timestamp of all files in the directory

    ls -a    # Confirm the modified files

    ./timestamps.sh -r    # Restore the original timestamps of the files

Finally, you can run "ls -a" again to see whether the timestamps of the files match the timestamps of the previous backup. The entire script has now been executed, as shown in the following figure:

Summary

This script removes only some of the traces left behind after an attack on a server. To hide their tracks, attackers must carefully consider every method they use while attacking a server and how to conceal it afterwards.

As shown above, timestamps can "lie", so system administrators must be aware that many of their logs and protections can be manipulated, even when nothing appears to be out of the ordinary.
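A check administrators can run against the technique above, added here as an example and not part of the original article. touch -d rewrites the modification time, but the kernel sets the change time (ctime) to the moment of the call, and a date given to whole seconds leaves a zero nanosecond field. The function name find_mtime_ctime_gaps and the one-hour default threshold are assumptions, and the script relies on GNU find and stat.

```shell
#!/bin/sh
# Added example: flag files whose mtime and ctime disagree, the residue that
# touch -d leaves behind. Assumes GNU coreutils stat and filenames without
# newlines. find_mtime_ctime_gaps is a hypothetical helper name.
#
# Output columns (tab-separated): gap_seconds  zero_ns  mtime  path
#   gap_seconds = ctime - mtime (negative: mtime lies after ctime, as with
#                 the year-2050 date used in step 6)
#   zero_ns     = yes when mtime has no sub-second part, which is what a
#                 "YYYY-MM-DD HH:MM:SS" argument to touch -d produces
find_mtime_ctime_gaps() {
    dir=$1
    min_gap=${2:-3600}   # assumed default: ignore gaps under one hour
    find "$dir" -xdev -type f -exec stat -c '%Y %Z %y %n' {} + |
    while read -r mtime ctime mdate mclock mtz name; do
        gap=$((ctime - mtime))
        # Skip files whose two timestamps agree to within the threshold.
        if [ "$gap" -lt "$min_gap" ] && [ "$gap" -gt "-$min_gap" ]; then
            continue
        fi
        case ${mclock#*.} in
            000000000) zero_ns=yes ;;
            *)         zero_ns=no ;;
        esac
        printf '%s\t%s\t%s %s %s\t%s\n' \
            "$gap" "$zero_ns" "$mdate" "$mclock" "$mtz" "$name"
    done
}

# Constructed demo: run the script with --demo to see one flagged file.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    : > "$demo/untouched.log"
    : > "$demo/backdated.log"
    touch -d "2001-01-01 20:00:00" "$demo/backdated.log"
    find_mtime_ctime_gaps "$demo"
    rm -rf "$demo"
fi
```

Archive extraction, chmod and rename also leave ctime later than mtime, so treat the output as leads to compare against audit logs or file-integrity baselines, with zero_ns=yes rows first.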

-End-


    © 2024 Creatd, Inc. All Rights Reserved.