When a computer attack is carried out that can have legal or other consequences, one of the points where we most often make a mistake is not cleaning up our trail properly. In this post I will explain how a set of scripts works that helps automate part of that process.
Since there are different environments, I will cover several scripts, one per environment.
Common Linux log file names and their usage:
/var/log/messages: General messages and system-related entries
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail: Qmail log directory (more files inside this directory)
/var/log/httpd: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log: System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure or /var/log/auth.log: Authentication log
/var/log/utmp or /var/log/wtmp: Login records file
/var/log/yum.log: Yum command log file.
/var/log/btmp: Recordings of failed login attempts
/var/log/utmp: Current login state, by user
/var/run/utmp: Current login state, by user
/var/log/wtmp: login/logout history
/var/log/xferlog: Contains all FTP file transfer sessions
/var/log/daemon.log: Tracks services running in the background
/var/adm/lastlog: Information about the last logins for all users
/var/log/lastlog: Information about the last logins for all users
/usr/adm/lastlog: Information about the last logins for all users
/var/log/apache2: Debian / Ubuntu Linux Apache logs
/var/apache/log: Apache logs
/var/apache/logs: Apache logs
/usr/local/apache/log: Apache logs
/usr/local/apache/logs: Apache logs
/root/.bash_logout: Commands Bash runs when a login shell exits (not a history file, but checked alongside it)
/root/.bash_history: Bash history
/root/.ksh_history: Korn shell (ksh) history
On Windows systems, all of the logs are kept in the Event Log and read through the Event Viewer. On macOS, the logs are in ~/Library/Logs.
Now I will show some tools that help with the process, or that can serve as a base for writing our own scripts for this purpose:
[WINDOWS] - Invoke-Phant0m:
Invoke-Phant0m is a PowerShell script that targets the Windows Event Log service (hosted in svchost.exe), because that service is the main source from which information about an attacker can be obtained on this kind of system.
The svchost process is essential for running shared-service processes, where several services share one process in order to reduce the use of system resources.
The steps carried out by Invoke-Phant0m are the following:
1. Detect the process of the Windows Event Log service on the target operating system.
2. Get its list of threads and identify the IDs of the threads belonging to the Windows Event Log service.
3. Kill all the threads of the Windows Event Log service.
In other words, if it runs correctly the Windows Event Log service stops working, so the target system can no longer collect or forward records, yet the service still appears to be running: what gets killed is not the svchost.exe process that hosts the Windows Event Log service but only its threads. This is the main advantage and purpose of Phant0m. The service stops, but everything seems to be working.
Code: https://github.com/hlldz/Invoke-Phant0m
[WINDOWS] - Manually delete Windows logs:
Save this code as a .cmd file and run it from an elevated prompt (it needs administrator rights, which the bcdedit check below verifies):
@echo off
REM bcdedit fails with "Access is denied" when not elevated; use that as the admin test
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
REM enumerate every event log channel and clear each one
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo This script must be run as administrator.
:theEnd
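Both techniques above leave something for the other side to find: clearing a log with wevtutil writes a "log cleared" record (Security event 1102, System event 104, both from the Microsoft-Windows-Eventlog provider), and killing the Event Log service threads leaves channels that are still "running" but silently stop receiving events. The following is an added example, not code from the original post or from the Invoke-Phant0m project, that checks for both signals on exported event records. It assumes records flattened to dicts with the keys time, channel, id and provider (as you would get from a Get-WinEvent export to JSON); the sample records, the NOW timestamp and the EXPECTED_CHANNELS list are all constructed for the demonstration.

```python
"""Spot cleared or silenced Windows event channels in exported records."""
from datetime import datetime, timedelta

# (channel, event id) pairs written when a log is emptied
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
CLEAR_PROVIDER = "Microsoft-Windows-Eventlog"


def _t(iso):
    return datetime.fromisoformat(iso)


def clear_events(events):
    """Records that document a log being emptied (wevtutil cl leaves these)."""
    return [e for e in events
            if (e["channel"], e["id"]) in CLEAR_EVENTS
            and e["provider"] == CLEAR_PROVIDER]


def last_seen(events):
    """Newest timestamp observed per channel."""
    latest = {}
    for e in events:
        t = _t(e["time"])
        if e["channel"] not in latest or t > latest[e["channel"]]:
            latest[e["channel"]] = t
    return latest


def audit_channels(events, now, expected_channels, max_gap=timedelta(hours=1)):
    """Per-channel verdict: 'cleared' when a clear event exists, 'silent' when
    the newest record is older than max_gap or the channel has no records at
    all (the Phant0m symptom: service reported running, nothing written),
    otherwise 'ok'."""
    cleared = {e["channel"] for e in clear_events(events)}
    latest = last_seen(events)
    now = _t(now)
    verdict = {}
    for ch in expected_channels:
        if ch in cleared:
            verdict[ch] = "cleared"
        elif ch not in latest or now - latest[ch] > max_gap:
            verdict[ch] = "silent"
        else:
            verdict[ch] = "ok"
    return verdict


# Constructed sample export (not from a real host): Security and System were
# cleared at 09:10, Sysmon went quiet at 08:55, PowerShell has no records.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:55:10", "channel": "Microsoft-Windows-Sysmon/Operational",
     "id": 1, "provider": "Microsoft-Windows-Sysmon"},
    {"time": "2024-05-01T09:00:00", "channel": "System",
     "id": 7036, "provider": "Service Control Manager"},
    {"time": "2024-05-01T09:05:00", "channel": "Security",
     "id": 4624, "provider": "Microsoft-Windows-Security-Auditing"},
    {"time": "2024-05-01T09:10:00", "channel": "Security",
     "id": 1102, "provider": "Microsoft-Windows-Eventlog", "user": "WEB01\\svc_backup"},
    {"time": "2024-05-01T09:10:01", "channel": "System",
     "id": 104, "provider": "Microsoft-Windows-Eventlog"},
    {"time": "2024-05-01T11:50:00", "channel": "Application",
     "id": 1000, "provider": "Application Error"},
]
NOW = "2024-05-01T12:00:00"
EXPECTED_CHANNELS = ["Security", "System", "Application",
                     "Microsoft-Windows-Sysmon/Operational", "Windows PowerShell"]

if __name__ == "__main__":
    for ch, verdict in audit_channels(SAMPLE_EVENTS, NOW, EXPECTED_CHANNELS).items():
        print(f"{verdict:8} {ch}")
```

The "silent" verdict is the only one of the two that works against the thread-killing approach, since no clear event is written in that case; it depends on knowing which channels normally produce events within the chosen window, so the expected list and the gap should come from the host's own baseline rather than from this constructed one. On a real host the same audit is cheap to run from the collector side: a channel that reports as healthy but has not forwarded anything for an hour deserves a look at the Event Log service threads.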
[LINUX] - FreedomFighting script:
This script removes incriminating entries from the following log files:
/var/run/utmp, /var/log/wtmp, /var/log/btmp
/var/log/lastlog
/var/**/*.log
Any file indicated by the user
Entries are deleted based on an IP address and/or the associated hostname. A useful feature of the script is that it lets the logs keep being written after they have been manipulated, which removes the suspicion that a log file was modified. All the work is done on a tmpfs mount and the files it creates are securely wiped.
Running ./nojail.py --help lists the parameters it accepts. As you can see, its use is quite simple.
Code: https://github.com/JusticeRage/freedomfighting/blob/master/nojail.py
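Removing wtmp, utmp and btmp entries by IP or hostname leaves the file internally consistent, so the file alone rarely gives the edit away; what does is a second record of the same logins that was not edited the same way, such as sshd's "Accepted" lines in auth.log or the journal. The following is an added example, not code from the original post or from the nojail.py project, that parses a wtmp image and an auth.log excerpt and reports SSH logins that have no matching wtmp record. It assumes the glibc x86_64 struct utmp layout (384-byte records), the sshd "Accepted <method> for <user> from <ip> port <n>" line format, and that both sources are in UTC; the AUTH_LOG_SAMPLE and WTMP_SAMPLE inputs are constructed with the helper in the block, not captured from a real host.

```python
"""Cross-check wtmp login records against sshd's auth.log entries."""
import re
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp, little-endian, explicit padding after ut_type:
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{termination, exit}, ut_session, ut_tv{sec, usec}, ut_addr_v6[4], unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 bytes
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def _epoch(iso):
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, user, host, tv_sec, pid=4242, line="pts/0"):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Return the USER_PROCESS (interactive login) records in a wtmp image."""
    records = []
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        if f[0] == USER_PROCESS:
            records.append({"user": _cstr(f[4]), "host": _cstr(f[5]), "tv_sec": f[9]})
    return records


def parse_auth_log(text, year):
    """Return sshd 'Accepted' logins; syslog lines carry no year, so it is supplied."""
    logins = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        logins.append({"user": m["user"], "host": m["ip"],
                       "tv_sec": int(ts.replace(tzinfo=timezone.utc).timestamp())})
    return logins


def missing_from_wtmp(logins, records, slack=120):
    """Logins sshd accepted that have no wtmp record for the same user and
    source address within `slack` seconds: what a per-IP purge leaves behind."""
    def matched(login):
        return any(r["user"] == login["user"] and r["host"] == login["host"]
                   and abs(r["tv_sec"] - login["tv_sec"]) <= slack for r in records)
    return [lg for lg in logins if not matched(lg)]


def audit_wtmp(wtmp_data, auth_text, year):
    return {
        # a size that is not a multiple of the record size means the file was
        # cut mid-record, which no legitimate writer does
        "truncated_tail": len(wtmp_data) % UTMP_SIZE != 0,
        "missing": missing_from_wtmp(parse_auth_log(auth_text, year),
                                     parse_wtmp(wtmp_data)),
    }


# Constructed sample: sshd accepted three logins ...
AUTH_LOG_SAMPLE = """\
May  1 08:58:03 web01 sshd[1201]: Server listening on 0.0.0.0 port 22.
May  1 09:05:12 web01 sshd[1377]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
May  1 09:30:00 web01 sshd[1402]: Accepted publickey for bob from 10.0.0.9 port 50211 ssh2
May  1 10:15:40 web01 sshd[1488]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""

# ... but the wtmp image only carries the first two (the 198.51.100.7 login is gone).
WTMP_SAMPLE = b"".join([
    pack_record(BOOT_TIME, "reboot", "", _epoch("2024-05-01T08:57:30"), pid=0, line="~"),
    pack_record(USER_PROCESS, "alice", "10.0.0.5", _epoch("2024-05-01T09:05:13")),
    pack_record(USER_PROCESS, "bob", "10.0.0.9", _epoch("2024-05-01T09:30:01"), line="pts/1"),
    pack_record(DEAD_PROCESS, "", "", _epoch("2024-05-01T09:40:00")),
])

if __name__ == "__main__":
    print(audit_wtmp(WTMP_SAMPLE, AUTH_LOG_SAMPLE, 2024))
```

The same comparison works in the other direction (wtmp logins with no sshd line point at an edited auth.log), and it is only as good as the independence of the two sources: a copy of auth.log shipped to a remote collector at write time is the version worth comparing against, since a tool that edits /var/**/*.log on the host will have cleaned the local copy with the same IP filter.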
[LINUX and WINDOWS] - LogsKiller:
A set of scripts that deletes the logs on both systems.
Code: https://github.com/Rizer0/Log-killer