Hack Logs and Linux Commands: What's Going On Here?
This morning, I received a message from a friend who was reading a hack log, and she had some questions about the commands used. This got me thinking, as Linux has a ton of commands and some can be archaic, yet useful. We are going to go over everything you need to know to read a hack log and hopefully implant the steps in your head for future use.
If you're wondering just what a hack log is, let me explain. All of your typed commands are saved in a history file named .bash_history, and once the system has been compromised and databases dumped, that history serves as a log of how the hack went down. As such, hack logs are often released with notes and comments after such an attack is performed.
Another example would be the post-snitch release for sup_g.
Now, before we get started, let's go over some of the more entry-level commands. Knowing these will make understanding a hack log much easier.
$ grep [options] [pattern] [file]
Grep is a tool to search for strings in a file (and so much more). Let's say you just downloaded a huge password dump and you need to locate a specific account. Grep is your tool. You can also pipe and redirect output from one command into grep to narrow down the information you need. It then highlights the matching string on most distros. Perhaps you need to locate a specific Firefox process that is running; you could type:
$ ps -e
And sift through the possibly long list it returns, or you can:
$ ps -e | grep [string]
Notice the pipe operator | is placed between the commands in the order the data should travel.
$ lsof [options] [file]
Lsof lists open files. This might seem rather lackluster, until you remember that everything is considered a file in Linux. You can see open TCP ports by using:
$ lsof | grep TCP
Notice how useful grep and pipes are? This is also the same data from:
$ lsof -i
$ head [file]
$ tail [file]
These two commands allow us to view the first (head) and last (tail) ten lines of the specified file(s).
Here, we took the sqlmap.conf file and printed out the first and last ten lines. Often, when you've rooted a box, you know the order of certain log files and configs. It ends up being much faster to read the output with these commands than to open a file up in vim.
$ cat [options] [file]
Cat is short for concatenate and it will print out a file to standard output—your monitor in most cases.
This is useful if you need to view the contents of a small file quickly on the screen.
Top displays the running information of processes, uptime, and more. It's useful for seeing what's running when you're performing recon on a server.
While top is running, you can press the 'h' key to bring up a help screen with a list of commands. Some of the more useful ones are:
- u [user name]
Display only the processes belonging to that user. Enter + or leave it blank to see all users again.
- k [pid]
Kill the process with the given pid.
Let's take an example from the 2009 Astalavista hack by AntiSec. After exploiting their Light Speed HTTP daemon to get into the Apache account, they used a local privilege escalation exploit to gain root access. This is pretty much the end of the machine. Once someone has escalated their privileges to root, they 'own' the box. They can install rootkits, keyloggers, bots, deface the website, etc.
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;
Basically, they did the following:
- Deleted the local website, scripts and pages.
- Deleted the temp, test and log directories.
- Deleted the user folders.
- Connected to the FTP backup site and deleted the backups.
- Connected to the database and dropped all of the website's databases.
They removed every trace of this website.
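The grep, pipe, head and tail commands covered earlier are exactly what a responder reaches for when reading a log like the one above. The script below is an added example, not part of the original post: it runs those commands over a constructed history (SAMPLE_HISTORY, which mixes shell and mysql-client lines the way the published log does) to count the destructive commands, list them in order with line numbers, pull out the first and last command of the session, and extract the arguments given to rm -rf. The pattern list in DESTRUCTIVE_RE is an assumption chosen for this demo.

```shell
#!/bin/sh
# Added example, not from the original post: triage a captured shell history
# with grep, pipes, head and tail. SAMPLE_HISTORY is constructed for this demo;
# it mixes shell and mysql-client lines the way the published log above does.

SAMPLE_HISTORY='ls -la
cd /var/www
cat config.php
rm -rf backup/
rm -rf tmp/
cd ~
rm -rf /var/log/
ftp backup.example.invalid
mysql -u root -p
drop database astanet_membersystem;
exit'

# Patterns a responder wants surfaced first (assumed list). -E enables the |
# alternation in grep.
DESTRUCTIVE_RE='rm -rf|drop database|mdelete'

# Emit the history one line at a time so it can be piped like a real file.
history_lines() {
    printf '%s\n' "$SAMPLE_HISTORY"
}

# How many destructive commands were run? grep -c counts matching lines.
count_destructive() {
    history_lines | grep -c -i -E "$DESTRUCTIVE_RE"
}

# Which lines, and in what order? -n prefixes each match with its line number,
# which preserves the sequence of events for the timeline.
list_destructive() {
    history_lines | grep -n -i -E "$DESTRUCTIVE_RE"
}

# The first and last commands bracket the session; head/tail pull them out.
first_command() { history_lines | head -n 1; }
last_command()  { history_lines | tail -n 1; }

# What did rm -rf target? Pipe grep into sed to strip the command and keep the
# argument, then join the results on one line.
rm_targets() {
    history_lines | grep -E '^rm -rf ' | sed 's/^rm -rf //' | tr '\n' ' ' | sed 's/ $//'
}

echo "destructive commands: $(count_destructive)"
list_destructive
echo "session opened with:  $(first_command)"
echo "session closed with:  $(last_command)"
echo "rm -rf targets:       $(rm_targets)"
```

On a real box you would replace history_lines with `cat /path/to/recovered/.bash_history` and keep the rest; the numbered output from grep -n is what lets you reconstruct the order of events the way the bulleted summary above does.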
Looking over the commands and the order they were completed in will help make sense of what hacking really is. Hollywood and the media do a great job of making it seem like it's a mere few clicks of a mouse, a bunch of scrolling text, and some nefarious-looking teenager saying "we're in".
If you read over the hack log, you might have noticed that a lot of the work involved was actually on the databases, so next will be an introduction to SQL. Stay tuned!
Questions? Concerns? What commands did I leave out? Do you have any fly user tips? Leave us a comment or visit our forum.