Full Version: Log Cleaning?
GhostCow
Hey, I just wanted to ask you all:
1. How does one selectively remove commands recorded in ps aux?
2. What log cleaners do you use (and don't say rm -rf /var/log/, because it's very suspicious when all the logs suddenly disappear), and how do you use them?*

* PS: for Linux and *BSD systems.

Thanks!
coder
Packetstorm has a collection of log cleaning utilities:
http://packetstormsecurity.nl/UNIX/penetration/log-wipers/

-------------------------------------------------
Well, hiding from "ps aux" is a good question; I wish I knew the answer.

But cleaning logs might be easy if you have access to Perl. I suppose you'd want to remove the lines that contain your username and whatever commands you want to hide...

A little something like this, maybe; this is pseudo-Perl.
Read up on Perl regular expressions, and replace the usernames/commands/logfiles with those found on your particular distro...
CODE

#!/usr/bin/perl
use strict;
use warnings;

# Read the whole log into memory, then write a rewritten copy.
open(my $log, '<', 'logfile') or die "cannot open logfile: $!";
my @logs = <$log>;
close($log);

open(my $newlog, '>', 'newlogfile') or die "cannot create newlogfile: $!";

foreach (@logs) {
    # Swap one username for another on each line. To drop a line
    # instead, test it here and skip it with next.
    s/your_user_name/another_user_name/;
    print $newlog $_;
}

close($newlog);


Now this is just a start, an idea; you could easily modify a script like this to either delete the entries or switch them (like the sample above). Perl regular expressions are very handy, especially for stuff like this.
GhostCow
Thanks, but I was asking what log cleaners YOU all use... I know that list on Packetstorm...
coder
Oh, I like grep/gres.
GhostCow
Please post it with an explanation of how to use it; that would be nice.
coder
Bro, if you're rooting around a Unix box, you should know what grep is, shouldn't you?

man man
man grep
man gres
atomix
;x grep atomix's nuts
GhostCow
I am a little newbish to the Unix environment, and I know the grep command but I didn't know how to use it very well. Thanks...
coder
Oh, don't mind me, I'm just being an (filtered)...

Here is a nice read on regexp (regular expressions, like those used in grep):
http://etext.lib.virginia.edu/helpsheets/regex.html

That should get you started.
GhostCow
Yeah, but then there's the whole syslogd problem, bah!
I just need someone to recommend a darn good cleaner that can clear everything a certain account did, including what is written in ps aux, but that's not mandatory.

Anyone?
TriHFH
    ps -A | grep log

then...

    pkill -9 syslogd
    pkill -9 klogd

I just do that when I first log in to a box... it will take care of your syslogd problem if you remember to do it every time. Oh, and then I do a

    touch ~/hushlogin

to remove that "Last logged in from IP.IP.IP.IP" text on some machines... and then a

    history -c

to clear that... I don't know if this helps, and there are probably other things I don't do which get logged, but I'm one of the biggest newbies you'll ever meet at *nix, so I don't know.
d00m
For any sort of "plain text" log, doing something like this can help:

    grep -v "entry u wanna remove" logfile.txt > /tmp/x; mv /tmp/x logfile.txt
GhostCow
What other types of logs are there?
d00m
The utmp and wtmp logs are not in plain text, i.e. they are in binary format... so you need to use or code a log cleaner for these sorts of logs. Check out the man pages for wtmp and utmp. BTW, commands like "who" and "lastlog" use these files to find information like the current users logged in.
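Reading the binary utmp/wtmp format d00m mentions, as an added example rather than anything posted in the thread. It decodes records with Python's struct module using the glibc x86_64 struct utmp layout (384-byte records); *BSD and other architectures lay the record out differently, so the format string is an assumption, and the sample records are constructed. Besides listing entries the way last(1) does, it shows the defender's side of this discussion: it flags the traces a crude wipe leaves behind, namely a record overwritten with zeros in place, a logout whose login record is gone, and timestamps running backwards in an append-only file (all three are heuristics, not a specification of any particular wiper).

```python
"""Decode Linux wtmp/utmp records and flag entries that look wiped.

Added example (not code from this thread). Assumes the glibc x86_64
struct utmp layout; the sample records below are constructed.
"""
import struct
import time

# glibc x86_64 struct utmp: ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes.  "<" turns off
# native alignment so the padding is exactly what is written here.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME = 0, 1, 2
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 5, 6, 7, 8
TYPE_NAMES = {EMPTY: "EMPTY", RUN_LVL: "RUN_LVL", BOOT_TIME: "BOOT_TIME",
              INIT_PROCESS: "INIT_PROCESS", LOGIN_PROCESS: "LOGIN_PROCESS",
              USER_PROCESS: "USER_PROCESS", DEAD_PROCESS: "DEAD_PROCESS"}


def _cstr(field):
    """Decode a NUL-padded char[] field."""
    return field.split(b"\0", 1)[0].decode("latin-1")


def make_record(ut_type, pid, line, user, host, sec):
    """Pack one record; used here only to build constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, sec, 0,
                       0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Split a wtmp blob into dicts in file order, the way last(1) reads it."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for idx in range(len(data) // UTMP_SIZE):
        raw = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({"index": idx, "type": f[0], "pid": f[1],
                        "line": _cstr(f[2]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "sec": f[9],
                        "zeroed": raw == bytes(UTMP_SIZE)})
    return records


def find_wiped(records):
    """Return (record index, reason) pairs for records that look tampered with.

    Heuristics (assumptions about how crude wipers behave, not a spec):
      - a record that is all zero bytes: the entry was overwritten in place
        instead of the file being rewritten without it;
      - a DEAD_PROCESS (logout) on a tty with no open USER_PROCESS login:
        the login record was removed and the logout left behind;
      - a timestamp earlier than every record before it: wtmp is append-only,
        so time should not run backwards (clock changes aside).
    """
    findings = []
    open_lines = {}
    latest = None
    for r in records:
        if r["zeroed"]:
            findings.append((r["index"], "zero-filled record"))
            continue
        if latest is not None and r["sec"] < latest:
            findings.append((r["index"], "timestamp goes backwards"))
        latest = r["sec"] if latest is None else max(latest, r["sec"])
        if r["type"] == BOOT_TIME:
            open_lines.clear()        # a reboot ends every session
        elif r["type"] == USER_PROCESS:
            open_lines[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            if open_lines.pop(r["line"], None) is None:
                findings.append((r["index"],
                                 "logout without matching login on " + r["line"]))
    return findings


# Constructed sample: a boot, two logins, two logouts.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "5.4.0-generic", 1_700_000_000),
    make_record(USER_PROCESS, 2001, "pts/0", "alice", "10.0.0.5", 1_700_000_100),
    make_record(USER_PROCESS, 2002, "pts/1", "bob", "10.0.0.9", 1_700_000_200),
    make_record(DEAD_PROCESS, 2002, "pts/1", "", "", 1_700_000_300),
    make_record(DEAD_PROCESS, 2001, "pts/0", "", "", 1_700_000_400),
])
# The same file after a wiper zeroed bob's login (record 2) in place.
WIPED_WTMP = (SAMPLE_WTMP[:2 * UTMP_SIZE] + bytes(UTMP_SIZE)
              + SAMPLE_WTMP[3 * UTMP_SIZE:])

if __name__ == "__main__":
    for r in parse_wtmp(WIPED_WTMP):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["sec"]))
        print("%2d %-13s %-6s %-6s %-14s %s" % (
            r["index"], TYPE_NAMES.get(r["type"], str(r["type"])),
            r["user"], r["line"], r["host"], stamp))
    for idx, why in find_wiped(parse_wtmp(WIPED_WTMP)):
        print("record %d: %s" % (idx, why))
```

To run it against a real file, replace WIPED_WTMP with the contents of /var/log/wtmp (or /var/run/utmp) read in binary mode on a matching platform; on a 32-bit or *BSD system, adjust UTMP_FMT to that system's utmp.h first, since a wrong record size will show up as the ValueError in parse_wtmp or as garbage fields.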
l0kal
But do not forget to erase the latest lines in $HOME/.bash_history.
If you root a box and copy the shadow file, the admin can always hit the up arrow to see what you have been doing...

PS: do NOT do this BEFORE you clean the log files...
fre4k
There is a nice program out there for Linux called "Die Putze"; it works fine!

You can download it here:

http://mitglied.lycos.de/white1/
Tyrano
The link redirects to some photo site, fre4k.
celox
Just use the llc log cleaner from Packetstorm, use the read options, then modify those logs and clear or delete .bash_history.