1 ------------------------------------------------------------------------------
\r
5 ################################################
\r
7 # HOW TO COVER YOUR TRACKS #
\r
9 ################################################
\r
26 I. THE FIRST COMMAND
\r
28 The first command you should enter after logging in with a hacked account
\r
29 is a shell different from the one you are currently running as login shell.
\r
30 The purpose is to disable history saving of the commands you'll type in
\r
31 while hacking. A history check by the real user or sysadmin reveils your
\r
32 presence and what you did!!
\r
33 If you are running a CSH then execute a SH and vice versa.
\r
35 $ <- this is a SH prompt
\r
36 % <- this is a CSH prompt
\r
38 If it does not look like the standard prompts above then execute SH.
\r
39 If the prompt stays the same, type "exit" and execute the CSH ...
\r
40 The reason for using these two shells and not bash, ksh, zsh etc. is
\r
41 that these two are simple with no extra options enabled by default
\r
42 (like history saving).
\r
45 II. LASTLOG WORKAROUND
\r
47 If you saw a text like "Last successful login from alpha.master.mil"
\r
48 when you logged on with the hacked account and you can't hack root or
\r
49 don't want to disrupt the system logs with deleting data then execute
\r
50 the following : "rlogin <the_host_you_are_on>" and provide again the
\r
51 password of the hacked account if necessary. After seeing the shell
\r
52 prompt type exit to be back again. This will change the header
\r
53 "Last login from ..." etc. to the <current host> or "localhost"
\r
54 which is much more unsuspicious than "site.real.user.never.saw.com"
\r
55 Of course you only need to do this if your origin host might attract
\r
56 attention to user and/or sysadmin.
\r
61 After completing step 1 + 2 type "w" ... you'll see all currently
\r
62 online users ... with the adress they logged on from. Once again
\r
63 something like your origin host in the netherlands will be very
\r
64 suspicious to users and/or root if the site is in the usa.
\r
65 If you can't hack root or once again don't want to tamper with the
\r
66 log files you can try a bug which works still for many up2date
\r
67 unix distributions: just execute "login" with the same login+password.
\r
68 Type "w" again and if it worked, your origin will be changed to
\r
69 something like "tty05".
\r
70 Of course you only need to do this if your origin host might attract
\r
71 attention by other users and/or sysadmin.
\r
74 V. EXECUTING PROGRAMS
\r
76 Don't execute programs with suspicous names ... ISS and YPX are for
\r
77 example very suspicous, and a skilled admin knows what's going on if
\r
78 he sees a user running "loadmodule SandraBullok" on his Sun ... ;-)
\r
79 Either you copy & rename the commands or you use those sources around
\r
80 which exchanges the command name in the process list.
\r
81 Btw. the process list can be checked by "ps -ef" or "ps -auxwww" and
\r
82 the current command every user is executing with "w" and the most CPU
\r
83 consuming processes with "top" ... so it's really easy to monitor
\r
84 the programs the user(s) are running.
\r
87 VI. EXECUTING TELNET
\r
89 There are only two things which should be said about about using telnet
\r
90 for hacking purpose (e.g. doing a telnet to the next target).
\r
91 First NEVER just type "telnet target.host.com". Type "telnet" and then
\r
92 "open target.host.com" which will not show up as parameter in the process
\r
93 list. The seconds is that some telnet clients do export enviroment
\r
94 variables. And if your hack is detected and they could trace the
\r
95 connection back to your origin host they could also have got the account
\r
96 you used on the origin host. So redefine (to anything you want) the
\r
97 following environement variables before starting telnet, rlogin or similar:
\r
98 USER, LOGNAME, UID, HOME, MAIL - maybe you should do a "cd /tmp" too
\r
99 to change the PWD variable too ...
\r
100 To change those variables ->
\r
101 SH : <variable>=<new_value>;export <variable>
\r
102 example : USER=nobody;export USER
\r
103 CSH: setenv <variable> <new_value>
\r
104 example : setenv USER nobody
\r
106 and don't forget to reset the variables after your telnet if you want to
\r
107 do something with the account before you log out.
\r
110 VII. REMOVE YOUR FILES
\r
112 When you tried exploits - successful or not - delete them immedeantely
\r
113 after trying them - especially if you try them in /tmp !
\r
114 Nothing is more interesting than snooping in the /tmp directory to see
\r
115 what other users are doing ... If you really need to work in the temp
\r
116 directory (because suid is squashed in your home dir) then create a
\r
117 usual directory like ".X11", and give it 711 permissions.
\r
118 Remember, if someone snoops in the directories while you are hacking or
\r
119 your loose connection and can't relogin or you forget about them you
\r
120 are in deep trouble.
\r
123 --> ! The following 2 points are only possible with root access ! <--
\r
126 VI. MODIFYING THE LOGS
\r
128 The important log files are LASTLOG, WTMP and UTMP.
\r
129 If you were successful in hacking root then you should modify them.
\r
130 They can usually be found in /etc, /var/adm or /var/log ... it differs,
\r
131 just check the man pages.
\r
132 Which tools should you use? ZAP (or ZAP2) is nice, but it does NOT delete
\r
133 you from the logs but overwrite the entries with zeros. CERT already
\r
134 published tools which easily check the logs for those overwritten entries.
\r
135 And nothing shouts more "Hey there's a hacker on the system with root
\r
136 access!" into the sysadmin's face than that.
\r
137 Important for ZAP : Check the paths defined in the sources for the logs!
\r
138 Try CLOAK2 which can change the data of the important data fields ;) But
\r
139 it doesn't compile on all unix OS types.
\r
140 You can also try CLEAR, included in this magazine, which REALLY deletes
\r
144 VII. SYSLOG & LASTCOMM
\r
146 You should also check the syslog messages logfile if maybe entries with
\r
147 your hacked account or your origin host are in it. It's usually located
\r
148 in /var/adm or /var/log ... most time it's called "messages" but again
\r
149 can differ - and also check other logfiles there which are generated by
\r
150 auth.* and authpriv.* messages (and of course xferlog etc.).
\r
151 Check the file /etc/syslog.conf to see the correct file and check out what
\r
152 is logged to which file/program/mail/user.
\r
153 If you see something like "@loghost" and you find your origin host in
\r
154 the messages file than you've got a problem. It's also logged at another
\r
155 site which is most time not accessible from remote. But try to install
\r
156 a sniffer, (see section VIII. !) and check if a root does a successful
\r
157 login to the loghost - and then you've got also the password for that
\r
158 host and are in to handle the problem ;)
\r
159 To remove f.e. your hostname from the "messages" logfile execute :
\r
160 "grep -v evil.host.com messages > /tmp/tmpfile; mv /tmp/tmpfile messages"
\r
162 LASTCOMM (from accton etc.) is a tool to log all executed commands, with
\r
163 a flag if the file executed had the SUID flag set and if a command was
\r
164 executed by root. You can find this logfile in the same directory as the
\r
165 syslog file. That's a really evil tool against hackers but - luck! -
\r
166 most times it is not installed. But now you don't have to fear that
\r
167 anymore :) Get Zhart's excellent ACCT Cleaner and feel the freedom ;-)
\r
170 VIII. INSTALLING TROJANS
\r
172 When you install a sniffer, remember that anyone can execute "ifconfig -a"
\r
173 to check if the card is in promiscious mode. Get a rootkit for your unix
\r
174 OS and replace it. Run fixer.c on it for the correct checksum and date/time
\r
175 but check the root account first if maybe tripwire or other binary checker
\r
176 are installed! Remember this for every binary you replace. If the binary
\r
177 is in a directory which is NFS mounted and can't be remounted in write mode
\r
178 then you must first hack the NFS host - life isn't easy sometimes ;)
\r
184 I hope you had fun and learned alot from these two textfiles, the
\r
185 theory/background and the practice one.
\r
186 For updates, tips, tricks etc. just email me at -> mc@thc.net
\r
187 Remember : Never get lazy. Every work must be done 100% -
\r
188 or face the consequences!
\r
195 Type Bits/KeyID Date User ID
\r
196 pub 1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
\r
198 -----BEGIN PGP PUBLIC KEY BLOCK-----
\r
201 mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
\r
202 ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
\r
203 Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
\r
204 tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
\r
205 5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
\r
206 /yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
\r
207 m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
\r
208 3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
\r
209 UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
\r
210 yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
\r
211 BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
\r
212 KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
\r
213 a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
\r
216 -----END PGP PUBLIC KEY BLOCK-----
\r
218 ------------------------------------------------------------------------------
\r