--- /dev/null
+ ------------------------------------------------------------------------------\r
+\r
+\r
+\r
+ ################################################\r
+ # #\r
+ # HOW TO COVER YOUR TRACKS #\r
+ # #\r
+ ################################################\r
+\r
+\r
+\r
+ PART ONE : THEORY & BACKGROUND\r
+\r
+\r
+\r
+ I. INTRODUCTION\r
+ II. MENTAL\r
+ III. BASICS\r
+ IV. ADVANCED\r
+ V. UNDER SUSPECT\r
+ VI. CAUGHT\r
+ VII. PROGRAMS\r
+ VIII. LAST WORDS\r
+\r
+\r
+\r
+\r
+ I. INTRODUCTION\r
+ ----------------------------------------------------------------------\r
+\r
+ Please excuse my poor english - I'm german so it's not my mother\r
+ language I'm writing in. Anyway if your english is far better than\r
+ mine, then don't think this text hasn't got anything to offer you.\r
+ In contrast. Ignore the spelling errors & syntax - the contents\r
+ of this document is important ...\r
+\r
+ NOTE : This text is splitted into TWO parts.\r
+ The first one, this, teachs about the background and theory.\r
+ The second just shows the basics by an easy step-by-step\r
+ procedure what to type and what to avoid.\r
+ If you are too lazy to read this whole stuff here (sucker!)\r
+ then read that one. It's main targets are novice unix hackers.\r
+\r
+ If you think, getting the newest exploits fast is the most important\r
+ thing you must think about and keep your eyes on - you are wrong.\r
+ How does the best exploit helps you once the police has seized your\r
+ computer, all your accounts closed and everything monitored?\r
+ Not to mention the warrants etc.\r
+ No, the most important thing is not to get caught.\r
+ It is the FIRST thing every hacker should learn, because on many\r
+ occasions, especially if you make your first hacks at a site which\r
+ is security conscious because of many break-ins, your first hack can\r
+ be your last one (even if all that lays back a year ago "they" may\r
+ come up with that!), or you are too lazy to change your habits\r
+ later in your career.\r
+ So read through these sections carefully!\r
+ Even a very skilled hacker can learn a bit or byte here.\r
+\r
+ So this is what you find here:\r
+ Section I - you are reading me, the introduction\r
+ Section II - the mental things and how to become paranoid\r
+ 1. Motivation\r
+ 2. Why you must become paranoid\r
+ 3. How to become paranoid\r
+ 4. Stay paranoid\r
+ Section III - the basics you should know BEFORE begin hacking\r
+ 1. Preface\r
+ 2. Secure Yourself\r
+ 3. Your own account\r
+ 4. The LOGs\r
+ 5. Don't leave a trace\r
+ 6. Things you should avoid\r
+ Section IV - the advanced techniques you should take a notice of\r
+ 1. Preface\r
+ 2. Prevent Tracing of any kind\r
+ 3. Find and manipulate any log files \r
+ 4. Check the syslog configuration and logfile\r
+ 5. Check for installed security programs\r
+ 6. Check the admins \r
+ 7. How to "correct" checksum checking software \r
+ 8. User Security Tricks\r
+ 9. Miscellaneous\r
+ Section V - what to do once you are under suspect\r
+ Section VI - the does and dont's when you got caught\r
+ Section VII - a short listing of the best programs for hiding\r
+ Section VIII- last words, the common bullshit writers wanna say\r
+\r
+ So read carefully and enlighten yourself.\r
+\r
+\r
+\r
+\r
+\r
+\r
+ II. MENTAL\r
+ ----------------------------------------------------------------------\r
+\r
+ CONTENTS: 1. Motivation\r
+ 2. Why you must become paranoid\r
+ 3. How to become paranoid\r
+ 4. Stay paranoid\r
+\r
+\r
+ * 1. MOTIVATION *\r
+ The mental aspect is the key to be successful in anything.\r
+\r
+ It's the power to motivate yourself, fight on if it hurts,\r
+ being selfdisciplined, paranoid & realistic, calculate risks\r
+ correctly and do stuff you don't like but are important even\r
+ if you'd like to go swimming now.\r
+\r
+ If you can't motivate yourself to program important tools,\r
+ wait for the crucial time to hit the target, then you'll never\r
+ get anywhere with your "hacks"\r
+\r
+ A successful and good hacker must meet these mental requirements.\r
+ It's like doing bodybuilding or a diet - you can learn it\r
+ if you really try.\r
+\r
+ EVEN THE BEST KNOWLEDGE WON'T HELP YOU UNTIL YOU ARE REALLY\r
+ CONCERNED TO DO THE PREVENTIONS AND ACTUAL MAKE THEM !\r
+\r
+\r
+ * 2. WHY YOU MUST BECOME PARANOID *\r
+ It's right that normally being paranoid is not something which\r
+ makes your life happier.\r
+ However if you aren't expecting the worst, anything can hit you and\r
+ throw you off balance. And you are risking very much with your doings.\r
+ In your normal life you don't need to worry much about cops, thieves\r
+ and therelike. But if you are on the other side remember that you make\r
+ other people a hard life and bring them nightmares plus work - and\r
+ they want to stop you.\r
+ Even if you don't feel like committing a crime - you actually do.\r
+ Hacker-Witchhunting pops up fast and gets everyone who might be involved.\r
+ It's the sad thing : YOU ARE GUILTY UNTIL PROVEN OTHERWISE !\r
+ Once you've got the stigma being a hacker you'll never get it off.\r
+ Once having an entry in your police record it's very hard to find a job.\r
+ Especially no software company, even no computer related company will\r
+ ever hire you, they will be afraid of your skills, and you will see\r
+ yourself being forced to emmigrate or your life lost.\r
+ Once you fall down only a few can get up again.\r
+\r
+ Become paranoid!\r
+ Protect yourself!\r
+ Remember you have got everything to loose!\r
+ Never feel silly doing THAT extraordinary action against tracing!\r
+ Never bother if someone laughs on your paranoid doing!\r
+ Never be too lazy or tired to modify the logs!\r
+ A hacker must do his work 100% !\r
+\r
+\r
+ * 3. HOW TO BECOME PARANOID *\r
+ If you've read the part above and you think thats true, it's easy -\r
+ you've got already become paranoid. But it must become a substantial\r
+ part of your life. If you made it becoming a good hacker always think\r
+ about whom to tell what, and that you phone calls and emails might be\r
+ monitored. Always the reread the section above.\r
+\r
+ If the above didn't helped you, then think about what happens if\r
+ you are caught. Would your girlfriend stay at your side? Even if\r
+ her father speaks a hard word? Do you want to see your parents cry?\r
+ Thrown from your school/university/job?\r
+\r
+ Don't give this a chance to happen!\r
+\r
+ If even this is not enough to motivate you:\r
+ KEEP AWAY FROM HACKING!\r
+ You are a danger to the whole hacking society and your friends !\r
+\r
+\r
+ * 4. STAY PARANOID *\r
+ I hope you learned now why it is important to become paranoid.\r
+ So stay paranoid. One mistake or lazy moment could suffice to ruin\r
+ your life or career.\r
+\r
+ Always remember the motivation to do it.\r
+\r
+\r
+\r
+\r
+\r
+\r
+ III. BASICS\r
+ ----------------------------------------------------------------------\r
+\r
+ CONTENTS : 1. Preface\r
+ 2. Secure Yourself\r
+ 3. Your own account\r
+ 4. The LOGs\r
+ 5. Don't leave a trace\r
+ 6. Things you should avoid\r
+\r
+\r
+ * 1. PREFACE *\r
+ You should know this and practice it before you start your first hack.\r
+ These are the absolute basics, without them you are in trouble soon.\r
+ Even an experienced hacker can find a new hint/info in here.\r
+\r
+\r
+ * 2. SECURE YOURSELF *\r
+ What if a SysAdmin reads your email?\r
+ What if your phone calls are recorded by the police?\r
+ What if the police seizes your computer with all your hacking data on it?\r
+\r
+ If you don't receive suspicious email, don't talk about hacking/phreaking\r
+ on the phone and haven't got sensitive/private files on your harddisk\r
+ then you don't need to worry. But then again you aren't a hacker.\r
+ Every hacker or phreaker must keep in touch with others and have got\r
+ his data saved somewhere.\r
+\r
+ Crypt every data which is sensitive!\r
+ Online-Harddisk-Crypter are very important and useful:\r
+ There are good harddisk crypters free available an the internet, which\r
+ behave fully transparent to your operating systems, i.e. the packages\r
+ listed below are tested and were found to be a hacker's first-choice:\r
+ - If you use MsDos get SFS v1.17 or SecureDrive 1.4b\r
+ - If you use Amiga get EnigmaII v1.5\r
+ - If you use Unix get CFS v1.33\r
+ File Crypters: You can use any, but it should use one of the well known\r
+ and secure algorythms. NEVER use a crypting program which can be\r
+ exported because their effective keylengths are reduced!\r
+ - Triple DES\r
+ - IDEA\r
+ - Blowfish (32 rounds)\r
+ Encrypt your emails!\r
+ - PGP v2.6.x is used most so use it too.\r
+ Encrypt your phonecalls if you want to discuss important things.\r
+ - Nautilus v1.5a is so far the best\r
+ Encrypt your terminal sessions when connected to a unix system.\r
+ Someone might be sniffing, or monitoring your phone line.\r
+ - SSH is the so far most secure\r
+ - DES-Login is fine too\r
+\r
+ Use strong passwords, non-guessable passwords which are not mentioned\r
+ in any dictionary. They should seem random but good to remember for\r
+ yourself. If the keylength is allowed to be longer than 10 chars,\r
+ use that, and choose a sentence from a book, slightly modified.\r
+ Please crypt phonenumbers of hacker friends twice. And call them from\r
+ payphones/officephones/etc. only, if you don't encrypt the conversation.\r
+\r
+ The beginner only needs PGP, a filecrypter and an online-hardisk-crypter.\r
+ If you are really deep into hacking remember to encrypt everything.\r
+\r
+ Make a backup of your data (Zip-Drive, other harddisk, CD, Tape),\r
+ crypted of course, and store it somewhere which doesn't belong to any\r
+ computer related guy or family member and doesn't belong to your house.\r
+ So if a defect, fire or fed raid occures you got a backup of your data.\r
+\r
+ Keep written notices only as long as you really need them. Not longer.\r
+ Keeping them in an encrypted file or on an encrypted partition is much\r
+ more secure. Burn the papers once you don't need them anymore.\r
+ You can also write them down with a crypt algorythm which only you\r
+ know of, but don't tell others and don't use it too often or it can be\r
+ easily analyzed and broken.\r
+\r
+ Really hardcore or ultra paranoid hackers should consider too the\r
+ TEMPEST Project. Cops, spies and hackers could monitor all your\r
+ doings. A well equipted man could have *anything* he wants :\r
+ Electronic pulse emanation can be catched from more than 100 meters\r
+ away and show your monitor screen to somebody else, a laserpoint to\r
+ your window to hear private conversations, or identifying hifrequency\r
+ signals of keyboard clicks ... so possiblities are endless\r
+ Lowcost prevention can be done by electronic pulse jammers and \r
+ therelike which become available on the public market, but I don't\r
+ think this is secure enough to keep anyone dedicated away.\r
+\r
+\r
+\r
+ * 3. YOUR OWN ACCOUNT *\r
+ So let's talk about your own account. This is your real account you\r
+ got at your school/university/job/provider and is associated with\r
+ your name. Never forget to fail these rules:\r
+\r
+ Never do any illegal or suspicious things with your real accounts!\r
+ Never even try to telnet to a hacked host!\r
+ Security mailing lists are okay to read with this account.\r
+ But *everything* which *seems* to have to do with hacking must be\r
+ either encrypted or be deleted as once.\r
+ Never leave/save hacking/security tools on your account's harddisk.\r
+ If you can, use POP3 to connect to the mailserver and get+delete your\r
+ email (or do it in an other way if you are experienced enough using unix)\r
+ Never give out your real email if your realname is in your .plan file\r
+ and/or geco field (remember the EXPN command from sendmail ...)\r
+ Give it only to guys who you can trust and are also security conscious,\r
+ because if they are caught you may follow (or if it's a fed, not a hacker)\r
+ Exchange emails with other hackers only if they are encrypted (PGP)\r
+ SysAdmins OFTEN snoop user directories and read other's email!\r
+ Or another hacker might hack your site and try to get your stuff!\r
+\r
+ Never use your account in a way which shows interest in hacking.\r
+ Interest in security is okay but nothing more.\r
+\r
+\r
+ * 4. THE LOGS *\r
+ There are 3 important log files:\r
+ WTMP - every log on/off, with login/logout time plus tty and host\r
+ UTMP - who is online at the moment\r
+ LASTLOG - where did the logins come from\r
+ there exist others, but those will be discussed in the advanced section.\r
+ Every login via telnet, ftp, rlogin and on some systems rsh are written\r
+ to these logs. It is VERY important that you delete yourself from those\r
+ logfiles if you are hacking because otherwise they\r
+ a) can see when did you do the hacking exactly\r
+ b) from which site you came\r
+ c) how long you were online and can calculate the impact\r
+\r
+ NEVER DELETE THE LOGS! It's the easiest way to show the admin that\r
+ a hacker was on the machine. Get a good program to modify the logs.\r
+ ZAP (or ZAP2) is often mentioned as the best - but in fact it isn't.\r
+ All it does is overwriting the last login-data of the user with zeros.\r
+ CERT already released simple programs which check for those zero'ed\r
+ entries. So thats an easy way to reveil the hacker to the admin too.\r
+ He'll know someone hacked root access and then all you work was worthless.\r
+ Another important thing about zap is that it don't report if it can't\r
+ find the log files - so check the paths first before compiling!\r
+ Get either a program which CHANGES the data (like CLOAK2) or a really\r
+ good one which DELETES the entries (like CLEAR).\r
+ \r
+\r
+ Normally you must be root to modify the logs (except for old distributions\r
+ which have got utmp and wtmp world-writable). But what if you didn't\r
+ made it hacking root - what can you do? Not very much :\r
+ Do a rlogin to the computer you are on, to add a new unsuspicous LASTLOG\r
+ data which will be displayed to the owner when he logs on next time.\r
+ So he won't get suspicious if he sees "localhost".\r
+ Many unix distributions got a bug with the login command. When you\r
+ execute it again after you logged already on, it overwrites the\r
+ login-from field in the UTMP (which shows the host you are coming\r
+ from!) with your current tty.\r
+\r
+ Where are these log files by default located? \r
+ That depends on the unix distribution.\r
+ UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log\r
+ WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log\r
+ LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log\r
+ on some old unix dists the lastlog data is written into $HOME/.lastlog\r
+\r
+\r
+ * 5. DON'T LEAVE A TRACE *\r
+ I encountered many hackers who deleted themselves from the logs.\r
+ But they forgot to erase other things they left on the machines :\r
+ Files in /tmp and $HOME\r
+\r
+ Shell History\r
+ It should be another as you current login account uses.\r
+ Some shells leave a history file (depends on enviroment configuration)\r
+ with all the commands typed. Thats very bad for a hacker.\r
+ The best choice is to start a new shell as your first command after\r
+ logging in, and checking every time for a history file in you $HOME.\r
+ History files :\r
+ sh : .sh_history\r
+ csh : .history\r
+ ksh : .sh_history\r
+ bash: .bash_history\r
+ zsh : .history\r
+ Backup Files :\r
+ dead.letter, *.bak, *~\r
+\r
+ In other words: do an "ls -altr" before you leave!\r
+\r
+ Here're 4 csh commands which will delete the .history when you log\r
+ out, without any trace.\r
+ mv .logout save.1\r
+ echo rm .history>.logout\r
+ echo rm .logout>>.logout\r
+ echo mv save.1 .logout>>.logout\r
+\r
+\r
+\r
+ * 6. THINGS YOU SHOULD AVOID *\r
+ Don't crack passwords on an other machine than your own, and then\r
+ only on a crypted partition. If you crack them on a e.g. university\r
+ and the root sees your process and examines it not only your hacking\r
+ account is history but also the site from which the password file is\r
+ and the university will keep all eyes open to watch out for you.\r
+ Download/grab the passwd data and crack them on a second computer or\r
+ in a background process. You don't need many cracked accounts, only a few.\r
+\r
+ If you run important programs like ypx, iss, satan or exploiting\r
+ programs then rename them before executing or use the small common\r
+ source to exchange the executed filename in the process list ... ever\r
+ security conscious user (and of course admin) knows what's going on\r
+ if he sees 5 ypx programs running in the background ...\r
+ And of course if possible don't enter parameters on the command line\r
+ if the program supports an interactive mode, like telnet.\r
+ Type "telnet" and then "open target.host.com" ... which won't show\r
+ the target host in the process list as parameter.\r
+\r
+ If you hacked a system - don't put a suid shell somewhere!\r
+ Better try to install some backdoors like ping, quota or login and\r
+ use fix to correct the atime and mtime of the file if you don't\r
+ have got another possiblity.\r
+\r
+\r
+\r
+\r
+\r
+\r
+ IV. ADVANCED\r
+ ----------------------------------------------------------------------\r
+\r
+ CONTENTS : 1. Preface\r
+ 2. Prevent Tracing of any kind\r
+ 3. Find and manipulate any log files \r
+ 4. Check the syslog configuration and logfile\r
+ 5. Check for installed security programs\r
+ 6. Check the admins \r
+ 7. How to "correct" checksum checking software \r
+ 8. User Security Tricks\r
+ 9. Miscellaneous\r
+\r
+\r
+ * 1. PREFACE * \r
+ Once you installed your first sniffer and begin to hack worldwide\r
+ then you should know and use these checks & techniques!\r
+ Use the tips presented here - otherwise your activity will be over soon.\r
+\r
+\r
+ * 2. PREVENT TRACING OF ANY KIND * \r
+ Sometimes your hacking will be noticed. Thats not a real problem -\r
+ some of your sites will be down but who cares, there are enough\r
+ out there to overtake. The *very* dangerous thing is when they try\r
+ to trace you back to your origin - to deal with you - bust you!\r
+\r
+ This short chapter will tell you every possiblity THEY have to trace\r
+ you and what possibilities YOU have to prevent that.\r
+\r
+ * Normally it should be *no* problem for the Admin to identify the\r
+ system the hacker is coming from by either : checking the log entries\r
+ if the hacker was really lame, taking a look at the sniffer output\r
+ the hacker installed and he's in too, any other audit software like\r
+ loginlog, or even show all estrablished connections with "netstat"\r
+ if the hacker is currently online - expect that they'll find out!\r
+ Thats why you *need* a gateway server.\r
+\r
+ * A gateway server in between - what is it?\r
+ Thats one of many many servers you have accounts on, which are\r
+ absolutely boring systems and you have got root access on.\r
+ You need the root access to alter the wtmp and lastlog files\r
+ plus maybe some audit logs do nothing else on these machines!\r
+ You should change the gateway servers on a regular basis, say\r
+ every 1-2 weeks, and don't use them again for at least a month.\r
+ With this behaviour it's unlikely that they will trace you back\r
+ to your next point of origin : the hacking server\r
+\r
+ * Your Hacking Server - basis of all activity\r
+ From these server you do begin hacking. Telnet (or better : remsh/rsh)\r
+ to a gateway machine and then to the target.\r
+ You need again root access to change the logs.\r
+ You should change your hacking server every 2-4 weeks.\r
+\r
+ * Your Bastian/Dialup server.\r
+ This is the critical point. Once they can trace you back to your\r
+ dialup machine you are already fried. A call to the police, a line\r
+ trace and your computer hacking activity is history - and maybe\r
+ the rest of your future too.\r
+ You *don't* need root access on a bastion host. Since you only\r
+ connect to it via modem there are no logs which must be changed.\r
+ You should use a different account to log on the system every day,\r
+ and try to use those which are seldom used.\r
+ Don't modify the system in any way!\r
+ You should've got at least 2 bastion host systems you can dialup\r
+ to and switch between them every 1-2 month.\r
+\r
+ Note: If you have got the possiblity to dialup different systems\r
+ every day (f.e. due blueboxing) then do so. you don't need\r
+ a hacking server then.\r
+\r
+ * Do bluebox/card your call or use an outdial or any other way.\r
+ So even when they capture back your bastion host, they can't\r
+ trace you (easily) ...\r
+ For blueboxing you must be cautious, because germany and the phone\r
+ companies in the USA do have surveillance systems to detect\r
+ blueboxers ... At&t traces fake cred card users etc.\r
+ Using a system in between to transfer your call does on the one side\r
+ make tracine more difficult - but also exposes you to the rish being\r
+ caught for using a pbx etc. It's up to you.\r
+ Note too that in f.e. Denmark all - ALL - calling data is saved!\r
+ Even 10 years after your call they can prove that *you* logged on\r
+ the dialup system which was used by a hacker ...\r
+\r
+ - Miscellaneous\r
+ If you want to run satan, iss, ypx, nfs filehandle guessing etc.\r
+ then use a special server for this. don't use it to actually\r
+ telnet/rlogin etc. to a target system, only use it for scanning.\r
+ Connect to it as if it were a gateway server.\r
+\r
+ Tools are out there which binds to a specific port, and when a\r
+ connection is established to this port, it's automatically opening\r
+ a connection to another server some other just act like a shell on the\r
+ system, so you do a "telnet" from this socket daemon too.\r
+ With such a program running you won't be written in any log except\r
+ firewall logs. There are numerous programs out there which do that\r
+ stuff for you. \r
+\r
+ If possible, the hacking server and/or the gateway machine should\r
+ be located in a foreign country!\r
+ Because if your breakin (attempt) was detected and your origin host\r
+ identified then most admins will tend to give up to hunt after you.\r
+ Even if the feds try to trace you through different countries it\r
+ will delay them by at least 2-10 weeks ...\r
+\r
+ # Conclusion : If you hack other stuff than univerisities then\r
+ do it this way! Here is a small picture to help you ;-)\r
+\r
+ +-------+ ~---------------> +-------------+ +-----------+\r
+ |+-----+| >hopefully > |one of at | |one of many|\r
+ || YOU || --> >a trace-safe > --> |least 3 | --> |hacking |\r
+ |+-----+| >dial possiblity> |bastion hosts| |server |\r
+ +-------+ ~---------------> +-------------+ +-----------+\r
+ |\r
+ |\r
+ v\r
+ +-----------------+ +--------+ +-----------+\r
+ |maybe additional | | the | |one hacked |\r
+ |server from | ... <-- ... | main | <-- |server as |\r
+ |internal network | | target | |gateway |\r
+ +-----------------+ +--------+ +-----------+\r
+\r
+\r
+\r
+ * 3. FIND AND MANIPULATE ANY LOG FILES *\r
+ It's important that you find all logfiles - even the hidden ones.\r
+ To find any kind of logfiles there are two easy possibilities :\r
+ 1) Find all open files.\r
+ Since all logfiles must write somewhere, get the cute program\r
+ LSOF - LiSt Open Files - to see them ... check them ... and\r
+ if necessary correct them.\r
+ 2) Search for all files changed after your login.\r
+ After your login do a "touch /tmp/check" then work on.\r
+ Later just do a "find / -newer /tmp/check -print" and check them\r
+ if any of those are audit files. see>check>correct.\r
+ Note that not all versions of find support the -newer option\r
+ You can also do a "find / -ctime 0 -print" or "find / -cmin 0 -print"\r
+ to find them.\r
+\r
+ Check all logfiles you find. Normally they are in /usr/adm, /var/adm or\r
+ /var/log.\r
+ If things are logged to @loghost then you are in trouble. You need\r
+ to hack the loghost machine to modify the logs there too ...\r
+\r
+ To manipulate the logs you can either do things like "grep -v", \r
+ or do a linecount with wc, and then cut off the last 10 lines with\r
+ "head -LineNumbersMinus10", or use an editor etc.\r
+ If the log/audit files are not textfiles but datarecords ... identify\r
+ the software which writes the logfiles. Then get the sourcecode. Then\r
+ find the matching header file which defines the structure of the file.\r
+ Get zap, clear, cloak etc. and rewrite it with the header file to use\r
+ with this special kind of logfile (and it would be kind to publish your\r
+ new program to the hacker society to safe others much work)\r
+\r
+ If accouting is installed then you can use the acct-cleaner from zhart,\r
+ also in this release - it works and is great!\r
+\r
+ A small gimmick if you must modify wtmp but can't compile a source and\r
+ no perl etc. is installed (worked on SCO but not on linux) :\r
+ Do a uuencode of wtmp. Run vi, scroll down to the end of the file, and\r
+ and delete the last 4 (!) lines beginning with "M" ... then save+exit,\r
+ uudecode. Then the last 5 wtmp entries are deleted ;-)\r
+\r
+ If the system uses wtmpx and utmpx as well you are in trouble ...\r
+ I don't know any cleaner so far who can handle them.\r
+ Program one and make it available for the scene.\r
+\r
+\r
+\r
+ * 4. CHECK THE SYSLOG CONFIGURATION AND LOG *\r
+ Most programs use the syslog function to log anything they want.\r
+ It's important to check the configuration where syslog does print\r
+ special types.\r
+ The config file is /etc/syslog.conf - and I won't tell you here what\r
+ the format is and what each entry means. Read the manpages about it.\r
+ Important for you are kern.*, auth.* and authpriv.* types.\r
+ Look where they are written too: files can be modified. If forwarded\r
+ to other hosts you must hack those too. If messages are sent to a user,\r
+ tty and/or console you can do a small trick and generate false log\r
+ messages like "echo 17:04 12-05-85 kernel sendmail[243]: can't resolve\r
+ bla.bla.com > /dev/console" or whichever device you want to flood so\r
+ that the message you want to hide simply scrolls over the screen.\r
+ These log files are *very* important! Check them.\r
+ \r
+\r
+ * 5. CHECK FOR INSTALLED SECURITY PROGRAMS\r
+ On most security conscious sites, there are security checkers run by\r
+ cron. The normal directory for the crontabs are /var/spool/cron/crontabs.\r
+ Check out all entries, especially the "root" file and examine the files\r
+ they run. For just a fast investigation of the crontabs of root type\r
+ "crontab -l root".\r
+\r
+ Some of those security tools are most time also installed on the admins'\r
+ accounts. Some of them (small utils to check wtmp, and if a sniffer is\r
+ installed) are in their ~/bin. \r
+ Read below to identify those admins and check their directories.\r
+ \r
+ Internal checking software can be tiger, cops, spi, tripwire, l5,\r
+ binaudit, hobgoblin, s3 etc.\r
+\r
+ You must examine them what they report and *if* they would report\r
+ something that would be a sign of your breakin.\r
+ If yes you can - update the data files of the checker (learn mode)\r
+ so that it won't report that type anymore\r
+ - reprogram/modify the software so that they don't report\r
+ it anymore. (I *love* fake cpm programs ;-)\r
+ - if possible remove the e.g. backdoor you installed\r
+ and try to do it in another way.\r
+ \r
+\r
+\r
+ * 6. CHECK THE ADMINS *\r
+ It is important for you to check the sysops for the security counter-\r
+ measures they do - so first you need to know which normal accounts are\r
+ they use.\r
+ You can check the .forward file of root and the alias entry of root.\r
+ Take a look into the sulog and note those people who did a successful\r
+ su to root. Grab the group file and examine the wheel and admin group\r
+ (and whatever other group are in this file which are related to\r
+ administration). Also grep'ing the passwd file for "admin" will reveile\r
+ the administrators.\r
+ Now you should know who the 1-6 administrators on the machines are.\r
+ Change into their directories (use chid.c, changeid.c or similar to\r
+ become the user if root is not allowed to read every file) and check\r
+ their .history/.sh_history/.bash_history to see what commands they type\r
+ usually. Check their .profile/.login/.bash_profile files to see what\r
+ aliases are set and if auto-security checks or logging are done.\r
+ Examine their ~/bin directory! Most times compiled security checking\r
+ programs are put there! And of course take a look into each directory\r
+ they've got beside that (ls -alR ~/).\r
+ If you find any security related stuff, read 5.) for possibilities to\r
+ bypass those protections.\r
+\r
+\r
+\r
+ * 7. HOW TO "CORRECT" CHECKSUM CHECKING SOFTWARE *\r
+ Some admins really fear hacker and install software to detect changes\r
+ of their valuable binaries. If one binary is tampered with, next time\r
+ the admin does a binary check, it's detected.\r
+ So how can you a) find out if such binary checkers are installed\r
+ and b) how to modify them so you can plant in your trojan horse?\r
+\r
+ Note that there are many binary checker out there and it's really easy\r
+ to write one - takes only 15 minutes - and can be done with a small\r
+ script. So it's hard to find such software if it's installed.\r
+ Note that internal security checking software sometimes also support such\r
+ checking. Here are some widely used ones :\r
+\r
+ SOFTWARE : STANDARD PATH : BINARY FILENAMES\r
+ tripwire : /usr/adm/tcheck, /usr/local/adm/tcheck : databases, tripwire\r
+ binaudit : /usr/local/adm/audit : auditscan \r
+ hobgoblin : ~user/bin : hobgoblin\r
+ raudit : ~user/bin : raudit.pl\r
+ l5 : compile directory : l5\r
+\r
+ But as you can see there are too much possibilities! The software or\r
+ database could even be on an normally unmounted disk or NFS exported\r
+ partition of another host. Or the checksum database is on a write\r
+ protected medium. There are too much possibilities. But normally you can\r
+ just do the fast check if the above packages are installed and if not\r
+ go on exchanging binaries. If you *don't* find them but it actually *is*\r
+ a very well secured site then you should NOT tamper with the binaries!\r
+ They sure have got them hidden very well.\r
+\r
+ But what do you do when you find that software installed and you can\r
+ modify them (e.g. not a write protected medium, or something that can\r
+ be bypasswd - for example unmounting the disk and remounting writable)?\r
+ You've got 2 possibilities :\r
+ First you can just check the parameters of the software and run an\r
+ "update" on the modified binary. For example for tripwire that's\r
+ "tripwire -update /bin/target".\r
+ Seconds you can modify the filelist of the binaries being checked -\r
+ removing the entry of the replaced one.\r
+ Note that you should also check if the database file itself is checked\r
+ too for changes! If yes - update/delete the entry as well.\r
+\r
+\r
+\r
+ * 8. USER SECURITY TRICKS *\r
+ This is a rare thing and is only for sake of completeness.\r
+ Some users, named admins and hackers, usually don't want their own\r
+ accounts to be used by someone else. That's why they sometimes put\r
+ some security features into their startup files.\r
+ So check all dotfiles (.profile, .cshrc, .login, .logout etc.)\r
+ what commands they execute, what history logging and which searchpath\r
+ they set. If f.e. $HOME/bin comes before /bin in the search path you\r
+ should check the contents of this directory ... maybe there's a program\r
+ called "ls" or "w" installed which logs the execution time and after\r
+ that executing the real program.\r
+ Other check automatically the wtmp and lastlog files for zap usage,\r
+ manipulation of .rhosts, .Xauthority files, active sniffers etc.\r
+ Never mess with an account a unix wizard is using! \r
+\r
+\r
+\r
+ * 9. MISCELLANEOUS *\r
+ Finally, before some last words about being under suspect or caught,\r
+ here are some miscellaneous things which a worth to take a notice off.\r
+\r
+ Old telnet clients do export the USER variable. An administrator who\r
+ knows that and modified the telnetd can get all user names with that\r
+ and so identify the account you are hacking from, once he notices you.\r
+ The new clients have been fixed - but a clever admin has got other\r
+ possiblities to identify the user : the UID, MAIL and HOME variables\r
+ are still exported and makes identifying of the account used by the\r
+ hacker easy. Before you do a telnet, change the USER, UID, MAIL and\r
+ HOME variable, maybe even the PWD variable if you are in the home\r
+ directory.\r
+\r
+ On HP-UX < v10 you can make hidden directories. I'm not talking about\r
+ . (dot) files or similar but a special flag. HP introduced it v9, but\r
+ was removed from version 10 (because it was only used by hackers ;-).\r
+ If you do a "chmod +H directory" it's invisible for the "ls -al".\r
+ To see the hidden directories you need to add the -H switch to ls, e.g.\r
+ "ls -alH" to see everything.\r
+\r
+ Whenever you are in need to change the date of a file, remember that\r
+ you can use the "touch" command to set the atime and mtime.\r
+ You can set the ctime only by raw writes to the harddisk ...\r
+\r
+ If you install sniffer and it's an important system, then make sure\r
+ that you either obfusicate the sniffer output (with an encryption\r
+ algorythm [and i'm not talking about rot13] or let the sniffer send\r
+ all the captured data via icmp or udp to an external host under your\r
+ control. Why that? If the admin finds somehow the sniffer (cpm and\r
+ other software checking for sniffers) they can't identify in the\r
+ logfile what data was sniffed, so he can't warn hosts sniffed by you.\r
+\r
+\r
+\r
+\r
+ V. UNDER SUSPECT\r
+ ----------------------------------------------------------------------\r
+\r
+ Once you are under suspect (by either police and/or administrator) you\r
+ should take special actions so they won't get evidence on you.\r
+\r
+ NOTE : If the administrators think you are a hacker,\r
+ YOU ARE GUILTY UNTIL PROVEN INNOCENT\r
+\r
+ The laws means nothing to the admins (sometimes I think the difference\r
+ between a hacker and an administrator is only that the computer belongs\r
+ to them). When they think you are a hacker you are guilty, without a\r
+ lawyer to speak for you. They'll monitor you, your mails, files, and,\r
+ if they are good enough, your keystrokes as well.\r
+\r
+ When the feds are involved, you phone line might be monitored too,\r
+ and a raid might come soon.\r
+\r
+ If you notice or fear that you are under suspect then keep absolutely\r
+ low profile! No offensive action which points to hacking should be done.\r
+\r
+ Best thing is to wait at least 1-2 month and do nothing.\r
+ Warn your friends not to send you any email, public normal only,\r
+ non-offensive mail is wonderful, put pgp encrypted emails will ring the\r
+ alarm bells of monitoring admins and feds. Cut down with everything,\r
+ write some texts or program tools for the scene and wait until things\r
+ have settled. Remember to encrypt all your sensitive data and remove\r
+ all papers with account data, phone numbers etc. Thats the most\r
+ important stuff the feds are looking for when they raid you.\r
+\r
+\r
+\r
+ VI. CAUGHT\r
+ ----------------------------------------------------------------------\r
+\r
+ Note that this small chapter covers only the ethics and basics and\r
+ hasn't got any references to current laws - because they are different\r
+ for every country.\r
+\r
+ Now we talking about the stuff you should/shouldn't do once the feds\r
+ visited you. There are two *very* important things you have to do :\r
+ 1) GET A LAWYER IMMEDEANTELY !\r
+ The lawyer should phone the judge and appeal against the search\r
+ warrant. This doesn't help much but may hinder them in their work.\r
+ The lawyer should tell you everything you need to know what the\r
+ feds are allowed to do and what not.\r
+ The lawyer should write a letter to the district attorney and/or\r
+ police to request the computers back as fast as possible because\r
+ they are urgently needed to do business etc.\r
+ As you can see it is very useful to have got a lawyer already\r
+ by hand instead of searching for one after the raid.\r
+ 2) NEVER TALK TO THE COPS !\r
+ The feds can't promise you anything. If they tell you, you'll get\r
+ away if you talk, don't trust them! Only the district attorney\r
+ has got the power to do this. The cops just want to get all\r
+ information possible. So if you tell them anything they'll have\r
+ got more information from and against you.\r
+ You should *always* refuse to give evidence - tell them that you\r
+ will only talk with them via your lawyer.\r
+\r
+ Then you should make a plan with your lawyer how to get you out of this\r
+ shit and reduce the damage.\r
+ But please keep in mind : don't betray your friends. Don't tell them\r
+ any secrets. Don't blow up the scene.\r
+ If you do, that's a boomerang : the guys & scene will be very angry\r
+ and do revenge, and those guys who'll be caught because of your\r
+ evidence will also talk ... and give the cops more information about\r
+ *your* crimes!\r
+\r
+ Note also that once you are caught you get blamed for everything which\r
+ happened on that site. If you (or your lawyer) can show them that they\r
+ don't have got evidences against you for all those cases they might\r
+ have trouble to keep the picture of that "evil hacker" they'll try to\r
+ paint about you at the court. If you can even prove that you couldn't\r
+ do some of the crimes they accuse you for then your chances are even\r
+ better. When the judge sees that false accuses are made he'll suspect\r
+ that there could be more false ones and will become distrusted against\r
+ the bad prepared charges against you.\r
+\r
+ I get often asked if the feds/judge can force you to give up your\r
+ passwords for PGP, encrypted files and/or harddisks.\r
+ That's different for every country. Check out if they could force you\r
+ to open your locked safe.\r
+ If that's the case you should hide the fact that you are crypting your\r
+ data! Talk with your lawyer if it's better for you to stand against\r
+ the direction to give out the password - maybe they'd get evidences\r
+ which could you get into jail for many years.\r
+\r
+ (For german guys : THC-MAG #4 will have got an article about the german\r
+ law, as far as it concerns hacking and phreaking - that article will\r
+ be of course checked by a lawyer to be correct. Note that #4 will only\r
+ discuss germany and hence will be in the german language.\r
+ But non-germans, keep ya head up, this will be the first and last german\r
+ only magazine release ;-)\r
+\r
+\r
+\r
+\r
+ VII. PROGRAMS\r
+ ----------------------------------------------------------------------\r
+\r
+ Here is a small list of programs you should get and use (the best!).\r
+ DON'T email me where to get them from - ask around in the scene!\r
+ I only present here the best log modifiers (see III-4 and IV-3).\r
+ Other programs which are for interest are telnet redirectors (see IV-2)\r
+ but there are so many, and most compile only on 1-3 unix types so there's\r
+ no use to make a list.\r
+\r
+ First a small glossary of terms :\r
+ Change - Changes fields of the logfile to anything you want\r
+ Delete - Deletes, cuts out the entries you want\r
+ Edit - real Editor for the logfile\r
+ Overwrite - just Overwrites the entries with zero-value bytes.\r
+ Don't use such software (f.e. zap) - it can be detected!\r
+\r
+ LOG MODIFIER\r
+ ah-1_0b.tar Changes the entries of accounting information\r
+ clear.c Deletes entries in utmp, wtmp, lastlog and wtmpx\r
+ cloak2.c Changes the entries in utmp, wtmp and lastlog\r
+ invisible.c Overwrites utmp, wtmp and lastlog with predefines values, so\r
+ it's better than zap. Watch out, there are numerous inv*.c !\r
+ marryv11.c Edit utmp, wtmp, lastlog and accounting data - best!\r
+ wzap.c Deletes entries in wtmp\r
+ wtmped.c Deletes entries in wtmp\r
+ zap.c Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!\r
+\r
+\r
+\r
+\r
+ VIII. LAST WORDS\r
+ ----------------------------------------------------------------------\r
+\r
+ Last fucking words:\r
+ Don't get caught, remember these tips and keep your ears dry.\r
+ If someone would like to correct some points, or would like to\r
+ add a comment, or needs more information on a topic or even thinks\r
+ something's missing - then drop me a note.\r
+\r
+\r
+ van Hauser\r
+\r
+\r
+\r
+Type Bits/KeyID Date User ID\r
+pub 1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS\r
+\r
+-----BEGIN PGP PUBLIC KEY BLOCK-----\r
+Version: 2.6.3i\r
+\r
+mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H\r
+ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+\r
+Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT\r
+tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB\r
+5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7\r
+/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0\r
+m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv\r
+3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3\r
+UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS\r
+yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD\r
+BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7\r
+KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0\r
+a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy\r
+iIvvlA==\r
+=nX2w\r
+-----END PGP PUBLIC KEY BLOCK-----\r
+\r
+ ------------------------------------------------------------------------------\r
+\1a
\ No newline at end of file
projects / oweals / thc-archive.git / blobdiff