--- /dev/null
+ ------------------------------------------------------------------------------\r
+\r
+\r
+\r
+ ################################################\r
+ # #\r
+ # HOW TO COVER YOUR TRACKS #\r
+ # #\r
+ ################################################\r
+\r
+\r
+\r
+\r
+ PART TWO : PRACTICE\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+ I. THE FIRST COMMAND\r
+\r
+ The first command you should enter after logging in with a hacked account\r
+ is a shell different from the one you are currently running as login shell.\r
+ The purpose is to disable history saving of the commands you'll type in\r
+ while hacking. A history check by the real user or sysadmin reveils your\r
+ presence and what you did!!\r
+ If you are running a CSH then execute a SH and vice versa.\r
+\r
+$ <- this is a SH prompt\r
+% <- this is a CSH prompt\r
+\r
+ If it does not look like the standard prompts above then execute SH.\r
+ If the prompt stays the same, type "exit" and execute the CSH ...\r
+ The reason for using these two shells and not bash, ksh, zsh etc. is\r
+ that these two are simple with no extra options enabled by default\r
+ (like history saving).\r
+\r
+\r
+ II. LASTLOG WORKAROUND\r
+\r
+ If you saw a text like "Last successful login from alpha.master.mil"\r
+ when you logged on with the hacked account and you can't hack root or\r
+ don't want to disrupt the system logs with deleting data then execute\r
+ the following : "rlogin <the_host_you_are_on>" and provide again the\r
+ password of the hacked account if necessary. After seeing the shell\r
+ prompt type exit to be back again. This will change the header\r
+ "Last login from ..." etc. to the <current host> or "localhost" \r
+ which is much more unsuspicious than "site.real.user.never.saw.com"\r
+ Of course you only need to do this if your origin host might attract\r
+ attention to user and/or sysadmin.\r
+\r
+\r
+ III. WHO WORKAROUND\r
+\r
+ After completing step 1 + 2 type "w" ... you'll see all currently\r
+ online users ... with the adress they logged on from. Once again\r
+ something like your origin host in the netherlands will be very\r
+ suspicious to users and/or root if the site is in the usa.\r
+ If you can't hack root or once again don't want to tamper with the\r
+ log files you can try a bug which works still for many up2date\r
+ unix distributions: just execute "login" with the same login+password.\r
+ Type "w" again and if it worked, your origin will be changed to\r
+ something like "tty05".\r
+ Of course you only need to do this if your origin host might attract\r
+ attention by other users and/or sysadmin.\r
+ \r
+\r
+ V. EXECUTING PROGRAMS\r
+\r
+ Don't execute programs with suspicous names ... ISS and YPX are for\r
+ example very suspicous, and a skilled admin knows what's going on if\r
+ he sees a user running "loadmodule SandraBullok" on his Sun ... ;-)\r
+ Either you copy & rename the commands or you use those sources around\r
+ which exchanges the command name in the process list.\r
+ Btw. the process list can be checked by "ps -ef" or "ps -auxwww" and\r
+ the current command every user is executing with "w" and the most CPU\r
+ consuming processes with "top" ... so it's really easy to monitor \r
+ the programs the user(s) are running.\r
+\r
+\r
+ VI. EXECUTING TELNET\r
+\r
+ There are only two things which should be said about about using telnet\r
+ for hacking purpose (e.g. doing a telnet to the next target).\r
+ First NEVER just type "telnet target.host.com". Type "telnet" and then\r
+ "open target.host.com" which will not show up as parameter in the process\r
+ list. The seconds is that some telnet clients do export enviroment\r
+ variables. And if your hack is detected and they could trace the\r
+ connection back to your origin host they could also have got the account\r
+ you used on the origin host. So redefine (to anything you want) the\r
+ following environement variables before starting telnet, rlogin or similar: \r
+ USER, LOGNAME, UID, HOME, MAIL - maybe you should do a "cd /tmp" too\r
+ to change the PWD variable too ...\r
+ To change those variables ->\r
+ SH : <variable>=<new_value>;export <variable>\r
+ example : USER=nobody;export USER\r
+ CSH: setenv <variable> <new_value>\r
+ example : setenv USER nobody\r
+ \r
+ and don't forget to reset the variables after your telnet if you want to\r
+ do something with the account before you log out.\r
+\r
+\r
+ VII. REMOVE YOUR FILES\r
+\r
+ When you tried exploits - successful or not - delete them immedeantely\r
+ after trying them - especially if you try them in /tmp !\r
+ Nothing is more interesting than snooping in the /tmp directory to see\r
+ what other users are doing ... If you really need to work in the temp\r
+ directory (because suid is squashed in your home dir) then create a\r
+ usual directory like ".X11", and give it 711 permissions.\r
+ Remember, if someone snoops in the directories while you are hacking or\r
+ your loose connection and can't relogin or you forget about them you\r
+ are in deep trouble.\r
+\r
+\r
+ --> ! The following 2 points are only possible with root access ! <--\r
+\r
+\r
+ VI. MODIFYING THE LOGS\r
+\r
+ The important log files are LASTLOG, WTMP and UTMP.\r
+ If you were successful in hacking root then you should modify them.\r
+ They can usually be found in /etc, /var/adm or /var/log ... it differs,\r
+ just check the man pages.\r
+ Which tools should you use? ZAP (or ZAP2) is nice, but it does NOT delete\r
+ you from the logs but overwrite the entries with zeros. CERT already\r
+ published tools which easily check the logs for those overwritten entries.\r
+ And nothing shouts more "Hey there's a hacker on the system with root\r
+ access!" into the sysadmin's face than that.\r
+ Important for ZAP : Check the paths defined in the sources for the logs!\r
+ Try CLOAK2 which can change the data of the important data fields ;) But\r
+ it doesn't compile on all unix OS types.\r
+ You can also try CLEAR, included in this magazine, which REALLY deletes\r
+ the entries ... ;)\r
+\r
+ \r
+ VII. SYSLOG & LASTCOMM\r
+\r
+ You should also check the syslog messages logfile if maybe entries with\r
+ your hacked account or your origin host are in it. It's usually located\r
+ in /var/adm or /var/log ... most time it's called "messages" but again\r
+ can differ - and also check other logfiles there which are generated by\r
+ auth.* and authpriv.* messages (and of course xferlog etc.).\r
+ Check the file /etc/syslog.conf to see the correct file and check out what\r
+ is logged to which file/program/mail/user.\r
+ If you see something like "@loghost" and you find your origin host in\r
+ the messages file than you've got a problem. It's also logged at another\r
+ site which is most time not accessible from remote. But try to install\r
+ a sniffer, (see section VIII. !) and check if a root does a successful\r
+ login to the loghost - and then you've got also the password for that\r
+ host and are in to handle the problem ;)\r
+ To remove f.e. your hostname from the "messages" logfile execute :\r
+ "grep -v evil.host.com messages > /tmp/tmpfile; mv /tmp/tmpfile messages"\r
+\r
+ LASTCOMM (from accton etc.) is a tool to log all executed commands, with\r
+ a flag if the file executed had the SUID flag set and if a command was\r
+ executed by root. You can find this logfile in the same directory as the\r
+ syslog file. That's a really evil tool against hackers but - luck! -\r
+ most times it is not installed. But now you don't have to fear that\r
+ anymore :) Get Zhart's excellent ACCT Cleaner and feel the freedom ;-)\r
+\r
+ \r
+ VIII. INSTALLING TROJANS\r
+\r
+ When you install a sniffer, remember that anyone can execute "ifconfig -a"\r
+ to check if the card is in promiscious mode. Get a rootkit for your unix\r
+ OS and replace it. Run fixer.c on it for the correct checksum and date/time\r
+ but check the root account first if maybe tripwire or other binary checker\r
+ are installed! Remember this for every binary you replace. If the binary\r
+ is in a directory which is NFS mounted and can't be remounted in write mode\r
+ then you must first hack the NFS host - life isn't easy sometimes ;)\r
+\r
+\r
+\r
+ X. THE END\r
+\r
+ I hope you had fun and learned alot from these two textfiles, the\r
+ theory/background and the practice one.\r
+ For updates, tips, tricks etc. just email me at -> mc@thc.net\r
+ Remember : Never get lazy. Every work must be done 100% -\r
+ or face the consequences!\r
+\r
+\r
+ van Hauser\r
+\r
+\r
+\r
+Type Bits/KeyID Date User ID\r
+pub 1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS\r
+\r
+-----BEGIN PGP PUBLIC KEY BLOCK-----\r
+Version: 2.6.3i\r
+\r
+mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H\r
+ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+\r
+Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT\r
+tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB\r
+5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7\r
+/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0\r
+m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv\r
+3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3\r
+UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS\r
+yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD\r
+BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7\r
+KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0\r
+a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy\r
+iIvvlA==\r
+=nX2w\r
+-----END PGP PUBLIC KEY BLOCK-----\r
+\r
+ ------------------------------------------------------------------------------\r
+\1a
\ No newline at end of file
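Review bot: every added line carries a CRLF terminator and the final `+` line consists of a stray 0x1A (DOS end-of-file) byte with no trailing newline, so decide up front whether this file is an archival copy or an edited text. If archival, store it byte-exact and protect it in .gitattributes (for example `*.txt -text`) so later checkouts and editors do not silently rewrite the line endings; if edited, strip the CR bytes and the 0x1A and add a final newline, but do not commit a mix of both. The section numbering is also inconsistent as written: the headings run I, II, III, V, VI, VII and then VI, VII, VIII, X again, so IV and IX are missing and VI and VII occur twice; if the text is being edited rather than archived, renumber sequentially so the cross-reference "see section VIII. !" under SYSLOG & LASTCOMM points unambiguously at the INSTALLING TROJANS section. The embedded PGP public key block must stay verbatim in either case, since any reflow or whitespace change to those lines corrupts the ASCII-armored data and makes the key unusable for verification.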