2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report--
Because so many different systems are involved, it is impossible to explain the logs of every Unix variant clearly here, but most of them are similar. Below I will only use the common SunOS and Red Hat as examples; for other systems, please consult the relevant documentation.
Unix system log files are usually stored under the /var/log and /var/adm directories. Usually we can check syslog.conf to see how logging is configured, for example: cat /etc/syslog.conf
On SunOS they are under /var/log and /var/adm; /usr/adm is also a link to /var/adm.
On Red Hat they are under /var/log and /var/run.
The following is a sample listing from SunOS 5.7.
# ls /var/adm
acct      log         messages.1  passwd     sulog  vold.log
aculog    messages    messages.2  sa         utmp   wtmp
lastlog   messages.0  messages.3  spellhist  utmpx  wtmpx
# ls /var/log
authlog          syslog    syslog.1  syslog.3
sysidconfig.log  syslog.0  syslog.2  syslog.4
The following is a sample listing from Red Hat 6.2.
# ls /var/log
boot.log    dmesg           messages.2     secure       uucp
boot.log.1  htmlaccess.log  messages.3     secure.1     wtmp
boot.log.2  httpd           messages.4     secure.2     wtmp.1
boot.log.3  lastlog         netconf.log    secure.3     xferlog
boot.log.4  mailllog        netconf.log.1  secure.4     xferlog.1
cron        maillog         netconf.log.2  sendmail.st  xferlog.2
cron.1      maillog.1       netconf.log.3  spooler      xferlog.3
cron.2      maillog.2       netconf.log.4  spooler.1    xferlog.4
cron.3      maillog.3       news           spooler.2
cron.4      maillog.4       normal.log     spooler.3
daily.log   messages        realtime.log   spooler.4
daily.sh    messages.1      samba          transfer.log
# ls /var/run
atd.pid       gpm.pid     klogd.pid  random-seed   treemenu.cache
crond.pid     identd.pid  netreport  runlevel.dir  utmp
ftp.pids-all  inetd.pid   news       syslogd.pid
Generally speaking, the logs we need to clear are:
lastlog
utmp (utmpx)
wtmp (wtmpx)
messages
syslog
sulog
In addition, the various shells record the history of commands the user has run in files in the user's home directory, usually named .sh_history (ksh), .history (csh), .bash_history (bash), and so on.
Generally, it is enough to wipe the logs mentioned above. :)
Next I will describe these logs and how to clean them. For more detailed information and for other logs, please consult the relevant documentation.
First of all, what do these logs do, i.e. what does each one record?
lastlog
lastlog records each user's last login time and the origin of that login.
When a user logs in to a Unix system, the login program looks up the user's UID in the lastlog file. If it finds the UID, Unix displays the last login time and TTY (terminal number).
Here is an example:
SunOS 5.7
login: gao
Password:
No directory! Logging in with home=/
Last login: Sun Feb 4 22:18:25 from 211.167.1.24
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
$
Then the login program updates the lastlog file with the new login time and TTY information, and also updates the utmp and wtmp files.
utmp
utmp records the users currently logged in to the system. The file changes as users enter and leave the system; together with wtmp it also provides a longer history of users on the system. utmp is usually stored at /etc/utmp. You can view it with the w and who commands, but other commands also read this file, :) such as finger. Nowadays utmp usually has a utmpx file alongside it as a supplement to the records; don't forget to wipe that too. :)
wtmp
The wtmp file records user login and logout events, similar to utmp, but it grows larger and larger as the number of logins increases. On some systems ftp access is also recorded in this file. It also records normal system shutdown times. You can read it with the last and ac commands.
syslog & messages
By looking at /etc/syslog.conf we can see what syslog records. :)
It records the logs generated by many different programs.
A dedicated syslogd process writes them.
By default it sends most of the information to /var/adm/messages.
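From the defender's side, the same syslog.conf tells you which messages are only ever written to a local file (and so can be edited or truncated by anyone who gets root) and which are also forwarded to a remote host through an @host action. The following is an added example, not code from this page: it parses a constructed syslog.conf in classic BSD syntax (the loghost name is made up) and lists the facilities that have only local destinations.

```python
from collections import defaultdict

# Constructed sample (not from any real host), classic BSD syslog.conf syntax:
# "facility[,facility].priority[;more selectors]", whitespace, then one action.
SAMPLE_CONF = """
# everything of info or above, except mail and authpriv, to messages
*.info;mail.none;authpriv.none        /var/log/messages
authpriv.*                            /var/log/secure
mail.*                                -/var/log/maillog
*.emerg                               *
auth.*;authpriv.*                     @loghost.example.org
kern.*                                |/dev/console
"""

def parse_syslog_conf(text):
    """Return one (facilities, priority, action) tuple per selector."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        for sel in selectors.split(";"):
            if "." not in sel:
                continue
            facs, prio = sel.rsplit(".", 1)
            rules.append((facs.split(","), prio, action.strip()))
    return rules

def classify_action(action):
    """Where a matching message ends up: remote host, pipe, local file, or users' terminals."""
    if action.startswith("@"):
        return "remote"
    if action.startswith("|"):
        return "pipe"
    if action.lstrip("-").startswith("/"):       # a leading '-' only disables fsync on Linux
        return "local"
    return "users"                               # '*' (wall) or a user list: nothing durable

def local_only_facilities(text):
    """Facilities written to a local file but never to a remote host ('*' = all others)."""
    kinds = defaultdict(set)
    for facs, prio, action in parse_syslog_conf(text):
        if prio == "none":                       # '.none' excludes the facility from this action
            continue
        for fac in facs:
            kinds[fac].add(classify_action(action))
    return sorted(f for f, k in kinds.items() if "local" in k and "remote" not in k)
```

In the sample, auth and authpriv are mirrored to the loghost, while mail and the catch-all "*" exist only on the local disk; adding an @loghost action for those selectors is the corresponding mitigation.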
sulog
sulog records use of the switch-user command su.
It is usually at /var/adm/sulog.
If you have used the su command on the machine, don't forget to clear it. :)
Shell record
.sh_history (ksh), .history (csh), .bash_history (bash), etc. are the shell's execution history: they record the commands the user has run. They usually live in the user's home directory; don't forget to also look in root's home directory. When I * a machine, I can often find other people's hacking records there, :) so you must remember to clear it.
1. Logs are all files in text form, so the stupidest way is to open the log file with a text editor such as vi and delete the related records, to wipe your footprints and hide yourself.
But doing so is stupid: it is too troublesome and the workload is too heavy.
If there are 50 machines for you to deal with, then, hehe, let's see how busy you are. :)
2. When I first started learning Unix, I often used rm -f to delete logs, for example: rm -f /usr/adm/lastlog
Hehe.
It is foolish to do so.
It makes it easier for the administrator to notice that someone *. Relatively speaking, though, it still protects me. :)
It can be used on some less important machines.
3. Clear with the > redirection operator.
For example:
# cat > /usr/log/lastlog
Type whatever you want written here. It's best to make it look like something real, or you can type nothing at all. :)
^D -> here ^D is the key Ctrl+D.
#
If I don't bring a log clearing tool with me on the battlefield, I usually use this to clear. :) It saves trouble.
Or find some old logs to overwrite it with. :)
4. Of course, the best thing is to use a log removal tool.
Type a few commands and let the program erase it for you. :)
a. Common log cleanup tools.
Available in general rootkit packages: z2.c and wted.c.
They are easy to find.
Many online tutorials introduce the use of these two tools, so I won't repeat that here. :) Saves time.
b. Here I provide a log cleanup script that I used for a while.
cleaner.sh in HUCkit.zip
This is how to use it:
# chmod 755 cleaner.sh
# ./cleaner.sh
Log cleaner v0.5b By: Tragedy/Dor *
* Usage: cleaner.sh
# ./cleaner.sh username
where username is the user account whose log entries you want to clear. :)
For example:
# ./cleaner.sh gao
Log cleaner v0.5b By: Tragedy/Dor
OS Detection....
Detected SunOS
-clog.sh
It can easily be copied onto the host; there is no need to fetch it with ftp. :)
It also clears most of the logs with a single command.
That's why I often use it.
But it cleans so thoroughly that the previous records are all deleted.
And sometimes it is not very clean; for example, lastlog and utmp are sometimes not removed.
Therefore, I now usually combine two tools to clear the logs.
Good ones are usually introduced later. :)
Here is another log cleaner that I think is better. :)
wipe-1.00.tgz in HUCkit.zip.
It can clean up:
lastlog
utmp
utmpx
wtmp
wtmpx
:)
Let's take a look (demonstration platform: SunOS 5.7).
# gzip -d wipe-1.00.tgz
# tar -xf wipe-1.00.tar
# cd wipe-1.00
# ls -al
total 32
drwxr-xr-x   2 root     root         512 Feb  4 20:48 .
drwxrwxrwx   6 root     other       1024 Feb  4 18:40 ..
-rw-r--r--   1 root     root         130 Jan  9  1997 INSTALL
-rw-r--r--   1 root     staff       1389 Jan  9  1997 Makefile
-rw-r--r--   1 root     root         498 Jan  9  1997 README
-rw-r--r--   1 root     staff      10027 Jan  9  1997 wipe.c
# make
Wipe v0.01!
Usage: 'make' where system types are:
linux freebsd sunos4 solaris2 ultrix
aix irix digital bsdi netbsd hpux
#
We can see that it needs the system type to be given. The options are:
linux freebsd sunos4 solaris2 ultrix
aix irix digital bsdi netbsd hpux
To clear a given system's logs, we must compile on that same type of system.
For example, to compile under a Linux such as Red Hat, it should be: make linux
Under FreeBSD it should be: make freebsd
Under SunOS 4 it should be: make sunos4
On SunOS 5 or above it should be: make solaris2
Here we use make solaris2.
SunOS 5 and above is called Solaris.
# make solaris2
gcc -O3 -DHAVE_LASTLOG_H -DHAVE_UTMPX -o wipe wipe.c
# ls -al
total 94
drwxr-xr-x   2 root     root         512 Feb  4 21:03 .
drwxrwxrwx   6 root     other       1024 Feb  4 18:40 ..
-rw-r--r--   1 root     root         130 Jan  9  1997 INSTALL
-rw-r--r--   1 root     staff       1389 Jan  9  1997 Makefile
-rw-r--r--   1 root     root         498 Jan  9  1997 README
-rwxr-xr-x   1 root     other      30920 Feb  4 21:03 wipe
-rw-r--r--   1 root     staff      10027 Jan  9  1997 wipe.c
# ./wipe
USAGE: wipe [uwla] ... options ...
UTMP editing:
  Erase all usernames:         wipe u [username]
  Erase one username on tty:   wipe u [username] [tty]
WTMP editing:
  Erase last entry for user:   wipe w [username]
  Erase last entry on tty:     wipe w [username] [tty]
LASTLOG editing:
  Blank lastlog for user:      wipe l [username]
  Alter lastlog entry:         wipe l [username] [tty] [time] [host]
    where [time] is in the format [YYMMddhhmm]
ACCT editing:
  Erase acct entries on tty:   wipe a [username] [tty]
You can see how to use the compiled wipe.
The u option erases utmp/utmpx entries.
The w option erases wtmp/wtmpx entries.
The l option erases lastlog entries.
The a option erases /var/adm/pacct entries (this is not usually used. :)
Here [tty] is the terminal number. This option is used when several sessions of the same account are logged in at the same time; you clear your own terminal, of course.
You can check the terminal number with the w command.
For example:
# w
  9:15  1 user,  load average: 0.00, 0.00, 0.01
User     tty      login@  idle   JCPU   PCPU  what
gao      pts/1    7:40    3                   w
The following is my actual usage on SunOS 5.7. :)
# w
  9:15  1 user,  load average: 0.00, 0.00, 0.01
User     tty      login@  idle   JCPU   PCPU  what
gao      pts/1    7:40    3                   w
# ./wipe u gao
Patching /var/adm/utmp.... Done.
Patching /var/adm/utmpx.... Done.
# w
  9:15  1 user,  load average: 0.00, 0.00, 0.01
User     tty      login@  idle   JCPU   PCPU  what
# ./wipe w gao
Patching /var/adm/wtmp.... Done.
Patching /var/adm/wtmpx.... Done.
# ./wipe l gao
Patching /var/adm/lastlog.... Done.
OK.
lastlog, utmp, utmpx, wtmp and wtmpx are done.
Did you notice wipe u gao?
Why did I run the w command first?
Hehe.
Think about it.
So we usually run wipe u gao right after logging in to the system, to hide yourself. :)
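From the defender's side, the fixed-size record layout that lets wipe patch utmp/wtmp in place is also what makes such edits detectable. The following is an added example, not code from this page or from the wipe project: it assumes the glibc x86_64 struct utmp layout (384-byte records; SunOS utmpx uses a different layout), builds a constructed wtmp in memory, and flags zero-filled slots, a logout on a tty with no preceding login, and timestamps that run backwards.

```python
import struct
from collections import namedtuple

# Assumed record layout: glibc struct utmp on x86_64, 384 bytes per record.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)           # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
Entry = namedtuple("Entry", "index type pid line user sec")

def cstr(b):
    return b.split(b"\0", 1)[0].decode(errors="replace")

def pack_record(ut_type, pid, line, user, host, sec):
    """Build one wtmp record; used only to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

def parse_wtmp(blob):
    out = []
    for i in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, blob[i:i + UTMP_SIZE])
        out.append(Entry(i // UTMP_SIZE, f[0], f[1], cstr(f[2]), cstr(f[4]), f[9]))
    return out

def find_tampering(blob):
    """Heuristics for an edited wtmp: blank slots, orphan logouts, time going backwards."""
    findings, open_lines, last_sec = [], set(), 0
    for e in parse_wtmp(blob):
        if e.type == 0 and e.pid == 0 and e.sec == 0:
            findings.append((e.index, "zero-filled record"))
            continue
        if e.sec < last_sec:
            findings.append((e.index, "timestamp earlier than previous record"))
        last_sec = e.sec
        if e.type == USER_PROCESS:
            open_lines.add(e.line)
        elif e.type == DEAD_PROCESS:
            if e.line not in open_lines:
                findings.append((e.index, "logout on %s with no matching login" % e.line))
            open_lines.discard(e.line)
    return findings

def sample_wtmp(wiped=False):
    # Constructed wtmp: a boot, two logins, two logouts; optionally one login blanked.
    recs = [pack_record(BOOT_TIME, 0, "~", "reboot", "", 1000),
            pack_record(USER_PROCESS, 501, "pts/1", "gao", "host-a", 1100),
            pack_record(USER_PROCESS, 502, "pts/2", "alice", "host-b", 1150),
            pack_record(DEAD_PROCESS, 501, "pts/1", "", "", 1200),
            pack_record(DEAD_PROCESS, 502, "pts/2", "", "", 1300)]
    if wiped:                                   # in-place blanking, as a record editor would do it
        recs[1] = b"\0" * UTMP_SIZE
    return b"".join(recs)
```

The same checks apply to a real file by reading it into blob; the orphan-logout rule is what catches a removed login even when the editor rewrites the file instead of zeroing the slot.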
Of course, let's not forget the shell record.
# ls -al /.*history
-rw-------   1 root     other        456 Feb  4 20:27 .sh_history
# rm -f .*history
# cd
# pwd
/home/gao
# ls -al /.*history
-rw-------   1 root     other        456 Feb  4 20:27 .sh_history
# rm -f .*history
OK, a script plus a program, plus one more operation, to ensure your basic safety. :)
Of course, if you understand the system better, you will find that there are still problems with this kind of removal. :)