How to use Shell scripts to cover traces of operations on a Linux server

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article describes how a shell script can be used to cover up the traces of operations on a Linux server by saving and restoring file timestamps. It is offered as reference material for interested readers, and I hope you gain something from it.

Operation steps

Step 1: view and manipulate timestamps

Most Linux systems include tools for quickly viewing and modifying timestamps, the most common of which is "touch". It creates new files and updates the time at which a file or group of files was last "touched".

touch file

If the file does not exist, running the above command creates a new file called "file"; if it already exists, the command updates its modification time to the current system time. A wildcard can also be used, as below.

touch *

This command updates the timestamp of every file in the folder where it is run. After creating or modifying a file, there are several ways to view its details; the first is the "stat" command.

stat file

Running stat returns information about the file, including its access, modification and change timestamps. For a batch of files, you can view each file's timestamp with ls and the "-l" (long) flag, which lists the file details including the modification timestamp.

ls -l

You can now set the current timestamp and view what has been set, or use touch to define a custom timestamp. The "-d" flag takes the date in yyyy-mm-dd format, followed by the hours, minutes and seconds of the time, as follows:

touch -d "2001-01-01 20:00:00" file

Confirm the modification information through the ls command:

ls -l file

This method works for modifying individual timestamps, but it is tedious for hiding traces of operations on a server, so the process can be automated with a shell script.

Step 2: organize Shell scripts

Before you start writing the script, think about what it needs to do. To hide traces on the server, the attacker needs to write the original timestamps of the folder to a file and be able to restore them after any changes have been made.

These two functions are selected by the user's arguments: the script runs the function that matches the argument, and errors must be handled as well. Three actions are possible based on the user's input:

No arguments: an error message is returned

Save (-s): the timestamps are saved to a file

Restore (-r): each file's timestamp is restored from the saved list.

You can build the script with nested if/else statements, or give each function its own "if" statement with its own condition. Write the script in a text editor such as nano.

Step 3: start the script

Start nano from the command line and create a script called "timestamps.sh" with the following command:

nano timestamps.sh

Then enter the following:

#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Use a save (-s) or restore (-r) parameter."
    exit 1
fi

Press Ctrl+O in nano to save the file, then mark it as an executable script with the chmod command.

chmod +x timestamps.sh

Then run the script to check that it returns the error message when no arguments are given. If the script prints our echo statement, we can move on to the next condition.

./timestamps.sh

Step 4: write the timestamp to the file

Define the condition for the if statement; "-s" selects the save function:

if [ "$1" = "-s" ]; then
    # save function goes here
fi

You also need to check whether the file you plan to save the timestamps to (a file named "timestamps") already exists, and if so delete it to avoid duplicate or stale entries, using the following command:

rm -f timestamps

Then use the "ls" command to list all files with their modification times; this output can be piped to another program, such as sed, to clean it up later.

ls -l

Output like the following usually appears:

-rw-r--r-- 1 user user 0 Jan 1 2017 file

To save the timestamp, we only need the year, month, day and file name. The following command strips everything before "Jan":

ls -l file | sed -n 's/^.*Jan/Jan/p'

This prints the information our program needs, but the month still has to be converted to a numerical format:

ls -l file | sed -n 's/^.*Jan/01/p'

Replace all months with numbers:

ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p'

Run in a folder, this prints one line per file: the month number, the day, the year (or time) and the file name.

Then append the output to a file named "timestamps" via ">>":

ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p' >> timestamps

At this point the first two operations of the script, the argument check and the save function, are complete.

Test the script with "-s" and check the saved information with cat:

./timestamps.sh -s
cat timestamps

Step 5: recover the timestamp of the file

After saving the original timestamps, you need a way to restore them so that others do not notice that the files were modified. Add the following condition:

if [ "$1" = "-r" ]; then
    # restore function goes here
fi

Then read the saved file line by line and handle each entry:

while read -r line; do
    # handle one saved entry
done < timestamps

Then assign the fields to variables to make the file data easier to use:

# read splits on runs of blanks, so the day field that ls -l pads with a space
# is handled correctly (cut -d' ' on fixed field numbers breaks on that padding)
read -r MONTH DAY YEAR FILENAME <<< "$line"

These four fields are consistent in the saved timestamp file, except that for a recently modified file ls shows the time instead of the year. The current year is therefore needed as well: it can be hard-coded as the year in which the script is written, or obtained from the system, for example by using the cal command to print the calendar.

Then take the first line of the calendar header and keep only the year:

CURRENTYEAR=$(cal | head -1 | grep -o '[0-9]\{4\}')   # keep only the four-digit year from the header

After defining all the variables, use an "if else" statement to update each file's timestamp from the formatted date, with the touch syntax seen earlier:

touch -d "2001-01-01 20:00:00" file

Because a recent entry holds a time (containing a colon) instead of a year, the following "if else" statement distinguishes the two cases:

if [[ $YEAR == *:* ]]; then
    touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR:00" "$FILENAME"
else
    touch -d "$YEAR-$MONTH-$DAY" "$FILENAME"
fi

Step 6: use a script

The main commands used are as follows:

./timestamps.sh -s                     # save the file timestamps
touch -d "2050-10-12 10:00:00" *       # modify the timestamps of all files in the directory
ls -la                                 # confirm the modified files
./timestamps.sh -r                     # restore the original file timestamps

Finally, run "ls -la" again to check that the file timestamps match the previous backup; this completes the script.
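From the defender's side, the weak point of this technique is that touch -d only rewrites the access and modification times; the inode change time (the "Change" line in stat) is set by the kernel and moves to "now" on every touch. The following detector, an added example that is not part of the article and assumes GNU coreutils on Linux, flags files whose mtime is far older than their ctime, using the article's own touch -d command on a constructed temporary directory:

```bash
#!/usr/bin/env bash
# Added example (not from the article): detect backdated modification times.
# touch -d rewrites atime and mtime, but only the kernel sets ctime, and it
# moves to "now" on every touch. A file whose mtime is much older than its
# ctime is therefore worth a closer look. Assumes GNU coreutils (stat -c, touch -d).

# Print each regular file under $1 whose ctime is more than $2 seconds
# (default: one day) newer than its mtime.
find_backdated() {
    local dir="$1" threshold="${2:-86400}"
    find "$dir" -type f -print | while IFS= read -r f; do
        local mtime ctime
        mtime=$(stat -c %Y "$f")   # epoch seconds of last content modification
        ctime=$(stat -c %Z "$f")   # epoch seconds of last inode change
        if [ $((ctime - mtime)) -gt "$threshold" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed scenario: one untouched file and one file backdated with the
# article's touch -d command. Prints the basenames the detector flags.
demo() {
    local d
    d=$(mktemp -d)
    : > "$d/clean"
    : > "$d/stomped"
    touch -d "2001-01-01 20:00:00" "$d/stomped"
    find_backdated "$d" | while IFS= read -r p; do basename "$p"; done
    rm -rf "$d"
}

demo
```

A hit is a lead rather than proof, because chmod, chown and rename also bump ctime without touching mtime; confirm flagged files against package manifests (for example rpm -V or debsums) or known-good hashes.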

Thank you for reading this article carefully. I hope "How to use Shell scripts to cover traces of operations on a Linux server" has been helpful to you, and that you will continue to follow the industry information channel, where more related knowledge is waiting for you.
