Covering Tracks in UNIX

>Renaming the files to dot or double dots

• It means attackers can hide a files by adding . / .. at the start Example: malware.jpg to . or ..
• There is a space after .

4.0K drwxrwxr-x 2 user user 4.0K May 26 12:11  .
4.0K -rw-rw-r-- 1 user user   12 May 26 12:11 '. '
4.0K drwxrwxr-x 4 user user 4.0K May 26 12:07  ..
4.0K -rw-rw-r-- 1 user user   13 May 26 12:11 '.. '

>Putting the files in certain directories

• We can put these files in certain directories where they won't be noticed such as: /dev, /tmp, /etc, /usr/loca/man, /usr/src etc

>Log Editing

• Log Editing is a very handy skill for an attacker to cover his tracks, because clearing out all the logs arouses a sysadmin's suspicion
• In UNIX, the syslog process stores the logs for the machine and its configuration can be foudn at /etc/syslog.conf. By looking at it, we can find out where the system is configured to store the log files.
• Log files of particular interest are /var/log/secure and /var/log/messages and logs of the certain services we exploited to get into the network
• The log files (usually in /var/log) are written in ASCII and often edited by using a text editor of a PERL script

There are certain files in our UNIX system which can't be edited by a normal text editor and we'll end up corrupting them if we do so, we require special tools for them because there are certain binary data structures built into those log files.

They are /var/run/utmp, /var/log/wtmp, /var/log/btmp, /var/log/lastlog

Files

>Shell history

• Written in ASCII, and can be edited with an editor with root or user privileges
• The history file is different and shell dependent, such as ~/.zsh_history, ~/.bash_history etc.
• Shell history is written when the shell is exited