About security logs
Hey!
Assuming you have penetrated a server/PC running a Unix-like system, what would you erase as logs? I know that we have to clean the computer after having our job done, but which logs do we have to modify? Where is this information stored?
Now, assuming I want to protect my computer (and my logs by the way), what could I do? If I create a script that copies these logs into an arbitrary /home/user/.hidden/..morehidden/*, would it be worth it?
Let’s have more literature !
For example, syslog allows you to duplicate your logs on an external server.
You’d use permissions to lock down your log files so that only certain users/applications would be able to edit them.
If you are worried about knowing whether someone has gained access to your system and has modified files/replaced software binaries, then you'll need to install something like tripwire, which will alert you to any changes in binaries/files.
Folding@Home Stats | Official Thread | Team Number: 223679
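Added example, not code from the thread or from tripwire itself: a minimal tripwire-style check that records a baseline of /var/log and later classifies each file. Because logs only ever grow, a file that shrank or whose earlier bytes changed is a sign of editing, while pure growth is normal; the baseline must be kept off the box (e.g. beside the remote syslog copy), since an intruder with root can edit both.

```python
"""Tripwire-style integrity check for an append-only log directory (added
example). Keep the baseline off the box, e.g. beside the remote syslog copy."""
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(log_dir):
    """Record size and SHA-256 of every regular file under log_dir."""
    root = Path(log_dir)
    return {str(p.relative_to(root)): {"size": p.stat().st_size,
                                       "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
            for p in sorted(root.rglob("*")) if p.is_file()}

def check(baseline, log_dir):
    """Logs only grow: a shrink or a changed prefix means editing, growth is normal."""
    root = Path(log_dir)
    findings = {}
    for name, old in baseline.items():
        path = root / name
        if not path.is_file():
            findings[name] = "deleted"
            continue
        data = path.read_bytes()
        if len(data) < old["size"]:
            findings[name] = "truncated"   # entries removed
        elif hashlib.sha256(data[:old["size"]]).hexdigest() != old["sha256"]:
            findings[name] = "rewritten"   # earlier entries edited in place
        else:
            findings[name] = "appended" if len(data) > old["size"] else "unchanged"
    for p in root.rglob("*"):
        if p.is_file() and str(p.relative_to(root)) not in baseline:
            findings[str(p.relative_to(root))] = "new"
    return findings

def demo():
    """Constructed scenario in a temp dir: baseline, then growth, a removed line, an edit, a delete."""
    d = Path(tempfile.mkdtemp())
    (d / "auth.log").write_text("login root tty1\nlogin bob pts/0\nlogout bob\n")
    (d / "syslog").write_text("cron started\n")
    (d / "kern.log").write_text("eth0 up\neth1 up\n")
    (d / "old.log").write_text("rotated\n")
    baseline = snapshot(d)
    (d / "auth.log").write_text("login root tty1\nlogout bob\n")  # one line removed
    with open(d / "syslog", "a") as fh:
        fh.write("sshd started\n")                                 # normal append
    (d / "kern.log").write_text("eth0 up\neth9 up\n")              # same size, edited
    os.remove(d / "old.log")
    (d / "new.log").write_text("fresh\n")
    return check(baseline, d)
```

In practice you would run snapshot() against /var/log from a cron job, ship the result to the log server, and run check() there against a fresh copy.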
lalla, come to IRC, we can also explain there. If not, just google wiping Linux system logs; there are a lot, and sometimes cron jobs are used to back up a backup.
i bake therefore im fried!!
Logs are normally stored in /var/log on *Unix machines.
Inside /var/log will be a directory with the application's name, or a log file for whatever service.
Depending on the application, different data will be stored there. Normally the date and time of an event, what the event was and who triggered it (IP/User/TTY).
If you were compromising a machine, you would make a note of which services you exploited, then modify, not wipe, their respective logs. For example, if you exploited a vulnerability from a website, you would remove your presence from the logs of the web server, PHP, SQL etc.
Like oxide says, there is a lot of information on the net regarding logs and which are important.
You know what, Osaka, I don't usually do it that way, but now that you mention it there is more of a chance of an attack being detected if all logs are wiped. But how the hell do you find your IP in the logs? Do a grep?
There are tools to help you analyze logs and to even monitor for “suspicious” activity (and when such activity is noticed, the offender can be blocked, admin can be alerted or both).
Even the open source community has such tools, like fail2ban, snort, logstash etc.
- daMage
Yes, that is true. You want to wipe out the system logs, but it's useless if the firewall and router have your IP in them :)