Appendix I - Things to do after access

I think in this paper we have covered most of the things you can do after access, so I will make this in the style of a checklist from a to z.

a. learn who the admins are on the system
b. watch the system with ps -auxe and ps -auxef (if it works) and pstree to try and keep track of what others are doing
c. read all of the bash history files or any history files you can find on the machine to learn more yourself, and to learn about the users
d. make as many backdoors into the system as you can that you are sure will not be found out
e. keep the access to yourself, don't give out users' passwords on the machine you get root on.
f. always clean your utmp and wtmp right away when you login
g. always clean your mess as you go along, this includes your xferlog and messages
h. if you have root access make sure to read /etc/syslog.conf and /etc/login.defs to see how the system is logging
i. before changing binary files look at the root cron to see what they are running.
j. look for md5 on the system
k. look for separate ftp logs
l. make sure to clean the www logs if you ever send phf commands to the server
m. make an suid root shell and place it somewhere on the system
n. do only what you are sure of, don't do everything in this hacking manual all at once or you are asking to get caught
o. only use nested directories, do not put files into user directories where all they need to do is type ls to see them
p. don't add user accounts and think they will not notice you.
q. don't use pine or other mail programs to read users' mail. if you want to read mail go to the mail dir and read it from unix; new mail you will find in /var/spool/mail, read it there.
r. don't change the system so that other programs they have running will not work any more, they will be on you like flies on shit
s. don't delete files on the system unless you put them there
t. do not modify their web pages, like "i was here" ... you are not a hacker, you are a little kid wanting attention
u. do not change any passwords on the system (unless you are doing it for access and have backed up the passwd file and replace it right after you login)
v. do not use any root account machines for irc access, or to load a bot on
w. if your root account changes or you create files that are owned by the wrong group, be sure to chown the files
x. do not use .rhosts if there is already one there that is being used
y. never telnet or ftp to your account from the hacked box
z. don't fuck up their machine! only do what you know how to do.
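The defender's side of items i, j, m, o and x, added here as an example that is not part of the original manual: a small Python integrity audit that baselines file hashes (the kind of md5-style check item j tells the intruder to look for), then reports modified, new or deleted files, setuid files and .rhosts files. The directory tree, file names and contents in demo() are constructed for the demonstration and are not from any real system.

```python
import hashlib, os, stat, tempfile

def walk_files(root):
    # yield (relative path, absolute path, mode) for every regular file under root
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode):
                yield os.path.relpath(path, root), path, mode

def snapshot(root):
    # baseline of file hashes: the integrity check item j tells the intruder to look for
    baseline = {}
    for rel, path, _ in walk_files(root):
        with open(path, "rb") as f:
            baseline[rel] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def audit(root, baseline):
    # diff against the baseline, then flag setuid files (item m) and .rhosts (item x)
    current = snapshot(root)
    findings = [("new_file", r) for r in current if r not in baseline]
    findings += [("modified", r) for r in current if r in baseline and baseline[r] != current[r]]
    findings += [("deleted", r) for r in baseline if r not in current]
    for rel, _, mode in walk_files(root):
        if mode & stat.S_ISUID:
            findings.append(("setuid", rel))
        if os.path.basename(rel) == ".rhosts":
            findings.append(("rhosts", rel))
    return sorted(findings)

def put(path, data, mode=0o644):
    # helper for the constructed scenario below: write a file and set its mode
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    # constructed scenario (not a real system): baseline a fake tree, then plant a
    # trojaned binary (item i), a setuid shell in a nested dot-directory (items m, o)
    # and a .rhosts file (item x), and audit again
    root = tempfile.mkdtemp()
    put(os.path.join(root, "bin", "ls"), b"original ls binary (constructed)")
    baseline = snapshot(root)
    put(os.path.join(root, "bin", "ls"), b"trojaned ls binary (constructed)")
    put(os.path.join(root, "tmp", ".x", ".y", "sh"), b"#!/bin/sh\n", 0o4755)
    put(os.path.join(root, "home", "alice", ".rhosts"), b"+ +\n")
    return audit(root, baseline)
```

Every finding demo() returns corresponds to one artifact the checklist tells the intruder to leave behind; on a real host the baseline would be taken on a known-clean system and stored off the box, since item j assumes the intruder will look for it.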
