Chapter V - Making yourself invisible

The whole point of this hacking stuff is that you continue to have access to as many points of information as possible. If you do stupid things, or fail just once to clean your utmp or wtmp, xferlogs, etc., you can lose access to the system. Make yourself a regular order to follow and learn each system well! Become part of the system, and take many notes if you are doing many systems at once. But remember, make yourself a routine. Have your set routine of taking your time to clean any presence of your login, transfers, etc. Do NOT fail in this one thing or you will lose access and possibly face some sort of charges.

Section 5A - Zap2 (for wtmp/lastlog/utmp)

There are different log cleaning programs out there, but the best of these is zap2. I compile mine to be named z2.

z2 will be run right after you get root access. This will want to be one of the fastest things you run. (You never know.)

You might want to do a finger @host.xxx to see who is on now, and look at the idle time of root or admin accounts to see if they are away doing something. Login, and as soon as you get on, type w to see idle time and who is on, but at the same time you are looking at that, be typing your root access command that you should have waiting somewhere nested in the system. As soon as you get your root access, type ./z2 username-u-logged-in-as

Now you are safer than you were. Do a w or who command to see that you are gone from the utmp. If you ftp, or do other things, you might have to use other programs I will include in the next section, called wted and lled.

Let's finish with this z2 first. You will have to see where each file is in the system and edit z2.c to include the right location of these files. Here is the area you will look for right at the top of the file:

#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

Most of the systems I log in to are:

#define WTMP_NAME "/var/adm/wtmp"
#define UTMP_NAME "/var/adm/utmp"
#define LASTLOG_NAME "/var/adm/lastlog"

But do your own look around to see where the files are. /var/log is also a regular location.

Add the log locations for each system, compile the file, and you are all ready to be invisible right after the login using z2.

Here is the .c file

z2.c

Section 5B - Other scripts

Now we come to the other part of this. Let's say that after you login and do your z2, you need to ftp in to grab a file. (Remember, NEVER ftp or telnet out.) Ok, you ftp in and grab a few files, or login to another account on the system; now you will need to use wted. wted will let you edit the wtmp to remove your login from the ftp. You also might need to use lled (lastlog edit).

Here is the menu if you type ./wted, after setting log locations and compiling:

[8:25pm][/home/compile]wted
Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h This help
-f Use FILE instead of default
-a Show all entries found
-u Show all entries for USER
-b Show NULL entries
-e Erase USER completely
-c Erase all connections containing HOST
-z Show ZAP'd entries
-x Attempt to remove ZAP'd entries completely

So if I ftp to username tsmith I would type wted -x -e tsmith. The program will now prompt you one login at a time for the user tsmith, asking if you want to delete it. After you delete your login, make sure to chmod 644 the wtmp.tmp file and then copy it over the top of the wtmp file in the log directory. Like this:

1. chmod 644 wtmp.tmp
2. cp wtmp.tmp /var/adm/wtmp

Here is your wted program. MAKE SURE TO HAVE THE RIGHT PATH TO THE char file below; that is, make sure you have the right path to the wtmp file.

wted.c

You might also have to clean stuff out of the file /var/adm/lastlog. For this use lled.c. Compile the program and name it lled. Here is a menu from the program when you type ./lled:

[4:04am][/home/paris/compile]lled
Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h This help
-f Use FILE instead of default
-a Show all entries found
-u Show all entries for USER
-b Show NULL entries
-e Erase USER completely
-c Erase all connections containing HOST
-z Show ZAP'd entries
-x Attempt to remove ZAP'd entries completely

It would be good to try to view first using -u, but many times it will not show your username in the lastlog. It will still have your host, though, so I have found that if you know what to look for you can just type something like this: if the host name I was coming from was machine.edit.com, I could type lled -e username -c machine.edit

If you need to view the lastlog, your host entry should be at the end of the file; just type: lled -a

chmod the file lastlog.tmp 644 and copy the file over the top of the lastlog file in the log directory, just like you did above for wted.

BE SURE TO SET THE PATH FOR YOUR lastlog below!

Ok here is your lled.c

A good perl script for editing utmp, wtmp, and checking processes. It will also let you insert lines in wtmp. So if you need to play you can add clinton.whitehouse.gov logging into port ttyp3 and show he stayed on the system for a few hours!

Running 'check' will let you know if someone is on the system and not showing up in the utmp log. Admins like to hide the fact that they are online sometimes. This will allow you to see their connection. You must be root to run the script, and they need perl 5.003+ on their system. After starting the script just type help.

Here are some of the basic commands (the script starts by loading wtmp):

delete user username
delete host hostname
write
read wtmp
delete user username
delete host hostname
write

Do help for the rest ... the best utmp/wtmp editor around!

Say thank you, i-e ;)

utmpman.pl
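The edits this chapter walks through leave traces an administrator can look for: a record zeroed out in wtmp (what wted and lled list as NULL or ZAP'd entries), a wtmp that no longer begins with its previous contents after a wtmp.tmp was copied over it, and a shell holding a tty with no matching utmp record, which is the condition the 'check' command above tests for. Here is an added Python example of those three checks; it is not part of this page and is not the code of z2, wted, lled or utmpman. It assumes the glibc struct utmp layout (384-byte records; the older SunOS/BSD record the chapter's tools were written for is shorter) and runs on constructed sample records embedded in the block. The function names, the sample data and the process list are my own.

```python
import struct
from collections import namedtuple

# Assumed record layout: glibc struct utmp on x86-64 (384 bytes per record, <utmp.h>).
# The SunOS/BSD wtmp the chapter's tools targeted used a shorter record;
# change UTMP_STRUCT to match the host whose logs you are checking.
UTMP_STRUCT = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8      # ut_type values from <utmp.h>

Record = namedtuple("Record", "type pid line ut_id user host tv_sec")


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(blob):
    """Return a list of Record tuples, one per full record in a utmp/wtmp image."""
    out = []
    for off in range(0, len(blob) - UTMP_STRUCT.size + 1, UTMP_STRUCT.size):
        (ut_type, pid, line, ut_id, user, host, _term, _exit,
         _session, tv_sec, _usec, *_addr) = UTMP_STRUCT.unpack_from(blob, off)
        out.append(Record(ut_type, pid, _cstr(line), _cstr(ut_id),
                          _cstr(user), _cstr(host), tv_sec))
    return out


def find_zapped(records, live_utmp=False):
    """Flag records whose identifying fields were overwritten with zeros.

    In wtmp every legitimate record carries a line or a user name (logins and
    logouts carry the tty; boot and runlevel records carry '~' and 'reboot' or
    'runlevel'), so an all-blank record is what the chapter's tools list as a
    NULL or ZAP'd entry. In the live utmp a fully zero type-0 slot is normal
    reuse, so it is skipped when live_utmp=True.
    """
    hits = []
    for i, r in enumerate(records):
        blank = not (r.user or r.line or r.host)
        if blank:
            if live_utmp and r.type == EMPTY and not (r.pid or r.tv_sec):
                continue
            hits.append((i, "blank record: fields overwritten with zeros"))
        elif r.type == USER_PROCESS and not r.user:
            hits.append((i, "login record with no user name"))
    return hits


def wtmp_rewritten(previous, current):
    """wtmp is append-only, so a later snapshot must begin with the earlier bytes.

    True means the file was truncated, shrank, or was rewritten (for example
    copied over from an edited temporary file). Compare against the rotated
    file after logrotate runs, or this fires on every rotation.
    """
    return not current.startswith(previous)


def sessions_not_in_utmp(records, processes):
    """Processes that hold a controlling tty but have no live login record.

    processes: iterable of (pid, tty, user) as `ps -eo pid,tty,user` reports.
    A shell on a tty with no USER_PROCESS record for that tty is a session
    that was removed from utmp (or never registered there).
    """
    live = {r.line for r in records if r.type == USER_PROCESS}
    return [p for p in processes if p[1] not in ("?", "") and p[1] not in live]


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used here only to construct the sample data below."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"", user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample data, not captured from a real system.
SAMPLE_UTMP = (make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1700000000)
               + make_record(USER_PROCESS, 1340, "pts/1", "tsmith", "machine.example", 1700000300))
SAMPLE_WTMP = (SAMPLE_UTMP
               + make_record(EMPTY, 1340, "", "", "", 1700000300)   # a zeroed-out login
               + make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1700003600))
SAMPLE_PROCESSES = [(1, "?", "root"), (1201, "pts/0", "alice"),
                    (1340, "pts/1", "tsmith"), (1502, "pts/2", "root")]

if __name__ == "__main__":
    wtmp = parse_utmp(SAMPLE_WTMP)
    print("zapped wtmp records:", find_zapped(wtmp))
    print("wtmp rewritten since snapshot:", wtmp_rewritten(SAMPLE_UTMP, SAMPLE_WTMP))
    print("tty sessions missing from utmp:",
          sessions_not_in_utmp(parse_utmp(SAMPLE_UTMP), SAMPLE_PROCESSES))
```

On a real host you would feed parse_utmp the bytes of /var/log/wtmp (or wherever the defines at the top of z2.c point), keep an earlier copy of the file for the append-only comparison, and build the process list from ps. The blank-record check is the one that catches the wted/lled style of cleaning, since those tools leave the record in place with its fields zeroed rather than removing it; the prefix check catches the cp wtmp.tmp over the original.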
