Hacker Magic: using shell script to cover up the operation trace on Linux server

Time:2020-2-13

Using shell script to control, destroy or get anything on Linux server, hackers may gain great value through some ingenious attack methods, but most attacks also leave traces. Of course, these traces can also be hidden by shell scripts and other methods.

Looking for evidence of an attack starts with the traces left by the attacker, such as the date the file was modified. Every file in every Linux file system holds the modification date. When system administrators find out the latest modification time of files, they will prompt them that their system is under attack and take actions to lock the system. Fortunately, the modification time is not an absolutely reliable record. The modification time itself can be cheated or modified. By writing shell scripts, attackers can automate the process of backup and recovery of modification time.

Step 1: view and manipulate timestamps

Most Linux systems include tools that allow us to quickly view and modify timestamps, the most influential of which is touch, which allows us to create new files, update the time when files / filegroups were last touched.

touch file

If the file does not exist, running the above command will create a new file named “file”; if it already exists, the command will update the modification date to the current system time. We can also use a wildcard, such as the following string.

touch *

This command will update the timestamp for each file in the folder it runs. After creating and modifying the file, there are several ways to view its details, the first one being the “stat” command.

stat file

Hacker Magic: using shell script to cover up the operation trace on Linux server

Running stat returns information about the file, including access, modification, or update timestamps. For a batch of files, you can use the LS parameter to view the time stamp of each file. Use “- L” or “long” to list the file details, including the output time stamp.

ls –l

Hacker Magic: using shell script to cover up the operation trace on Linux server

Now you can set the current time stamp and view the set time stamp. You can also use touch to define a custom time stamp. You can use the “d” flag and yyyy MM DD format to define the date, followed by setting the hour, minute and second of the time, as follows:

touch -d"2001-01-01 20:00:00" file

Confirm the modification information through LS command:

ls -l file

Hacker Magic: using shell script to cover up the operation trace on Linux server

This method is suitable for modifying individual timestamps. It is not effective for hiding operation traces on the server. You can use shell scripts to automate the process.

Step 2: organize shell scripts

Before you start writing scripts, you need to think about what processes you need to perform. In order to hide traces on the server, the attacker needs to write the original timestamp of the folder to a file, and be able to return to the original file after we make any modification settings.

These two different functions will be triggered according to the user’s input or parameters. The script will perform the corresponding functions according to these parameters. At the same time, we need a method to handle the errors. There are three possible operations based on user input:

No parameters - return error message;

Save timestamps - save timestamps to a file;

Recovery timestamp mark -- the timestamp of the recovery file based on the save list.

We can use nested statement if / or statement to create script, or assign each function to its own “if” statement according to conditions, and choose to start writing script in text editor or nano.

Step 3: start script

Start nano from the command line and create a script named “timestamps. Sh”. The command is as follows:

nano timestamps.sh

Then make the following command:

#!/bin/bash
if [$# -eq 0];then
echo “Use asave (-s) or restore (-r) parameter.”
exit 1
fi

Hacker Magic: using shell script to cover up the operation trace on Linux server

Press Ctrl + O in the nano to save the file and mark it as a runnable script with the Chmod command.

chmod +x timestamps.sh

Then run the script to test the function of returning error information when there is no parameter. If the script returns our echo statement, we can proceed to the next condition.

./timestamps.sh

Hacker Magic: using shell script to cover up the operation trace on Linux server

Step 4: write the time stamp to the file

Define the condition of the if statement, “- s” means to perform the save function:

if [$1 ="-s"] ; then
fi

Of course, you need to check whether the timestamp file you plan to save exists. If it exists, we can delete it (the file named timestamps) to avoid repeated or incorrect input. Use the following command:

rm -f timestamps;

Then use the “LS” command to list all the files and their modification times, which can be output to another program, such as sed, to help us clean up the input later.

ls –l

Generally, the following display results will appear:

-rw-r--r-- 1 user user 0 Jan 1 2017 file

To save the time stamp, we only need the year, month, day and file name. The following command can clear the information before “Jan”:

ls -l file | sed 's/^.*Jan/Jan/p'

This display is the information needed by our program, only to modify the month format to the number format:

ls -l file | sed 's/^.*Jan/01/p'

Replace all months with numbers:

ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;'

Running in a folder, we will see the following results:

Hacker Magic: using shell script to cover up the operation trace on Linux server

Then send the output result to the file named timestamps through “>”:

do echo $x | ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;' >> timestamps

At this point, the first two operations of the script are completed, and the display results are as follows:

Hacker Magic: using shell script to cover up the operation trace on Linux server

The test script can be marked with “- s” below, and the saved information can be checked with cat:

./timestamps.sh –s
cat timestamps

Hacker Magic: using shell script to cover up the operation trace on Linux server

Step 5: restore the time stamp of the file

After the original time stamp is saved, you need to restore the time stamp to make others not aware that the file has been modified. You can use the following command:

if $1 = "-r" ; thenfi

Then use the following command to forward the content of the text file and run it line by line:

cat timestamps |while read linedodone

Then some variables are allocated to make the use of file data easier:

MONTH=$(echo $line | cut -f1 -d );
DAY=$(echo $line| cut -f2 -d );
FILENAME=$(echo $line | cut -f4 -d );
YEAR=$(echo $line | cut -f3 -d )

Although the four variables are consistent in the saved timestamp file, if the timestamp occurred in the past year, it will only show the time, not the year. If we need to determine the current year, we can assign it as the year of writing script, or return the year from the system, and use cal command to view the calendar.

Hacker Magic: using shell script to cover up the operation trace on Linux server

Then retrieve the first line so that only the desired year information is displayed:

CURRENTYEAR=$(cal | head -1 | cut -f6- -d | sed 's/ //g')

Hacker Magic: using shell script to cover up the operation trace on Linux server

After defining all variables, you can use the “if else” statement to update the time stamp of the file according to the formatted date, using the touch syntax:

touch -d "2001-01-01 20:00:00" file

Since each time contains a colon, you can use the following “if else” statement to complete the operation, as shown in the following figure:

if [ $YEAR == *:* ]; then
touch -d $CURRENTYEAR-$MONTH-$DAY $YEAR:00 $FILENAME;
else
touch -d ""$YEAR-$MONTH-$DAY"" $FILENAME;
fi

Hacker Magic: using shell script to cover up the operation trace on Linux server

Step 6: use script

The commands used are as follows:

. / timestamps.sh – s save file timestamps
Touch - D "2050-10-12 10:00:00" * modify all file timestamps in the directory
Ls – a confirm modified file
. / timestamps.sh – r recover file original timestamps

Finally, run “ls-a” again to check whether the time stamp of the file is consistent with that of the previous backup. The whole script is executed, as shown in the following figure:

Hacker Magic: using shell script to cover up the operation trace on Linux server

summary

This script is only used to clear some traces left after attacking the server. In order to hide traces, hackers must carefully consider every method used and how to hide their traces after invading the server when they carry out specific attacks against the server.

From the above introduction, we know that timestamps are also “liars”, so system administrators must realize that many of their logs and protection measures can be manipulated, although it seems that there is no exception.

From freebuf.com by jinglecats
Link: www.freebuf.com/articles/system/155579.html


Recommended reading

1. Summary of advantages and disadvantages of SQL server, MySQL and Oracle databases
2. Thoroughly understand various terminal types and concepts of Linux
3. Multiple uses of the ‘$’ symbol in shell scripts
4. Understanding the function of various brackets in shell
5. What are some tips for writing reliable shell scripts?
6. Shell programming | script parameters and interaction and common problems
7. How to understand “2 > & 1” in Linux shell?
8. Read and understand the access control of httpd service
9. Detailed explanation of httpd service deployment in Linux Environment
10, today, the official account number 1st anniversary!


Welcome to the official account:It tour of jergo

Hacker Magic: using shell script to cover up the operation trace on Linux server