Using shell script to control, destroy or get anything on Linux server, hackers may gain great value through some ingenious attack methods, but most attacks also leave traces. Of course, these traces can also be hidden by shell scripts and other methods.
Looking for evidence of an attack starts with the traces left by the attacker, such as the date the file was modified. Every file in every Linux file system holds the modification date. When system administrators find out the latest modification time of files, they will prompt them that their system is under attack and take actions to lock the system. Fortunately, the modification time is not an absolutely reliable record. The modification time itself can be cheated or modified. By writing shell scripts, attackers can automate the process of backup and recovery of modification time.
Step 1: view and manipulate timestamps
Most Linux systems include tools that allow us to quickly view and modify timestamps, the most influential of which is touch, which allows us to create new files, update the time when files / filegroups were last touched.
If the file does not exist, running the above command will create a new file named “file”; if it already exists, the command will update the modification date to the current system time. We can also use a wildcard, such as the following string.
This command will update the timestamp for each file in the folder it runs. After creating and modifying the file, there are several ways to view its details, the first one being the “stat” command.
Running stat returns information about the file, including access, modification, or update timestamps. For a batch of files, you can use the LS parameter to view the time stamp of each file. Use “- L” or “long” to list the file details, including the output time stamp.
Now you can set the current time stamp and view the set time stamp. You can also use touch to define a custom time stamp. You can use the “d” flag and yyyy MM DD format to define the date, followed by setting the hour, minute and second of the time, as follows:
touch -d"2001-01-01 20:00:00" file
Confirm the modification information through LS command:
ls -l file
This method is suitable for modifying individual timestamps. It is not effective for hiding operation traces on the server. You can use shell scripts to automate the process.
Step 2: organize shell scripts
Before you start writing scripts, you need to think about what processes you need to perform. In order to hide traces on the server, the attacker needs to write the original timestamp of the folder to a file, and be able to return to the original file after we make any modification settings.
These two different functions will be triggered according to the user’s input or parameters. The script will perform the corresponding functions according to these parameters. At the same time, we need a method to handle the errors. There are three possible operations based on user input:
No parameters - return error message; Save timestamps - save timestamps to a file; Recovery timestamp mark -- the timestamp of the recovery file based on the save list.
We can use nested statement if / or statement to create script, or assign each function to its own “if” statement according to conditions, and choose to start writing script in text editor or nano.
Step 3: start script
Start nano from the command line and create a script named “timestamps. Sh”. The command is as follows:
Then make the following command:
#!/bin/bash if [$# -eq 0];then echo “Use asave (-s) or restore (-r) parameter.” exit 1 fi
Press Ctrl + O in the nano to save the file and mark it as a runnable script with the Chmod command.
chmod +x timestamps.sh
Then run the script to test the function of returning error information when there is no parameter. If the script returns our echo statement, we can proceed to the next condition.
Step 4: write the time stamp to the file
Define the condition of the if statement, “- s” means to perform the save function:
if [$1 ="-s"] ; then fi
Of course, you need to check whether the timestamp file you plan to save exists. If it exists, we can delete it (the file named timestamps) to avoid repeated or incorrect input. Use the following command:
rm -f timestamps;
Then use the “LS” command to list all the files and their modification times, which can be output to another program, such as sed, to help us clean up the input later.
Generally, the following display results will appear:
-rw-r--r-- 1 user user 0 Jan 1 2017 file
To save the time stamp, we only need the year, month, day and file name. The following command can clear the information before “Jan”:
ls -l file | sed 's/^.*Jan/Jan/p'
This display is the information needed by our program, only to modify the month format to the number format:
ls -l file | sed 's/^.*Jan/01/p'
Replace all months with numbers:
ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;'
Running in a folder, we will see the following results:
Then send the output result to the file named timestamps through “>”:
do echo $x | ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;' >> timestamps
At this point, the first two operations of the script are completed, and the display results are as follows:
The test script can be marked with “- s” below, and the saved information can be checked with cat:
./timestamps.sh –s cat timestamps
Step 5: restore the time stamp of the file
After the original time stamp is saved, you need to restore the time stamp to make others not aware that the file has been modified. You can use the following command:
if $1 = "-r" ; thenfi
Then use the following command to forward the content of the text file and run it line by line:
cat timestamps |while read linedodone
Then some variables are allocated to make the use of file data easier:
MONTH=$(echo $line | cut -f1 -d ); DAY=$(echo $line| cut -f2 -d ); FILENAME=$(echo $line | cut -f4 -d ); YEAR=$(echo $line | cut -f3 -d )
Although the four variables are consistent in the saved timestamp file, if the timestamp occurred in the past year, it will only show the time, not the year. If we need to determine the current year, we can assign it as the year of writing script, or return the year from the system, and use cal command to view the calendar.
Then retrieve the first line so that only the desired year information is displayed:
CURRENTYEAR=$(cal | head -1 | cut -f6- -d | sed 's/ //g')
After defining all variables, you can use the “if else” statement to update the time stamp of the file according to the formatted date, using the touch syntax:
touch -d "2001-01-01 20:00:00" file
Since each time contains a colon, you can use the following “if else” statement to complete the operation, as shown in the following figure:
if [ $YEAR == *:* ]; then touch -d $CURRENTYEAR-$MONTH-$DAY $YEAR:00 $FILENAME; else touch -d ""$YEAR-$MONTH-$DAY"" $FILENAME; fi
Step 6: use script
The commands used are as follows:
. / timestamps.sh – s save file timestamps Touch - D "2050-10-12 10:00:00" * modify all file timestamps in the directory Ls – a confirm modified file . / timestamps.sh – r recover file original timestamps
Finally, run “ls-a” again to check whether the time stamp of the file is consistent with that of the previous backup. The whole script is executed, as shown in the following figure:
This script is only used to clear some traces left after attacking the server. In order to hide traces, hackers must carefully consider every method used and how to hide their traces after invading the server when they carry out specific attacks against the server.
From the above introduction, we know that timestamps are also “liars”, so system administrators must realize that many of their logs and protection measures can be manipulated, although it seems that there is no exception.
From freebuf.com by jinglecats
1. Summary of advantages and disadvantages of SQL server, MySQL and Oracle databases
2. Thoroughly understand various terminal types and concepts of Linux
3. Multiple uses of the ‘$’ symbol in shell scripts
4. Understanding the function of various brackets in shell
5. What are some tips for writing reliable shell scripts?
6. Shell programming | script parameters and interaction and common problems
7. How to understand “2 > & 1” in Linux shell?
8. Read and understand the access control of httpd service
9. Detailed explanation of httpd service deployment in Linux Environment
10, today, the official account number 1st anniversary!
Welcome to the official account:It tour of jergo