6.2.3. Trace cleaning

6.2.3.1. History Commands

• unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null;

• kill -9 $$ kill history

• history -c

• HISTSIZE=0 set in HISTSIZE=0

6.2.3.2. Clear/modify log files

• /var/log/btmp

• /var/log/lastlog

• /var/log/wtmp

• /var/log/utmp

• /var/log/secure

• /var/log/message

6.2.3.3. Login traces

• delete record ~/.ssh/known_hosts

• Modified file timestamp

  • touch –r

• delete temporary files from tmp directory

6.2.3.4. Operation traces

• vim does not record history commands :set history=0

• ssh login trace

  • Incognito login ssh -T user@host /bin/bash -i

6.2.3.5. Overwriting files

• shred

• dd

• wipe

6.2.3.6. Difficulties

• Attacks and intrusions are difficult to completely remove traces, and lack of logging is also a feature

• Even if local logs are deleted, there are still records in network devices, security devices, centralized log systems

• Remaining backdoors contain attacker information

• The proxy or springboard used may be reverse hacked

6.2.3.7. Notice

• Check if a user is online before operation

• Delete files using the disk overwrite function to delete

• Try to keep the same state as before the attack

6.2.3.8. Reference Links

• Linux Intrusion Trace Cleaning Tips