Thread: Log eraser python script

  1. #1
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    2

    Log eraser python script

    Hello everyone,
    I am working on a log eraser Python script, which will help erase specific entries in logs after the exploitation is done.
    I am primarily focusing on Linux targets now. Once it is done I will add Windows support to it, or maybe I will write a whole new script for Windows.

    So I am here to ask you: what features do you expect in a log eraser program?
    Which logs are the most important?

    I am sure that if more brains work on it, it will result in a good script.
    So come up with your expectations and ideas so that I can serve you in the best possible way.

    Regards,
    Godwin Austin

  2. #2
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Good idea for a script.

    How about just grabbing VMware and installing, say, Ubuntu on it. Write your script for the logs you find in there.
    Then take another distro like Fedora and see if the script works there too. If not, go and check how to make it work dynamically. Afterwards go for a third distro and try it there.
    Make it so that applications can be specified, like "clean ssh, ftp, www" or alike, and it will check the common places or even try to find the log setting in the conf files of the app.

  3. #3
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between these two: BackTrack is 4, FwdTrack4
    Posts
    854

    After clearing all the events there will be a last entry regarding who cleared those previous logs when you leave the machine after exploitation (forensic analysts and incident response teams look for it). Instead of clearing events I would say corrupt the event system, so no one would ever be able to recover the logs/alerts.

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Posts
    42

    Quote, originally posted by secure_it:
        Instead of clearing events I would say corrupt the event system, so no one would ever be able to recover the logs/alerts.
    If someone is looking to stay long, won't this act raise eyebrows if they might be exporting logs to monitoring devices?

    Any other alternative then?

  5. #5
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between these two: BackTrack is 4, FwdTrack4
    Posts
    854

    Leaving a footprint of the last deleted events is also not good. After 0wning the machines we can change the way it alerts monitoring systems, like SNMP traps, by seeking community strings or sending alerts to syslog; that is already covered in gaining and maintaining access. Covering tracks will cover how to erase logs/alerts/events of failure events (some configure it like this, to monitor only failed attempts). And yes, if the monitoring systems are perfect and well configured, they will come to know about the intrusion activity at the first attempt only. A simple example is an IPS working at the perimeter to detect intrusion attempts, which will block the connection at the initial stage.

  6. #6
    Junior Member
    Join Date
    Jan 2010
    Posts
    42

    Quote, originally posted by secure_it:
        After clearing all the events there will be a last entry regarding who cleared those previous logs when you leave the machine after exploitation.
    How would we check this entry?
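
An added example, not code from this thread or any of its posters, of the kind of check an incident responder runs on a collected log file when looking for the trace secure_it refers to: selective deletion or re-insertion of entries leaves the surviving lines with unexplained time gaps, out-of-order timestamps or truncated lines. The syslog sample is constructed; the gap threshold (`max_gap_s`) and the fixed year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: traditional syslog lines from a host whose 11:02-11:30
# entries were removed and one entry was written back out of sequence.
SAMPLE_LOG = """\
Mar  4 11:00:01 host sshd[2201]: Accepted password for alice from 10.0.0.5 port 51012 ssh2
Mar  4 11:00:09 host CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 11:31:42 host sshd[2301]: session closed for user alice
Mar  4 11:31:40 host sudo:    alice : TTY=pts/0 ; COMMAND=/bin/ls
Mar  4 11:45:00 host CRON[2330]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Traditional syslog timestamp: "Mar  4 11:00:01" (day is space-padded).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2010):
    """Return the line's timestamp as a datetime, or None if the line has no
    valid syslog prefix (truncated or overwritten lines show up this way).
    The traditional format carries no year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def find_anomalies(text, max_gap_s=1500):
    """Walk the log once and report (line_no, kind) for every line that is
    unparseable, earlier than its predecessor, or more than max_gap_s seconds
    after it. None of these prove tampering on their own, but each is a
    place an analyst compares against remote syslog or wtmp copies."""
    anomalies = []
    prev = None
    for no, line in enumerate(text.splitlines(), 1):
        ts = parse_ts(line)
        if ts is None:
            anomalies.append((no, "unparseable"))
            continue
        if prev is not None:
            delta = (ts - prev).total_seconds()
            if delta < 0:
                anomalies.append((no, "out_of_order"))
            elif delta > max_gap_s:
                anomalies.append((no, "gap"))
        prev = ts
    return anomalies


if __name__ == "__main__":
    for no, kind in find_anomalies(SAMPLE_LOG):
        print(f"line {no}: {kind}")
```

On the constructed sample this reports a gap at line 3 and an out-of-order entry at line 4; a copy of the same period shipped to a remote syslog collector is what settles whether the gap is real.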

  7. #7
    Junior Member
    Join Date
    Jul 2008
    Posts
    46

    Quote, originally posted by secure_it:
        After clearing all the events there will be a last entry regarding who cleared those previous logs when you leave the machine after exploitation (forensic analysts and incident response teams look for it). Instead of clearing events I would say corrupt the event system, so no one would ever be able to recover the logs/alerts.
    Isn't the objective to leave without a trace, and not to leave a broken system?

    As for a feature I would expect from a script: verbose information about what is being done would be helpful.

  8. #8
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote, originally posted by cgkades:
        Isn't the objective to leave without a trace, and not to leave a broken system?
    Depends on what you are trying to do.
    You might want to show what can be done by actually doing it.
