3 weeks ago
18 Views

How Hackers Cover Their Tracks on an Exploited Linux Server with Shell Scripting « Null Byte :: WonderHowTo

An attacker with shell access to a Linux server can manipulate, or perhaps even ruin, anything they have access to. While many more subtle attacks could provide significant value to a hacker, most attacks also leave traces. These traces, of course, can also be manipulated as well as avoided through methods such as shell scripting.

Finding evidence of an attack can start that has a trace left behind by an attacker like a file modification date. Every time a file will be created, modified, or in Unix terminology “touched,” This particular generally updates the modification time of a file. Every file within a Linux filesystem contains a modification date stored somewhere.

Don’t Miss: Scripting for the Aspiring Hacker, Part 1 (BASH Basics)

To a system administrator, files which suddenly display a recent modification time may notify them of an attack as well as prompt them to take action to lock down a system. Luckily for an attacker, modification times are not an infallible record. These modification times themselves can be spoofed or modified. One such way an attacker might automate the process of backing up as well as restoring modification times will be to write a shell script.

Step 1: Viewing & Manipulating Timestamps

Several tools included on most Linux systems allow us to very quickly view as well as modify file timestamps. The most relevant tool for affecting This particular property will be referred to as “touch.” Touch allows us to create a completely new file, or update the last time a file or group of files were “touched.”

touch file

Running the command above will create a completely new file named “file” if This particular does not already exist, as well as if This particular does exist This particular will update the modification date with the current system time. We can also use a wildcard, like inside string below.

touch *

This particular command will update the timestamp of every file inside folder in which This particular was run.

After creating or modifying our file, there are a couple of ways we can view This particular’s details. The first will be using the “stat” command.

stat file

Running stat returns some information about the file, including Access, Modify, as well as Change timestamps. For a batch of files, we can also view the timestamps of various files within a folder with parameters of ls. The command ls lists files, as well as the -l flag, or “long” option, also includes the timestamps of these files within its output.

ls -l

today in which we can set current timestamps as well as view those which have already been set, we can also use touch to define a custom timestamp. We can do This particular by using the “d” flag as well as defining a specific time in a YYYY-MM-DD format followed by a time in hours, minutes, as well as seconds.

touch -d “2001-01-01 20:00:00” file

We can confirm This particular was set by using ls.

ls -l file

While This particular will be useful in individual use cases, This particular would likely be very ineffective to use This particular technique to manually change different modification times on a server after editing the files. We can automate This particular process that has a shell script.

Step 2: Organizing the Shell Script

Before beginning the script, we should consider exactly what processes we need This particular to carry out. For the purposes of hiding tracks on a server, an attacker would likely need to be able to back up the original timestamps of a folder by writing them to a file, as well as to be able to restore them to the original files after we have modified them by whatever configuration alterations we create during the exploitation phase.

These two different functions could be triggered by different user inputs, or arguments. As our script will function based on these arguments, we’ll also want to have a way to handle errors. This particular leaves us that has a total of three potential courses of action depending on user input.

  • No Argument – Return Error Message
  • Save Timestamps Flag – Save timestamps to a file
  • Restore Timestamps Flag – Restore timestamps to files according to saved list

While we could use nested if/or statements to create This particular script, we could also assign each one of these functions to their own “if” statement based on the conditions. We can begin writing the script inside text editor of our choice, or perhaps by using nano.

Step 3: Beginning the Script

We can launch nano by the command line as well as create a script titled “timestamps.sh” with the command below.

nano timestamps.sh

First, let’s begin the script with #!/bin/bash in order to declare the shell script as a bash script, as well as then write our first if statement. We’ll begin with “if” as well as add a condition of [ $# -eq 0 ]. This particular condition indicates in which if there will be no argument whatsoever, the program should do what follows the “then.” inside example case, we return an error message to the user using “echo” as well as then exit the program as well as close the if loop with “fi.”

#!/bin/bash
if [ $# -eq 0 ]; then
echo “Use a save (-s) or restore (-r) parameter.”
exit 1
fi

After we save This particular file, by pressing Ctrl+O in nano, we should mark This particular as a script which can be run. We can do This particular with chmod.

chmod +x timestamps.sh

Next, we can run the script with no arguments in order to test the functionality of our error message.

./timestamps.sh

If the script returns our echo statement, we’re ready to move on to the next condition.

Step 4: Writing Timestamps to a File

We’ll begin by defining an if statement which will occur only if the user input matches the defined flag.

if [ $1 = “-s” ] ; then
fi

The first line defines the condition for the if statement as if the user input, $1, will be equal to “-s” then This particular should do the sequence of steps within the if statement. As stated in our error statement, the “-s” flag indicates in which the script will be run inside “save” function. We can today begin to write what This particular part of the script actually involves.

The first line should remove, or at least check the existence of, the file which we plan to save the timestamps to. While This particular could be avoided by using a unique filename, as well as much better by using a hidden file as prefaced that has a period inside filename, This particular’s still ideal to remove the file if This particular exists. This particular will avoid accidental overlap or incorrect inputs if the file previously had any sort of content within This particular.

rm -f timestamps;

This particular line will remove a file named “timestamps” if in which file exists. Next, we’ll want to use ls in order to begin generating a list of files as well as their modification times. We can run ls as well as pipe This particular’s output to another program, such as sed, to help us clean This particular input later.

ls -l

We’ll want to limit the output by ls to only what we need. When running ls -l, the output generally appears similar to the string below.

-rw-r–r– 1 user user 0 Jan 1 2017 file

For the purposes of saving timestamps, we only need the year, month, day, as well as filename. While we could attempt to remove everything before the three-letter month abbreviation based on the number of spaces or characters before This particular, we can be absolutely certain of where we choose to discard unnecessary information by looking for a specific string, such as a month. The string below will remove everything on a line before the occurrence of “Jan.”

ls -l file | sed ‘s/^.*Jan/Jan/p’

However, while we today have all of the information we need for our program, This particular’s not in a useable format. For using “touch” to set the modification times, the months should be in a format of numbers rather than three-letter abbreviations. We can modify This particular inline by changing the second string within the “sed” command below.

ls -l file | sed ‘s/^.*Jan/01/p’

Here, “Jan” will be replaced with “01” in addition to everything before This particular on the line being replaced. We can extend This particular system to all different possible months.

ls -l | sed -n ‘s/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;’

today, if run within a folder, our output should look similar to below.

This particular output will be useable for our script, so we can add This particular as well as send the input to a file with the “>>” redirection. In This particular case, output will be sent to a file named “timestamps.”

do echo $x | ls -l | sed -n ‘s/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;’ >> timestamps

today, the first two possible actions of the script should be completed, as well as This particular should look similar to the image below.

We can test the script by running This particular with the “-s” flag we have today defined.

./timestamps.sh -s

After running the script, we can check in which the information was saved using cat.

cat timestamps

If a list of times as well as filenames will be returned, we’re ready to move on to writing the final part of the script.

Step 5: Restoring Timestamps to Files

After saving the original timestamps of items within a directory, the post-exploitation function of the script will be to restore the timestamp backups to the files such in which nothing will be changed. The first step of defining This particular behavior will be to begin with an if statement for the completely new flag, as inside previous section.

if $1 = “-r” ; then
fi

In This particular case, the flag used will be “-r.” Next, we’ll want to read in our file of saved timestamps in a way where we can do an action for each line. We can forward the contents of the text file using cat, as well as use This particular input in a “while read” statement. This particular will be enclosed within the previous if statement.

cat timestamps | while read line
do
done

Anything we do following these lines will be run for each single line of the file independently. today we can assign some variables to make using the data within the file more simple.

MONTH=$(echo $line | cut -f1 -d );
DAY=$(echo $line | cut -f2 -d );
FILENAME=$(echo $line | cut -f4 -d );
YEAR=$(echo $line | cut -f3 -d )

These lines each use a “cut” statement based on the location of a given element of the string, specifically its reference point to the number of spaces separating them.

While these four variables are all relatively consistent inside way which they are formatted inside saved timestamps file, there will be some variation inside way which years as well as times are formatted. If a timestamp occurred within the past year, This particular prints the hour rather than the year.

As such, when we only have a time in hour as well as minutes, we’ll need to be able to determine the current year as well. While we could just assign This particular to the year in which we’re writing the script, we can also return This particular by the system.

One integrated Unix utility because of This particular purpose will be “cal,” or calendar. We can launch This particular by the command line.

cal

The current year will be shown inside first line of the program’s output. We can retrieve This particular as a variable with the line below.

CURRENTYEAR=$(cal | head -1 | cut -f6- -d | sed ‘s/ //g’)

We run cal, retrieve only the first line using head, cut This particular according to what we need using cut, as well as finally trim unwanted output using sed.

today in which all variables are defined, we can use an “if else” statement to update the timestamps on files according to the way the date will be formatted. We’ll use the same touch syntax with the “d” parameter as before.

touch -d “2001-01-01 20:00:00” file

Rather than before, however, each of these will be fulfilled by a variable rather than a defined setting. The first “if” statement will handle dates with times in hours as well as minutes. These times each contain a colon, so if the input includes a colon This particular will react accordingly.

if [ $YEAR == *:* ]; then
touch -d $CURRENTYEAR-$MONTH-$DAY $YEAR:00 $FILENAME;

If not, we can finish This particular with an else statement for the normal touch behavior as well as close the if statement.

else
touch -d “”$YEAR-$MONTH-$DAY”” $FILENAME;
fi

The code because of This particular section today should appear similar to the image below.

With the restoration function completed, the script will be today ready to use.

Step 6: Using the Script

Using the script will be as simple as using This particular with the appropriate flag. The command below saves file timestamps.

./timestamps.sh -s

We can run This particular first, as well as if we wish check the created timestamps file to confirm. After This particular, we can run a command like the one below in order to manipulate the timestamps for all files within a directory.

touch -d “2050-10-12 10:00:00” *

We can confirm in which these files were modified with ls.

ls -a

today in which they’ve been modified, we can restore them to our backed up type.

./timestamps.sh -r

Finally, we can confirm in which This particular process worked by running “ls -a” once more. If the timestamps today match those defined inside backup file, the script has worked successfully!

Timestamps Can Lie

This particular script considers just some of the many fragments as well as traces which will be left after an attack on a server. When considering how to hide one’s traces, hackers must consider every single way as well as point at which they had accessed or manipulated a server.

A clever attack treads carefully as well as keeps track of what has been modified, considering how to hide these tracks before they even touch a server. A system administrator must be aware both in which many of their logs as well as protective measures can be manipulated, as well as they must not always trust in which things are secure just because they look like they did previously.

Thanks for reading! If you have any questions, you can leave a comment below, or on Twitter at @tahkion.

Screenshots by Takhion/Null Byte
Cover image by Kin Lane

Leave a Comment

Your email address will not be published. Required fields are marked *

8 + twelve =