------------------------------------------------------------------------------

################################################
#                                              #
#           HOW TO COVER YOUR TRACKS           #
#                                              #
################################################

PART ONE : THEORY & BACKGROUND

I.    INTRODUCTION
II.   MENTAL
III.  BASICS
IV.   ADVANCED
V.    UNDER SUSPECT
VI.   CAUGHT
VII.  PROGRAMS
VIII. LAST WORDS
I. INTRODUCTION
----------------------------------------------------------------------

Please excuse my poor English - I'm German, so it's not my mother
language I'm writing in. Anyway, if your English is far better than
mine, don't think this text hasn't got anything to offer you.
On the contrary. Ignore the spelling errors and syntax - the contents
of this document are what's important ...

NOTE : This text is split into TWO parts.
The first one, this, teaches the background and theory.
The second just shows the basics in an easy step-by-step
procedure of what to type and what to avoid.
If you are too lazy to read this whole stuff here (sucker!)
then read that one. Its main targets are novice unix hackers.

If you think getting the newest exploits fast is the most important
thing you must think about and keep your eyes on - you are wrong.
How does the best exploit help you once the police have seized your
computer, all your accounts are closed and everything is monitored?
Not to mention the warrants etc.
No, the most important thing is not to get caught.
It is the FIRST thing every hacker should learn, because on many
occasions, especially if you make your first hacks at a site which
is security conscious because of many break-ins, your first hack can
be your last one (even if all that lies a year back, "they" may
come up with it!), or you are too lazy to change your habits
later in your career.
So read through these sections carefully!
Even a very skilled hacker can learn a bit or byte here.

So this is what you find here:

Section I    - you are reading me, the introduction
Section II   - the mental things and how to become paranoid
                 1. Motivation
                 2. Why you must become paranoid
                 3. How to become paranoid
                 4. Stay paranoid
Section III  - the basics you should know BEFORE you begin hacking
                 1. Preface
                 2. Secure Yourself
                 3. Your own account
                 4. The LOGs
                 5. Don't leave a trace
                 6. Things you should avoid
Section IV   - the advanced techniques you should take notice of
                 1. Preface
                 2. Prevent Tracing of any kind
                 3. Find and manipulate any log files
                 4. Check the syslog configuration and logfile
                 5. Check for installed security programs
                 6. Check the admins
                 7. How to "correct" checksum checking software
                 8. User Security Tricks
                 9. Miscellaneous
Section V    - what to do once you are under suspect
Section VI   - the dos and don'ts when you got caught
Section VII  - a short listing of the best programs for hiding
Section VIII - last words, the common bullshit writers wanna say

So read carefully and enlighten yourself.
II. MENTAL
----------------------------------------------------------------------

CONTENTS: 1. Motivation
          2. Why you must become paranoid
          3. How to become paranoid
          4. Stay paranoid

* 1. MOTIVATION *

The mental aspect is the key to being successful in anything.
It's the power to motivate yourself, to fight on if it hurts,
to be self-disciplined, paranoid and realistic, to calculate risks
correctly and to do stuff you don't like but which is important, even
if you'd rather go swimming now.
If you can't motivate yourself to program important tools, or to
wait for the crucial time to hit the target, then you'll never
get anywhere with your "hacks".
A successful and good hacker must meet these mental requirements.
It's like doing bodybuilding or a diet - you can learn it
if you really try.
EVEN THE BEST KNOWLEDGE WON'T HELP YOU UNTIL YOU ARE REALLY
CONCERNED TO DO THE PREVENTIONS AND ACTUALLY MAKE THEM !

* 2. WHY YOU MUST BECOME PARANOID *

It's right that normally being paranoid is not something which
makes your life happier.
However, if you aren't expecting the worst, anything can hit you and
throw you off balance. And you are risking very much with your doings.
In your normal life you don't need to worry much about cops, thieves
and the like. But if you are on the other side, remember that you make
other people's lives hard and bring them nightmares plus work - and
they want to stop you.
Even if you don't feel like you are committing a crime - you actually are.
Hacker witch-hunting pops up fast and gets everyone who might be involved.
It's the sad thing : YOU ARE GUILTY UNTIL PROVEN OTHERWISE !
Once you've got the stigma of being a hacker you'll never get rid of it.
Once you have an entry in your police record it's very hard to find a job.
Especially no software company, not even any computer related company, will
ever hire you; they will be afraid of your skills, and you will see
yourself being forced to emigrate or your life lost.
Once you fall down only a few can get up again.

Become paranoid!
Protect yourself!
Remember you have got everything to lose!
Never feel silly doing THAT extraordinary action against tracing!
Never bother if someone laughs at your paranoid doings!
Never be too lazy or tired to modify the logs!
A hacker must do his work 100% !

* 3. HOW TO BECOME PARANOID *

If you've read the part above and you think that's true, it's easy -
you've already become paranoid. But it must become a substantial
part of your life. If you made it to becoming a good hacker, always think
about whom to tell what, and that your phone calls and emails might be
monitored. Always reread the section above.
If the above didn't help you, then think about what happens if
you are caught. Would your girlfriend stay at your side? Even if
her father speaks a hard word? Do you want to see your parents cry?
Thrown out of your school/university/job?
Don't give this a chance to happen!
If even this is not enough to motivate you:
KEEP AWAY FROM HACKING!
You are a danger to the whole hacking society and your friends !

* 4. STAY PARANOID *

I hope you have learned now why it is important to become paranoid.
So stay paranoid. One mistake or lazy moment could suffice to ruin
your life or career.
Always remember the motivation to do it.
III. BASICS
----------------------------------------------------------------------

CONTENTS : 1. Preface
           2. Secure Yourself
           3. Your own account
           4. The LOGs
           5. Don't leave a trace
           6. Things you should avoid

* 1. PREFACE *

You should know this and practice it before you start your first hack.
These are the absolute basics; without them you are in trouble soon.
Even an experienced hacker can find a new hint/info in here.

* 2. SECURE YOURSELF *

What if a SysAdmin reads your email?
What if your phone calls are recorded by the police?
What if the police seize your computer with all your hacking data on it?
If you don't receive suspicious email, don't talk about hacking/phreaking
on the phone and haven't got sensitive/private files on your harddisk
then you don't need to worry. But then again you aren't a hacker.
Every hacker or phreaker must keep in touch with others and have
his data saved somewhere.

Encrypt all data which is sensitive!

Online harddisk crypters are very important and useful:
There are good harddisk crypters freely available on the internet which
behave fully transparently to your operating system; the packages
listed below are tested and were found to be a hacker's first choice:
- If you use MsDos get SFS v1.17 or SecureDrive 1.4b
- If you use Amiga get EnigmaII v1.5
- If you use Unix get CFS v1.33

File crypters: You can use any, but it should use one of the well known
and secure algorithms. NEVER use a crypting program which can be
exported, because their effective key lengths are reduced!
- Triple DES
- IDEA
- Blowfish (32 rounds)

Encrypt your emails!
- PGP v2.6.x is used most, so use it too.

Encrypt your phone calls if you want to discuss important things.
- Nautilus v1.5a is so far the best

Encrypt your terminal sessions when connected to a unix system.
Someone might be sniffing, or monitoring your phone line.
- SSH is so far the most secure
- DES-Login is fine too

Use strong passwords: non-guessable passwords which are not mentioned
in any dictionary. They should seem random but be easy to remember for
yourself. If the key length is allowed to be longer than 10 chars,
use that, and choose a sentence from a book, slightly modified.

Please encrypt phone numbers of hacker friends twice. And call them from
payphones/office phones/etc. only, if you don't encrypt the conversation.

The beginner only needs PGP, a file crypter and an online harddisk crypter.
If you are really deep into hacking remember to encrypt everything.

Make a backup of your data (Zip drive, other harddisk, CD, tape),
encrypted of course, and store it somewhere which doesn't belong to any
computer related guy or family member and isn't in your house.
So if a defect, fire or fed raid occurs you've got a backup of your data.

Keep written notes only as long as you really need them. Not longer.
Keeping them in an encrypted file or on an encrypted partition is much
more secure. Burn the papers once you don't need them anymore.
You can also write them down with a crypt algorithm which only you
know of, but don't tell others and don't use it too often or it can be
easily analyzed and broken.

Really hardcore or ultra paranoid hackers should also consider the
TEMPEST project. Cops, spies and hackers could monitor all your
doings. A well equipped man could have *anything* he wants :
Electronic pulse emanations can be caught from more than 100 meters
away and show your monitor screen to somebody else, a laser pointed at
your window can pick up private conversations, or the identifying
high-frequency signals of keyboard clicks ... the possibilities are endless.
Low-cost prevention can be done by electronic pulse jammers and
the like which are becoming available on the public market, but I don't
think this is secure enough to keep anyone dedicated away.

* 3. YOUR OWN ACCOUNT *

So let's talk about your own account. This is the real account you
got at your school/university/job/provider and which is associated with
your name. Never fail to follow these rules:

Never do any illegal or suspicious things with your real accounts!
Never even try to telnet to a hacked host!
Security mailing lists are okay to read with this account.
But *everything* which *seems* to have to do with hacking must be
either encrypted or deleted at once.
Never leave/save hacking/security tools on your account's harddisk.
If you can, use POP3 to connect to the mailserver and get+delete your
email (or do it another way if you are experienced enough using unix).
Never give out your real email if your real name is in your .plan file
and/or gecos field (remember the EXPN command of sendmail ...)
Give it only to guys whom you can trust and who are also security conscious,
because if they are caught you may follow (or if it's a fed, not a hacker).
Exchange emails with other hackers only if they are encrypted (PGP).
SysAdmins OFTEN snoop user directories and read others' email!
Or another hacker might hack your site and try to get your stuff!
Never use your account in a way which shows interest in hacking.
Interest in security is okay but nothing more.
* 4. THE LOGS *

There are 3 important log files:

WTMP    - every log on/off, with login/logout time plus tty and host
UTMP    - who is online at the moment
LASTLOG - where the logins came from

There exist others, but those will be discussed in the advanced section.
Every login via telnet, ftp, rlogin and on some systems rsh is written
to these logs. It is VERY important that you delete yourself from those
logfiles if you are hacking, because otherwise they
a) can see when exactly you did the hacking
b) from which site you came
c) how long you were online and can calculate the impact

NEVER DELETE THE LOGS! It's the easiest way to show the admin that
a hacker was on the machine. Get a good program to modify the logs.
ZAP (or ZAP2) is often mentioned as the best - but in fact it isn't.
All it does is overwrite the last login data of the user with zeros.
CERT already released simple programs which check for those zeroed
entries. So that's an easy way to reveal the hacker to the admin too.
He'll know someone hacked root access and then all your work was worthless.
Another important thing about zap is that it doesn't report if it can't
find the log files - so check the paths first before compiling!
Get either a program which CHANGES the data (like CLOAK2) or a really
good one which DELETES the entries (like CLEAR).

Normally you must be root to modify the logs (except on old distributions
which have got utmp and wtmp world-writable). But what if you didn't
make it to root - what can you do? Not very much :
Do an rlogin to the computer you are on, to add a new unsuspicious LASTLOG
entry which will be displayed to the owner when he logs on next time.
So he won't get suspicious if he sees "localhost".
Many unix distributions have got a bug in the login command. When you
execute it again after you have already logged on, it overwrites the
login-from field in the UTMP (which shows the host you are coming
from!) with your current tty.

Where are these log files located by default?
That depends on the unix distribution.

UTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log

On some old unix dists the lastlog data is written into $HOME/.lastlog
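The detection side of the zeroed-entry problem described above, as an added example that is neither the page's code nor CERT's: a scanner over a wtmp file that flags ZAP-style all-zero records, login records whose user field was wiped, and timestamps that cannot occur in an append-only file. It assumes the glibc/Linux `struct utmp` layout (384 bytes per record); the sample records are constructed.

```python
"""Scan a wtmp file for zeroed or otherwise inconsistent records.

Added example; assumes the glibc/Linux `struct utmp` record layout.
The sample records at the bottom are constructed, not captured.
"""
import struct

# glibc struct utmp, little-endian, no implicit padding:
#   ut_type(h) pad(h) ut_pid(i) ut_line(32s) ut_id(4s) ut_user(32s)
#   ut_host(256s) e_termination(h) e_exit(h) ut_session(i)
#   tv_sec(i) tv_usec(i) ut_addr_v6(4i) unused(20s)
UTMP_FMT = "<hhi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, 0, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0,
                       tv_sec, 0, 0, 0, 0, 0, b"")


def _cstr(field):
    """Decode a NUL-padded fixed-width C string field."""
    return field.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_wtmp(data):
    """Decode every whole record; a trailing partial record is skipped."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({"raw": raw, "type": f[0], "pid": f[2],
                        "line": _cstr(f[3]), "user": _cstr(f[5]),
                        "host": _cstr(f[6]), "tv_sec": f[10]})
    return records


def find_suspicious(data):
    """Return (record_index, reason) pairs; index -1 is a file-level issue."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append((-1, "length not a multiple of record size "
                             "(truncated or hand-edited)"))
    last_ts = 0
    for idx, rec in enumerate(parse_wtmp(data)):
        if rec["raw"] == b"\0" * UTMP_SIZE:
            # wtmp is append-only: the system never writes an all-zero
            # record, so one means an existing entry was overwritten.
            findings.append((idx, "record fully zeroed"))
            continue
        if rec["type"] == USER_PROCESS and not rec["user"]:
            findings.append((idx, "login record with empty user field"))
        if rec["tv_sec"] == 0:
            findings.append((idx, "timestamp zeroed"))
            continue
        if rec["tv_sec"] < last_ts:
            findings.append((idx, "timestamp earlier than previous record"))
        last_ts = max(last_ts, rec["tv_sec"])
    return findings


def scan_file(path):
    """Run the checks over a real wtmp file on disk."""
    with open(path, "rb") as fh:
        return find_suspicious(fh.read())


# Constructed sample: a normal login/logout pair, one zeroed record,
# one login whose user field was wiped, and one record whose timestamp
# precedes its predecessor (i.e. the file was rewritten, not appended).
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 501, "pts/0", "alice", "192.0.2.10", 1000),
    b"\0" * UTMP_SIZE,
    pack_record(USER_PROCESS, 502, "pts/1", "", "192.0.2.11", 1200),
    pack_record(DEAD_PROCESS, 501, "pts/0", "", "", 1300),
    pack_record(USER_PROCESS, 503, "pts/2", "carol", "192.0.2.12", 900),
])
# Only the untouched login/logout pair from the sample above.
CLEAN_WTMP = SAMPLE_WTMP[:UTMP_SIZE] + SAMPLE_WTMP[3 * UTMP_SIZE:4 * UTMP_SIZE]

if __name__ == "__main__":
    for idx, reason in find_suspicious(SAMPLE_WTMP):
        print(f"record {idx}: {reason}")
```

Other systems' utmp layouts (and utmpx) differ, so the format string is the one thing to adjust before pointing `scan_file` at a real file.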
* 5. DON'T LEAVE A TRACE *

I encountered many hackers who deleted themselves from the logs.
But they forgot to erase other things they left on the machines :

Files in /tmp and $HOME
Shell history - it should be a different shell than the one your current
login account uses.
Some shells leave a history file (depending on the environment
configuration) with all the commands typed. That's very bad for a hacker.
The best choice is to start a new shell as your first command after
logging in, and to check every time for a history file in your $HOME.

History files :
sh  : .sh_history
csh : .history
ksh : .sh_history
bash: .bash_history
zsh : .history

Backup files :
dead.letter, *.bak, *~

In other words: do an "ls -altr" before you leave!

Here are 4 csh commands which will delete the .history when you log
out, without any trace:

  mv .logout save.1
  echo rm .history>.logout
  echo rm .logout>>.logout
  echo mv save.1 .logout>>.logout

* 6. THINGS YOU SHOULD AVOID *

Don't crack passwords on any machine other than your own, and then
only on an encrypted partition. If you crack them on e.g. a university
machine and root sees your process and examines it, not only is your
hacking account history but also the site the password file is from,
and the university will keep all eyes open to watch out for you.
Download/grab the passwd data and crack it on a second computer or
in a background process. You don't need many cracked accounts, only a few.

If you run important programs like ypx, iss, satan or exploit
programs then rename them before executing, or use the small common
source to exchange the executed filename in the process list ... every
security conscious user (and of course admin) knows what's going on
if he sees 5 ypx programs running in the background ...
And of course, if possible, don't enter parameters on the command line
if the program supports an interactive mode, like telnet.
Type "telnet" and then "open target.host.com" ... which won't show
the target host in the process list as a parameter.

If you hacked a system - don't put a suid shell somewhere!
Better try to install some backdoors like ping, quota or login and
use fix to correct the atime and mtime of the file if you don't
have got another possibility.
IV. ADVANCED
----------------------------------------------------------------------

CONTENTS : 1. Preface
           2. Prevent Tracing of any kind
           3. Find and manipulate any log files
           4. Check the syslog configuration and logfile
           5. Check for installed security programs
           6. Check the admins
           7. How to "correct" checksum checking software
           8. User Security Tricks
           9. Miscellaneous

* 1. PREFACE *

Once you have installed your first sniffer and begin to hack worldwide,
then you should know and use these checks & techniques!
Use the tips presented here - otherwise your activity will be over soon.

* 2. PREVENT TRACING OF ANY KIND *

Sometimes your hacking will be noticed. That's not a real problem -
some of your sites will be down, but who cares, there are enough
out there to take over. The *very* dangerous thing is when they try
to trace you back to your origin - to deal with you - bust you!
This short chapter will tell you every possibility THEY have to trace
you and what possibilities YOU have to prevent that.

* Normally it should be *no* problem for the admin to identify the
  system the hacker is coming from, by either : checking the log entries
  if the hacker was really lame, taking a look at the output of the sniffer
  the hacker installed and is in too, any other audit software like
  loginlog, or even showing all established connections with "netstat"
  if the hacker is currently online - expect that they'll find out!
  That's why you *need* a gateway server.

* A gateway server in between - what is it?
  That's one of many, many servers you have accounts on, which are
  absolutely boring systems and on which you have got root access.
  You need the root access to alter the wtmp and lastlog files
  plus maybe some audit logs. Do nothing else on these machines!
  You should change the gateway servers on a regular basis, say
  every 1-2 weeks, and don't use them again for at least a month.
  With this behaviour it's unlikely that they will trace you back
  to your next point of origin : the hacking server.

* Your hacking server - basis of all activity
  From this server you begin hacking. Telnet (or better : remsh/rsh)
  to a gateway machine and then to the target.
  You again need root access to change the logs.
  You should change your hacking server every 2-4 weeks.

* Your bastion/dialup server.
  This is the critical point. Once they can trace you back to your
  dialup machine you are already fried. A call to the police, a line
  trace, and your computer hacking activity is history - and maybe
  the rest of your future too.
  You *don't* need root access on a bastion host. Since you only
  connect to it via modem there are no logs which must be changed.
  You should use a different account to log on to the system every day,
  and try to use those which are seldom used.
  Don't modify the system in any way!
  You should have got at least 2 bastion host systems you can dial up
  to, and switch between them every 1-2 months.
  Note: If you have got the possibility to dial up different systems
  every day (e.g. due to blueboxing) then do so. You don't need
  a hacking server then.

* Do bluebox/card your call or use an outdial or any other way.
  So even when they track back your bastion host, they can't
  trace you (easily) ...
  For blueboxing you must be cautious, because Germany and the phone
  companies in the USA do have surveillance systems to detect
  blueboxers ... AT&T traces fake credit card users etc.
  Using a system in between to transfer your call does on the one side
  make tracing more difficult - but also exposes you to the risk of being
  caught for using a pbx etc. It's up to you.
  Note too that in e.g. Denmark all - ALL - calling data is saved!
  Even 10 years after your call they can prove that *you* logged on to
  the dialup system which was used by a hacker ...

- Miscellaneous
  If you want to run satan, iss, ypx, nfs filehandle guessing etc.
  then use a special server for this. Don't use it to actually
  telnet/rlogin etc. to a target system, only use it for scanning.
  Connect to it as if it were a gateway server.
  Tools are out there which bind to a specific port and, when a
  connection is established to this port, automatically open
  a connection to another server; others just act like a shell on the
  system, so you do a "telnet" from this socket daemon too.
  With such a program running you won't be written into any log except
  firewall logs. There are numerous programs out there which do that
  stuff for you.
  If possible, the hacking server and/or the gateway machine should
  be located in a foreign country!
  Because if your break-in (attempt) was detected and your origin host
  identified, then most admins will tend to give up hunting after you.
  Even if the feds try to trace you through different countries it
  will delay them by at least 2-10 weeks ...

# Conclusion : If you hack other stuff than universities then
do it this way! Here is a small picture to help you ;-)

+-------+   ~---------------->   +-------------+        +-----------+
|+-----+|   >hopefully       >   |one of at    |        |one of many|
|| YOU ||-->>a trace-safe    >-->|least 3      |  -->   |hacking    |
|+-----+|   >dial possibility>   |bastion hosts|        |server     |
+-------+   ~---------------->   +-------------+        +-----------+
                                                              |
                                                              |
                                                              v
+-----------------+          +--------+                 +-----------+
|maybe additional  |          | the    |                 |one hacked |
|server from       |  ... <-- | main   |      <--        |server as  |
|internal network  |          | target |                 |gateway    |
+-----------------+          +--------+                 +-----------+
* 3. FIND AND MANIPULATE ANY LOG FILES *

It's important that you find all logfiles - even the hidden ones.
To find any kind of logfile there are two easy possibilities :

1) Find all open files.
   Since all logfiles must be written somewhere, get the cute program
   LSOF - LiSt Open Files - to see them ... check them ... and
   if necessary correct them.
2) Search for all files changed after your login.
   After your login do a "touch /tmp/check", then work on.
   Later just do a "find / -newer /tmp/check -print" and check
   whether any of those are audit files. see>check>correct.
   Note that not all versions of find support the -newer option.
   You can also do a "find / -ctime 0 -print" or "find / -cmin 0 -print"
   to find them.

Check all logfiles you find. Normally they are in /usr/adm, /var/adm or
/var/log.
If things are logged to @loghost then you are in trouble. You need
to hack the loghost machine to modify the logs there too ...
To manipulate the logs you can either do things like "grep -v",
or do a line count with wc and then cut off the last 10 lines with
"head -LineNumbersMinus10", or use an editor etc.
If the log/audit files are not text files but data records ... identify
the software which writes the logfiles. Then get the source code. Then
find the matching header file which defines the structure of the file.
Get zap, clear, cloak etc. and rewrite it with the header file to use
with this special kind of logfile (and it would be kind to publish your
new program to the hacker society to save others much work).
If accounting is installed then you can use the acct-cleaner from zhart,
also in this release - it works and is great!
A small gimmick if you must modify wtmp but can't compile a source and
no perl etc. is installed (worked on SCO but not on linux) :
Do a uuencode of wtmp. Run vi, scroll down to the end of the file, and
delete the last 4 (!) lines beginning with "M" ... then save+exit and
uudecode. Then the last 5 wtmp entries are deleted ;-)
If the system uses wtmpx and utmpx as well you are in trouble ...
I don't know any cleaner so far which can handle them.
Program one and make it available for the scene.

* 4. CHECK THE SYSLOG CONFIGURATION AND LOG *

Most programs use the syslog function to log anything they want.
It's important to check the configuration to see where syslog writes
which types of messages.
The config file is /etc/syslog.conf - and I won't tell you here what
the format is and what each entry means. Read the manpages about it.
Important for you are the kern.*, auth.* and authpriv.* types.
Look where they are written to: files can be modified. If forwarded
to other hosts you must hack those too. If messages are sent to a user,
tty and/or console you can do a small trick and generate false log
messages like "echo 17:04 12-05-85 kernel sendmail[243]: can't resolve
bla.bla.com > /dev/console" or whichever device you want to flood so
that the message you want to hide simply scrolls off the screen.
These log files are *very* important! Check them.

* 5. CHECK FOR INSTALLED SECURITY PROGRAMS *

On most security conscious sites there are security checkers run by
cron. The normal directory for the crontabs is /var/spool/cron/crontabs.
Check out all entries, especially the "root" file, and examine the files
they run. For just a fast investigation of the crontabs of root type
"crontab -l root".
Some of those security tools are most of the time also installed in the
admins' accounts. Some of them (small utils to check wtmp, and whether a
sniffer is installed) are in their ~/bin.
Read below to identify those admins and check their directories.
Internal checking software can be tiger, cops, spi, tripwire, l5,
binaudit, hobgoblin, s3 etc.
You must examine what they report and *if* they would report
something that would be a sign of your break-in.
If yes you can
  - update the data files of the checker (learn mode)
    so that it won't report that type anymore
  - reprogram/modify the software so that it doesn't report
    it anymore (I *love* fake cpm programs ;-)
  - if possible remove e.g. the backdoor you installed
    and try to do it in another way.

* 6. CHECK THE ADMINS *

It is important for you to check the sysops for the security counter-
measures they take - so first you need to know which normal accounts
they use.
You can check the .forward file of root and the alias entry of root.
Take a look into the sulog and note those people who did a successful
su to root. Grab the group file and examine the wheel and admin group
(and whatever other groups are in this file which are related to
administration). Also grep'ing the passwd file for "admin" will reveal
the administrators.
Now you should know who the 1-6 administrators on the machine are.
Change into their directories (use chid.c, changeid.c or similar to
become the user if root is not allowed to read every file) and check
their .history/.sh_history/.bash_history to see what commands they type
usually. Check their .profile/.login/.bash_profile files to see what
aliases are set and if auto-security checks or logging are done.
Examine their ~/bin directory! Most times compiled security checking
programs are put there! And of course take a look into each directory
they've got beside that (ls -alR ~/).
If you find any security related stuff, read 5.) for possibilities to
bypass those protections.
* 7. HOW TO "CORRECT" CHECKSUM CHECKING SOFTWARE *
Some admins really fear hackers and install software to detect changes
of their valuable binaries. If one binary is tampered with, next time
the admin does a binary check, it's detected.
So how can you a) find out if such binary checkers are installed
and b) modify them so you can plant your trojan horse?
Note that there are many binary checkers out there and it's really easy
to write one - takes only 15 minutes - and can be done with a small
script. So it's hard to find such software if it's installed.
Note that internal security checking software sometimes also supports such
checking. Here are some widely used ones :
SOFTWARE  : STANDARD PATH                          : BINARY FILENAMES
tripwire  : /usr/adm/tcheck, /usr/local/adm/tcheck : databases, tripwire
binaudit  : /usr/local/adm/audit                   : auditscan
hobgoblin : ~user/bin                              : hobgoblin
raudit    : ~user/bin                              : raudit.pl
l5        : compile directory                      : l5
But as you can see there are too many possibilities! The software or
database could even be on a normally unmounted disk or NFS exported
partition of another host. Or the checksum database is on a write
protected medium. There are too many possibilities. But normally you can
just do the fast check if the above packages are installed and if not
go on exchanging binaries. If you *don't* find them but it actually *is*
a very well secured site then you should NOT tamper with the binaries!
They sure have got them hidden very well.
But what do you do when you find that software installed and you can
modify it (e.g. not a write protected medium, or something that can
be bypassed - for example unmounting the disk and remounting writable)?
You've got 2 possibilities :
First you can just check the parameters of the software and run an
"update" on the modified binary. For example for tripwire that's
"tripwire -update /bin/target".
Second you can modify the file list of the binaries being checked -
removing the entry of the replaced one.
Note that you should also check if the database file itself is checked
too for changes! If yes - update/delete the entry as well.
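As an added, defender-side example (not part of the original text and not any of the tools listed above), here is the kind of small checksum script the paragraph says takes fifteen minutes to write, with the one detail that decides whether it is worth anything: the baseline's own digest is kept apart from the host, so an "update" of the database by whoever replaced a binary is itself caught. File names, paths and the JSON layout are this example's own assumptions.

```python
import hashlib
import json
import os
from typing import Dict, List, Tuple

Fingerprint = Dict[str, object]


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path: str) -> Fingerprint:
    """Content hash plus the inode metadata a swapped binary usually disturbs."""
    st = os.stat(path)
    return {"sha256": hash_file(path), "size": st.st_size,
            "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}


def build_database(paths: List[str]) -> Dict[str, Fingerprint]:
    """Baseline: taken once from a known-good state, ideally right after install."""
    return {p: fingerprint(p) for p in paths}


def save_database(db: Dict[str, Fingerprint], db_path: str) -> str:
    """Write the baseline and return its own SHA-256. Keep that digest (or the
    whole file) on read-only/offline media: a checker whose database is writable
    on the same host can be 'updated' by whoever replaced the binary."""
    blob = json.dumps(db, sort_keys=True, indent=1).encode()
    with open(db_path, "wb") as f:
        f.write(blob)
    return hashlib.sha256(blob).hexdigest()


def load_database(db_path: str, expected_sha256: str) -> Dict[str, Fingerprint]:
    """Refuse a baseline whose digest no longer matches the offline copy."""
    with open(db_path, "rb") as f:
        blob = f.read()
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError("integrity database does not match its recorded digest")
    return json.loads(blob)


def verify(db: Dict[str, Fingerprint]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry that no longer matches the baseline."""
    findings = []
    for path, recorded in db.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        current = fingerprint(path)
        changed = [k for k in recorded if current.get(k) != recorded[k]]
        if changed:
            findings.append((path, "changed: " + ", ".join(changed)))
    return findings


def demo() -> Dict[str, object]:
    """Constructed scenario in a temp dir (sample files, not a real system):
    a clean run, a 'replaced' binary, then a tampered baseline file."""
    import tempfile
    work = tempfile.mkdtemp()
    targets = [os.path.join(work, n) for n in ("ls", "w")]
    for p in targets:
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho real " + os.path.basename(p).encode() + b"\n")
    db_path = os.path.join(work, "baseline.json")
    digest = save_database(build_database(targets), db_path)
    clean = verify(load_database(db_path, digest))
    with open(targets[0], "ab") as f:          # simulate a trojaned ls
        f.write(b"# extra bytes\n")
    dirty = verify(load_database(db_path, digest))
    with open(db_path, "ab") as f:             # simulate editing the baseline
        f.write(b"\n")
    try:
        load_database(db_path, digest)
        db_tamper_detected = False
    except ValueError:
        db_tamper_detected = True
    return {"clean": clean, "dirty": dirty, "db_tamper_detected": db_tamper_detected}
```

In practice the baseline is taken from a fresh install, stored read-only or with its digest written down off-host, and the check is run from a known-good copy of the interpreter rather than from the audited machine's PATH.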
* 8. USER SECURITY TRICKS *
This is a rare thing and is only included for the sake of completeness.
Some users, namely admins and hackers, usually don't want their own
accounts to be used by someone else. That's why they sometimes put
some security features into their startup files.
So check all dotfiles (.profile, .cshrc, .login, .logout etc.) for
what commands they execute, what history logging and which search path
they set. If f.e. $HOME/bin comes before /bin in the search path you
should check the contents of this directory ... maybe there's a program
called "ls" or "w" installed which logs the execution time and after
that executes the real program.
Others check automatically the wtmp and lastlog files for zap usage,
manipulation of .rhosts, .Xauthority files, active sniffers etc.
Never mess with an account a unix wizard is using!
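A practitioner auditing an account for the trick described above (a $HOME/bin that precedes /bin and carries a look-alike "ls" or "w") would check the search path mechanically. This added example, not part of the original text, does that for a PATH string: it reports relative entries and every executable in a directory listed before the system directories that shares a name with a system binary. The fake directory tree in demo() and the SYSTEM_DIRS tuple are assumptions of this example.

```python
import os
from typing import Dict, List

# Assumed set of directories that hold the "real" binaries.
SYSTEM_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")


def _executables(directory: str) -> List[str]:
    """Names of regular executable files in a directory (empty if unreadable)."""
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    return [n for n in names
            if os.path.isfile(os.path.join(directory, n))
            and os.access(os.path.join(directory, n), os.X_OK)]


def audit_path(path_value: str, system_dirs=SYSTEM_DIRS) -> Dict[str, list]:
    """Two checks on a PATH string:
    - 'relative': entries like '.' or '' (current directory) that make the
      shell run whatever happens to sit in the working directory;
    - 'shadowed': (name, early_path, system_path) for executables in a
      directory listed *before* the first system dir that share a name with
      a system binary, i.e. the 'ls that logs and then runs the real ls'
      pattern described in the text."""
    entries = path_value.split(os.pathsep)
    relative = [e for e in entries if not os.path.isabs(e)]
    sys_positions = [i for i, e in enumerate(entries) if e in system_dirs]
    if not sys_positions:
        return {"relative": relative, "shadowed": []}
    first_sys = sys_positions[0]
    system_bins: Dict[str, str] = {}
    for d in entries[first_sys:]:
        if d in system_dirs:
            for n in _executables(d):
                system_bins.setdefault(n, os.path.join(d, n))
    shadowed = []
    for d in entries[:first_sys]:
        if not os.path.isabs(d):
            continue
        for n in sorted(_executables(d)):
            if n in system_bins:
                shadowed.append((n, os.path.join(d, n), system_bins[n]))
    return {"relative": relative, "shadowed": shadowed}


def demo() -> Dict[str, list]:
    """Constructed PATH with fake system and home bin dirs in a temp dir."""
    import tempfile
    work = tempfile.mkdtemp()
    sysbin = os.path.join(work, "usr", "bin")
    homebin = os.path.join(work, "home", "bin")
    for d, names in ((sysbin, ("ls", "w", "who")), (homebin, ("ls", "mytool"))):
        os.makedirs(d)
        for n in names:
            p = os.path.join(d, n)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, 0o755)
    report = audit_path(os.pathsep.join([homebin, ".", sysbin]),
                        system_dirs=(sysbin,))
    return {"relative": report["relative"],
            "shadowed": [name for name, _, _ in report["shadowed"]]}
```

On a live account the same function is run over the PATH that the dotfiles actually export (source them in a scratch shell and print $PATH), and each "shadowed" hit is compared byte for byte against the system binary it hides.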
* 9. MISCELLANEOUS *
Finally, before some last words about being under suspicion or caught,
here are some miscellaneous things which are worth taking notice of.
Old telnet clients do export the USER variable. An administrator who
knows that and modified the telnetd can get all user names with that
and so identify the account you are hacking from, once he notices you.
The new clients have been fixed - but a clever admin has got other
possibilities to identify the user : the UID, MAIL and HOME variables
are still exported and make identifying the account used by the
hacker easy. Before you do a telnet, change the USER, UID, MAIL and
HOME variables, maybe even the PWD variable if you are in the home
directory.
On HP-UX < v10 you can make hidden directories. I'm not talking about
. (dot) files or similar but a special flag. HP introduced it in v9, but
it was removed in version 10 (because it was only used by hackers ;-).
If you do a "chmod +H directory" it's invisible for "ls -al".
To see the hidden directories you need to add the -H switch to ls, e.g.
"ls -alH" to see everything.
Whenever you are in need to change the date of a file, remember that
you can use the "touch" command to set the atime and mtime.
You can set the ctime only by raw writes to the harddisk ...
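The asymmetry in the paragraph above (atime and mtime are settable with touch, ctime is not) is exactly what a defender can key on: after a backdated touch the inode's ctime sits well after its mtime. The following is an added example, not from the original text, of a timestamp-consistency check over a list of files; the temp-dir files and the 24-hour slack value are constructed for the illustration.

```python
import os
import time
from typing import Dict, List, Tuple


def mtime_ctime_gap(path: str) -> float:
    """Seconds by which ctime is later than mtime. touch/utime can rewrite
    atime and mtime freely, but the kernel stamps ctime with the current
    clock on every inode change, including the utime() call itself, so a
    backdated touch leaves ctime far ahead of mtime. (On Windows st_ctime is
    the creation time instead, so this check is Unix-only.)"""
    st = os.stat(path, follow_symlinks=False)
    return st.st_ctime - st.st_mtime


def scan(paths: List[str], slack: float = 24 * 3600) -> List[Tuple[str, float, str]]:
    """Return (path, gap, reason) for files whose mtime and ctime disagree by
    more than `slack` seconds. Caveat: package managers and tar preserve
    mtime, and a later chmod/chown/rename bumps ctime, so hits are triage
    leads to compare with install logs and package databases, not proof."""
    hits = []
    for p in paths:
        try:
            gap = mtime_ctime_gap(p)
        except OSError:
            continue
        if gap > slack:
            hits.append((p, gap, "mtime backdated relative to ctime"))
        elif gap < -slack:
            hits.append((p, gap, "mtime set into the future"))
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed files in a temp dir: one untouched, one with mtime pushed
    30 days back (what a backdating touch does), one pushed 30 days ahead."""
    import tempfile
    work = tempfile.mkdtemp()
    paths = {n: os.path.join(work, n) for n in ("honest", "backdated", "future")}
    for p in paths.values():
        with open(p, "w") as f:
            f.write("sample\n")
    now = time.time()
    os.utime(paths["backdated"], (now - 30 * 86400, now - 30 * 86400))
    os.utime(paths["future"], (now + 30 * 86400, now + 30 * 86400))
    hits = scan(list(paths.values()))
    return {"flagged": [os.path.basename(p) for p, _, _ in hits]}
```

Run over /bin, /usr/bin and the like, the hits are cross-checked against the package database's recorded mtimes; a system binary whose mtime matches the package but whose ctime is days newer was at least rewritten or re-permissioned after install and deserves a checksum comparison.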
If you install a sniffer and it's an important system, then make sure
that you either obfuscate the sniffer output (with an encryption
algorithm [and I'm not talking about rot13]) or let the sniffer send
all the captured data via icmp or udp to an external host under your
control. Why that? If the admin somehow finds the sniffer (cpm and
other software checking for sniffers) he can't identify in the
logfile what data was sniffed, so he can't warn hosts sniffed by you.
V. UNDER SUSPECT
----------------------------------------------------------------------
Once you are under suspicion (by either police and/or administrator) you
should take special actions so they won't get evidence on you.
NOTE : If the administrators think you are a hacker,
YOU ARE GUILTY UNTIL PROVEN INNOCENT
The laws mean nothing to the admins (sometimes I think the difference
between a hacker and an administrator is only that the computer belongs
to them). When they think you are a hacker you are guilty, without a
lawyer to speak for you. They'll monitor you, your mails, files, and,
if they are good enough, your keystrokes as well.
When the feds are involved, your phone line might be monitored too,
and a raid might come soon.
If you notice or fear that you are under suspicion then keep an absolutely
low profile! No offensive action which points to hacking should be done.
Best thing is to wait at least 1-2 months and do nothing.
Warn your friends not to send you any email; public, normal,
non-offensive mail is wonderful, but PGP encrypted emails will ring the
alarm bells of monitoring admins and feds. Cut down on everything,
write some texts or program tools for the scene and wait until things
have settled. Remember to encrypt all your sensitive data and remove
all papers with account data, phone numbers etc. That's the most
important stuff the feds are looking for when they raid you.
VI. CAUGHT
----------------------------------------------------------------------
Note that this small chapter covers only the ethics and basics and
hasn't got any references to current laws - because they are different
for every country.
Now we're talking about the stuff you should/shouldn't do once the feds
have visited you. There are two *very* important things you have to do :
1) GET A LAWYER IMMEDIATELY !
The lawyer should phone the judge and appeal against the search
warrant. This doesn't help much but may hinder them in their work.
The lawyer should tell you everything you need to know about what the
feds are allowed to do and what not.
The lawyer should write a letter to the district attorney and/or
police to request the computers back as fast as possible because
they are urgently needed to do business etc.
As you can see it is very useful to have a lawyer already
at hand instead of searching for one after the raid.
2) NEVER TALK TO THE COPS !
The feds can't promise you anything. If they tell you you'll get
away if you talk, don't trust them! Only the district attorney
has got the power to do this. The cops just want to get all
information possible. So if you tell them anything they'll have
got more information from and against you.
You should *always* refuse to give evidence - tell them that you
will only talk with them via your lawyer.
Then you should make a plan with your lawyer how to get you out of this
shit and reduce the damage.
But please keep in mind : don't betray your friends. Don't tell them
any secrets. Don't blow up the scene.
If you do, that's a boomerang : the guys & scene will be very angry
and take revenge, and those guys who'll be caught because of your
evidence will also talk ... and give the cops more information about
*your* crimes!
Note also that once you are caught you get blamed for everything which
happened on that site. If you (or your lawyer) can show them that they
haven't got evidence against you for all those cases they might
have trouble keeping up the picture of that "evil hacker" they'll try to
paint of you at court. If you can even prove that you couldn't
have done some of the crimes they accuse you of then your chances are even
better. When the judge sees that false accusations are made he'll suspect
that there could be more false ones and will become distrustful of
the badly prepared charges against you.
I often get asked if the feds/judge can force you to give up your
passwords for PGP, encrypted files and/or harddisks.
That's different for every country. Check out if they could force you
to open your locked safe.
If that's the case you should hide the fact that you are encrypting your
data! Talk with your lawyer about whether it's better for you to stand
against the order to give out the password - maybe they'd get evidence
which could get you into jail for many years.
(For German guys : THC-MAG #4 will have an article about the German
law, as far as it concerns hacking and phreaking - that article will
of course be checked by a lawyer to be correct. Note that #4 will only
discuss Germany and hence will be in the German language.
But non-Germans, keep ya head up, this will be the first and last German
only magazine release ;-)
VII. PROGRAMS
----------------------------------------------------------------------
Here is a small list of programs you should get and use (the best!).
DON'T email me where to get them from - ask around in the scene!
I only present here the best log modifiers (see III-4 and IV-3).
Other programs which are of interest are telnet redirectors (see IV-2)
but there are so many, and most compile only on 1-3 unix types so there's
no use making a list.
First a small glossary of terms :
Change    - Changes fields of the logfile to anything you want
Delete    - Deletes, cuts out the entries you want
Edit      - real Editor for the logfile
Overwrite - just Overwrites the entries with zero-value bytes.
            Don't use such software (f.e. zap) - it can be detected!
LOG MODIFIER
ah-1_0b.tar   Changes the entries of accounting information
clear.c       Deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c      Changes the entries in utmp, wtmp and lastlog
invisible.c   Overwrites utmp, wtmp and lastlog with predefined values, so
              it's better than zap. Watch out, there are numerous inv*.c !
marryv11.c    Edits utmp, wtmp, lastlog and accounting data - best!
wzap.c        Deletes entries in wtmp
wtmped.c      Deletes entries in wtmp
zap.c         Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!
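The glossary's warning that zero-overwriting cleaners are detectable is easy to make concrete. The following added example, which is not one of the programs listed and not from the original text, parses a wtmp image using the 64-bit Linux glibc record layout (an assumption stated in the code; other systems differ) and flags all-zero records and login records whose fields were blanked. The wtmp sample in demo() is constructed inline.

```python
import struct
from typing import Dict, List

# glibc `struct utmp` as laid out on 64-bit Linux (384 bytes). This layout is
# an assumption for the example; 32-bit builds and other Unix flavours differ,
# see utmp(5) and compare struct.calcsize with your system's record size.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid,
                       line.encode().ljust(32, b"\0"), b"\0" * 4,
                       user.encode().ljust(32, b"\0"), host.encode().ljust(256, b"\0"),
                       0, 0, 0, ts, 0, 0, 0, 0, 0, b"\0" * 20)


def parse_records(blob: bytes) -> List[Dict]:
    """Decode a wtmp image into dicts; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        raw = blob[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        recs.append({"index": off // UTMP_SIZE, "type": f[0], "pid": f[1],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace"),
                     "host": f[5].rstrip(b"\0").decode(errors="replace"),
                     "time": f[9], "zeroed": raw == b"\0" * UTMP_SIZE})
    return recs


def find_tampering(recs: List[Dict]) -> List[Dict]:
    """Flag what a zero-overwriting cleaner leaves behind. wtmp is append-only
    and every record written by login/init carries a type and a timestamp, so
    an all-zero record in the middle of the file is the trace the glossary
    warns about for zap-style tools; a login record with its tty or user
    blanked is the partial-overwrite variant. Apply this to wtmp only: in
    utmp, EMPTY slots are reused legitimately, and logout (DEAD_PROCESS)
    records normally carry no user name, so only their tty is checked."""
    findings = []
    for r in recs:
        if r["zeroed"]:
            findings.append({"index": r["index"], "reason": "all-zero record"})
        elif r["type"] == USER_PROCESS and not (r["line"] and r["user"]):
            findings.append({"index": r["index"], "reason": "login record with blank tty/user"})
        elif r["type"] == DEAD_PROCESS and not r["line"]:
            findings.append({"index": r["index"], "reason": "logout record with blank tty"})
    return findings


def demo() -> List[Dict]:
    """Constructed wtmp: boot, a login, a login zero-filled in place (index 2),
    a login with blanked fields (index 3) and a normal logout (index 4)."""
    blob = b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "", 800000000),
        pack_record(USER_PROCESS, 101, "ttyp0", "alice", "host.example", 800000100),
        b"\0" * UTMP_SIZE,                                     # was another login
        pack_record(USER_PROCESS, 102, "", "", "", 800000200),  # fields blanked
        pack_record(DEAD_PROCESS, 101, "ttyp0", "", "", 800003700),
    ])
    return find_tampering(parse_records(blob))
```

Hits are corroborated against sources a utmp cleaner does not touch, such as syslog auth messages and process accounting, which is why the text elsewhere treats those as separate problems.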
VIII. LAST WORDS
----------------------------------------------------------------------
Last fucking words:
Don't get caught, remember these tips and keep your ears dry.
If someone would like to correct some points, or would like to
add a comment, or needs more information on a topic or even thinks
something's missing - then drop me a note.
van Hauser
Type Bits/KeyID Date User ID
pub 1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
iIvvlA==
=nX2w
-----END PGP PUBLIC KEY BLOCK-----
------------------------------------------------------------------------------