How to hide your traces, chapter 1: theory

zhaozj, 2021-02-11

Contents: I. Overview  II. Mentality  III. Basic knowledge  IV. Advanced tips  V. Once you are suspected  VI. Once you are caught  VII. Useful programs  VIII. Last words

I. Overview

>> Translator Note: This article was written by the German hacker group "The Hacker's Choice" (THC). It is still quite instructive today; as the author says, "Even a very experienced hacker can learn something here." During translation I made some changes to the original text and added some of my own understanding; corrections are welcome.

Note: This article is in two parts. The first part gives background and theory. The second part walks through a concrete example step by step. If you are too lazy to read the whole thing, read the second part.

This is written mainly for Unix hacking newbies. If you think that getting the newest exploits as fast as possible is the most important thing, then I have to tell you: you are wrong.

>> Translator Note: "Exploits" could be translated as "vulnerability programs", but the translation always reads oddly to me, so I keep the original word. There are a few other places in the article where I do the same without marking them.

What use is the best exploit once the police have confiscated your computer, all your accounts have been cancelled and everything you do is monitored? I don't want to hear the objections. No, the most important thing is NOT TO GET CAUGHT! That is the first thing every hacker should understand, because in many cases, especially when your first hack is a break-in into a sensitive site, your first hack may also be your last. So read all chapters carefully! Even a very experienced hacker can learn something from them.

The sections are:

  I    - What you are reading now
  II   - Mentality
         1. Motivation
         2. Why you must be paranoid
         3. How to be paranoid
         4. Stay paranoid
  III  - Basic knowledge: what you should know before you start hacking
         1. Preface
         2. Your own security
         3. Your own account
         4. Log files
         5. Don't leave traces
         6. Things you should avoid
  IV   - Advanced tips
         1. Preface
         2. Prevent any tracking
         3. Find and process all log files
         4. Check the syslog configuration and log files
         5. Check the installed security programs
         6. Check the system administrators
         7. How to deal with checksum-checking software
         8. Watch out for some users' security traps (tricks?)
         9. Other things
  V    - Once you are suspected
  VI   - Once you are caught
  VII  - Some programs for hiding traces
  VIII - Last words

Read it carefully and use your brain.

II. Mentality

>> Translator Note: This section is mainly about establishing the right "hacking" attitude ;)

--------------------------------------------------------------------
Contents: 1. Motivation  2. Why you must be paranoid  3. How to be paranoid  4. Stay paranoid

>> Translator Note: "paranoid" literally means a sufferer of paranoia; here it is better understood as "extremely careful".

Let's begin.

* 1. Motivation *

Whatever you do, conviction is the key to success. It is your source of energy: it drives you to work, to discipline yourself, to be careful and paranoid, to face reality and estimate risks accurately, and to do the things you dislike but which are important (even when you would rather go swimming). If you can't motivate yourself to prepare the important tools and to wait for the right moment to attack the target, you will never be a real hacker. A successful and good hacker has to meet these requirements. It is like fitness and dieting: if you really try, you can succeed.

* 2. Why you must be paranoid *

Of course, paranoia won't make your life any happier. But if you never plan for the worst case, anything can knock you down and throw you off balance. What you are doing exposes you to a lot of risk. In your normal life you don't have to worry about the police or about thieves. But look at it from the other side: you have to know who you are causing trouble and nightmares, because they want to stop you, even though you don't consider it a crime. And when the police quickly arrest everyone who might be involved, you will discover a very sad thing: you are guilty unless you can prove that you did nothing! Once the label "hacker" has been stuck on you, you will never get rid of it. Once you have a criminal record it will be hard to find a job; in particular no software company, and nothing related to computers, will hire you, because they will be afraid of your skills. You may have to emigrate ... Once you fall, few people get up again. So be paranoid! Protect yourself! Remember that you have a lot to lose! Never think that extra anti-tracking work is stupid! Never let others laugh at you for being too careful! Never skip cleaning the log files because you are too lazy or too tired! A hacker must do his "work" 100%!

* 3. How to be paranoid *

If you have read the above and think it is right, then it is easy: you have already become paranoid. But this must become part of your life. It is part of your life when you always consider who is telling you what and why, and always consider that your phone and your e-mail may be monitored. If that doesn't help you, then think about what happens when you are arrested. Will your girlfriend still stand by you? Do you want to see your parents crying over you? Do you want to lose your job or your place at school? Don't give them the chance! And if even that doesn't wake you up: stay away from hacking!!! You are a danger to the whole hacker community and to your friends!

* 4. Stay paranoid *

I hope you now understand why you must be paranoid. So stay paranoid. A single mistake or a single moment of laziness can destroy your life and your career completely. Whatever you do, remember what your motivation is.

>> Translator Note: This part is meant to make you understand what you are doing and the situation you are in. If you don't want to read the headline "Young man arrested for major hacking ..." in the paper, then read more and think more. Remember that being the protagonist of that news item feels very different from reading about someone else. So: modesty and caution, not arrogance :-)

III. Basic knowledge
--------------------------------------------------------------------
Contents: 1. Preface  2. Your own security  3. Your own account  4. Log files  5. Don't leave traces  6. Things you should avoid

* 1. Preface *

Before you start your first hack you should know these things and practise them. They are very basic; if you don't know them, you will be in trouble soon. Even a very experienced hacker may pick up some new tricks.

* 2. Your own security *

Does the system administrator read your e-mail? Is your phone tapped by the police? Have the police seized every computer holding hacking data? If you don't receive suspicious e-mail, never talk about hacking/phreaking on the phone, and keep no sensitive or private data on your hard disk, then you don't have to worry about the scenarios above. But then you are not a hacker. Every hacker and phreaker keeps in touch with others and stores his data somewhere.

Encrypt all sensitive data!!! On-the-fly disk encryption programs are very important and useful: there are many good free disk encryption programs on the Internet. They are completely transparent to your operating system. The programs listed below are tested and well regarded among hackers.

Preferred tools:

- MS-DOS: SFS v1.17 or SecureDrive 1.4b
- Amiga: EnigmaII v1.5
- Unix: CFS v1.33

>> Translator Note: Under Win9x you can consider EMF, iProtect, ... for file encryption.

You can use any encryption software, but it should use a well-known, secure algorithm. Never use export versions of encryption programs: their effective key length has been shortened! Suitable algorithms:

- Triple DES
- IDEA
- Blowfish (32 rounds)

Encrypt your e-mail! PGP v2.6.x is a good tool. If you want to discuss important things, encrypt your phone calls: Nautilus v1.5a is the best so far.

When you connect to a Unix system from your terminal, someone may be sniffing the network or monitoring your phone line, so encrypt the connection:

- SSH is the safest
- DES-login is also good

>> Translator Note: Some software based on SSL can also be tried.

Use a strong password that is not in any dictionary. It should look random but be easy to remember. If the password can be longer than 10 characters, use more. You can take a sentence from a book and modify it slightly.

>> Translator Note: For example, using "eleet" hacker spelling, haxor = h4x0r, so a password could be "I'mh4x0r" (I am a hacker). It can probably only be found by brute force.

Encrypt the phone numbers of your hacker friends twice. If you don't encrypt them, call your friends from a public phone.

If you have been into hacking for a while, you should encrypt everything! Make backups of your data, encrypted of course, and keep them in a hidden place, preferably not at home. Then even if you lose your data through a mistake, a fire or a police search, you still have the backup. Only put things on paper when you really need them, and keep the paper somewhere secret or, better, keep the data in an encrypted partition. Once you don't need the paper any more, burn it. You can also use an encryption scheme that only you know, but don't tell anyone and don't use it often: it may be easy to analyse and break.

A really calm and careful hacker should also think about jamming. The police, spies and other hackers can monitor your every move. Someone with advanced equipment can get anything he wants: the electromagnetic emissions of a computer can be picked up from more than 100 metres away and used to display what is on your monitor, your private conversations can be listened to, and the high-frequency signals of your keystrokes can be identified ... so these possibilities always exist. The cheapest countermeasure is a transmitter that jams with electromagnetic pulses. If you don't want anyone to monitor you, I think even that is not enough ...

>> Translator Note: I don't know where we could buy such a thing; the shops here don't sell them ;-)

* 3. Your own account *

Let's talk about your own account. This is the account you got from your school, company or ISP; it is always tied to your real name, so when using it you must never break the following rules:

- Never use your real account for anything illegal or dubious!
- Never telnet from your real account to any hacked host! Of course you may subscribe to security mailing lists with this account, but anything related to hacking must be encrypted or destroyed immediately.
- Never store hacking or security tools under your real account.
- Use POP3 to download or delete your mail from the mail server (if you know Unix well, you can also issue the download/delete commands directly against the POP3 port).
- Never give your real e-mail address to people you don't trust; give it only to people you trust, and they should be security-conscious too, because if they are arrested you are next (and maybe they are police rather than hackers).
- When communicating with other hackers, always encrypt with PGP, because administrators often peek into user directories and even into other people's mail!! Other hackers may also hack your site and try to get your data.
- Never use your real account to show that you are interested in hacking. But don't go further than that.

>> Translator Note: For communicating with others you can get a free mailbox, preferably a foreign one such as Hotmail, and use it through a proxy. Your real mailbox should only be used for ordinary communication with friends, teachers, colleagues ...

* 4. Log files *

There are three important log files:

  WTMP    - records every login and logout: time, terminal, and the host the login came from
  UTMP    - records the users currently logged in
  LASTLOG - records where each user last logged in from

Of course there are other logs; they are discussed in "Advanced tips". Every login via telnet, ftp, rlogin or rsh is recorded in these files.
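The three files above are binary records, not text, which is why they are handled with special tools rather than an editor. As an added example (not from the article or from any of the tools it names), the following Python code parses records in the 384-byte glibc x86-64 `struct utmp` layout that Linux uses for wtmp/utmp, reconstructs login/logout pairs the way `last` does, and runs the kind of sanity check an administrator runs: it flags records that have been zero-filled (what zap leaves behind, discussed below) and timestamps that run backwards. The sample wtmp bytes, user names and hosts are constructed here; the layout is the Linux one and differs on other Unixes, which is why cleaners are system specific.

```python
import struct
from collections import namedtuple

# glibc x86-64 struct utmp (384 bytes): ut_type, pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit(2 shorts), ut_session,
# ut_tv(sec, usec), ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

Record = namedtuple("Record", "ut_type pid line id user host tv_sec")


def _cstr(b):
    """NUL-terminated fixed-width field -> str."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Split raw wtmp bytes into Record tuples (a trailing partial record is ignored)."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[3]),
                           _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs


def make_record(ut_type, pid, line, uid, user, host, tv_sec):
    """Build one raw record; used here only to construct the sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), uid.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def sessions(recs):
    """Pair each USER_PROCESS login with the DEAD_PROCESS on the same line, like last(1).
    Returns (user, line, host, login_time, logout_time_or_None)."""
    open_by_line, out = {}, []
    for r in recs:
        if r.ut_type == USER_PROCESS:
            open_by_line[r.line] = r
        elif r.ut_type == DEAD_PROCESS and r.line in open_by_line:
            lo = open_by_line.pop(r.line)
            out.append((lo.user, lo.line, lo.host, lo.tv_sec, r.tv_sec))
    for lo in open_by_line.values():          # still logged in
        out.append((lo.user, lo.line, lo.host, lo.tv_sec, None))
    return out


def audit(recs):
    """Sanity check of the kind CERT published: zero-filled slots and
    timestamps that go backwards are both signs that the file was edited."""
    findings, last_ts = [], 0
    for i, r in enumerate(recs):
        if r.ut_type == 0 and r.tv_sec == 0 and not r.user and not r.line:
            findings.append((i, "zero-filled record (zap-style cleaning)"))
            continue
        if r.tv_sec < last_ts:
            findings.append((i, "timestamp goes backwards"))
        last_ts = max(last_ts, r.tv_sec)
    return findings


# Constructed sample: boot, two logins, one logout, then a zapped entry.
SAMPLE = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "4.4.0", 1000000000),
    make_record(USER_PROCESS, 1201, "pts/0", "ts/0", "alice", "10.0.0.5", 1000000100),
    make_record(USER_PROCESS, 1350, "pts/1", "ts/1", "bob", "evil.example", 1000000200),
    make_record(DEAD_PROCESS, 1201, "pts/0", "ts/0", "", "", 1000000300),
    bytes(UTMP_SIZE),   # a zero-filled record: what zap leaves behind
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE)
    for s in sessions(recs):
        print(s)
    for idx, why in audit(recs):
        print(f"record {idx}: {why}")
```

Run against a real file with `parse_wtmp(open("/var/log/wtmp", "rb").read())`. A cleaner that removes the whole record and closes the gap, rather than zeroing it, leaves nothing for `audit` to see, which is the difference between zap and the "clear"-style tools discussed next.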
If you are hacking, you can delete yourself from these records. Otherwise they show: a) when you were there doing your hacking, b) which site you came from, and c) how long you were online, which is used to calculate the damage you caused. But never just delete these log files!!! That tells the administrator "Hey, there is a hacker on your machine!". Find a good program to modify these logs. zap (or zap2) is often considered the best, but it isn't: it merely zero-fills the user's last entry. CERT has published a simple program that checks for such zero-filled entries, so zap makes it easy to see that a hacker has been at work, and all your effort is wasted. Another drawback of zap is that it does not report when it cannot find the log file, so you must check the paths before compiling it! Use a program that changes the record contents (like cloak2.c) or one that really removes the records (like clear).

>> Translator Note: THC provides cleara.c and clearb.c, which are very easy-to-use cleaning tools. They clear utmp/utmpx and wtmp/wtmpx and fix lastlog so that the user still sees his own real last login (not yours). If you log in and the "last login" information is not yours, the account has probably been hacked already; of course, if you want to modify the logs, you don't have to correct the information even when it is right ;-)

Generally you must be root to modify the logs (some old systems are exceptions: they make utmp/wtmp world-writable). But what if you can't get root? Then rlogin to your own host, so that lastlog gets a new, unsuspicious entry: that is what is shown at the user's next login, and if he sees an innocuous "last login from" line he won't get suspicious.

>> Translator Note: It is a way, but if it were me, I would still get suspicious ;-)

The login command of many Unix systems has a bug: if you run login after you are already logged in, it overwrites the login-from field in utmp (which shows where you came from!) with your current terminal.

So where are these log files? That depends on the Unix version:

  UTMP:    /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
  WTMP:    /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
  LASTLOG: /usr/var/adm or /usr/adm or /var/adm or /var/log

Some old Unix versions write the lastlog data to $HOME/.lastlog.

* 5. Don't leave traces *

I have met many hackers who deleted themselves from the logs but forgot to delete other things they left on the machine: files in /tmp and in $HOME. Some shells keep a history file (depending on the environment settings) recording the commands you executed. That is really bad for a hacker. The best choice is to start a new shell right after login, and then find the history file in your $HOME:

  sh:   .sh_history
  csh:  .history
  ksh:  .sh_history
  bash: .bash_history
  zsh:  .history

>> Translator Note: The history file is one of my favourite files. From it you can see what root and the other users do, and therefore judge their level. If they only run "ls", "pwd", "cp" ... their level is not high and you need not worry too much. But if you find root running things like "find / -type f -perm -04000 -exec ls -al {} \;", "vi /var/adm/messages", "ps -aux (-elf)", "netstat -an" ... then you must be careful.

Also watch out for backup files: dead.letter, *.bak, *~. Before you leave, run "ls -altr" to see whether you have left anything behind. In csh you can type these four commands; they remove the history file when you leave, so no trace remains:

  mv .logout save.1
  echo rm .history > .logout
  echo rm .logout >> .logout
  echo mv save.1 .logout >> .logout

>> Translator Note: For bash there is a simpler way: run "HISTFILE=" to unset bash's history file, so that no .bash_history is left (more precisely, nothing is written to $HOME/.bash_history). Or simply run "kill -9 0" when leaving: it kills all the processes created since login, and bash never gets to write .bash_history.

* 6. Things you should avoid *

Don't crack passwords on a machine that is not yours. If you do it on someone else's machine (a university, say) and root notices your process and investigates, you lose not only your hacking account; you may also lose the passwd file, and the whole site will be closed to you. So crack the password file on your own machine after you have obtained it. You don't need to crack many accounts; a few are enough.

If you run attack/scanning programs such as ypx, ISS, SATAN or other exploit programs, rename them before running them, or modify the source so that they show a different name in the process list ...

>> Translator Note: This is not hard: in main() just overwrite the displayed name with whatever you like, e.g. argv[0] = "in.telnetd", argv[1] = "" ... (of course after the program has read its arguments from argv).

If a careful user or root sees five ypx programs running in the background, he will understand immediately what is going on. Also, if possible, don't pass parameters on the command line. If the program supports an interactive mode, like telnet, first type "telnet", then "o target.host.com"; this way the target hostname does not show up in the process table.

>> Translator Note: With ftp, it is best to do it like this:
>>   $ ftp -n
>>   ftp> o target.host
>>   blahblah ...  (connection information)
>>   blahblah ...  (ftp server version)
>>   ftp> user xxx
>>   ....

Once you have a system, do not put a suid shell anywhere! It is better to install a backdoor in some binary (ping, quota or login) and correct the file's atime and mtime with fix.

>> Translator Note: Leaving a suid shell around is very stupid; root finds it very easily.

IV. Advanced tips
--------------------------------------------------------------------
Contents: 1. Preface  2. Prevent any tracking  3. Find and process all log files  4. Check the syslog configuration and log files  5. Check the installed security programs  6. Check the system administrators  7. How to deal with checksum-checking software  8. Watch out for some users' security traps (tricks?)  9. Other things

* 1. Preface *

Once you have installed your first sniffer and started your hacking career, you should know and use these techniques. Please use them; otherwise your hacking trip will end.

* 2. Prevent any tracking *

Sometimes your hacking will be discovered. That is not a big problem in itself: some of the sites you hacked may be closed to you, but if they try to track you down (usually in order to catch you), it becomes dangerous! This section describes the ways they can try to track you and how you should deal with them.

How does anyone find out where a hacker came from? By checking the log records (if the hacker was really stupid); by looking at the output of a sniffer the hacker installed (his own connection may have been recorded there), or at other system accounting software (like loginlog etc.); even netstat shows all established network connections, so if the hacker is online, he is discovered. This is why you need a gateway server.

* The gateway server: it is one of "your"

many servers, one on which you already have root. You need root to clean the system's records, WTMP/LASTLOG/UTMP, and any other accounting software. Apart from that, do nothing else on this machine; it is only a relay station. Change the gateway server regularly, every 1-2 weeks, and then don't use the old one again for at least a month. That makes it hard to track back to your hacking server.

* The hacking server: the starting point of all activity. From these machines you telnet (or better: rlogin/rsh) to a gateway server and from there to the target machine. You need root here too, to modify the logs. Replace the hacking server every 2-4 weeks.

* Your bastion / dial-up host: this is the critical point. Once they can track the machine you dial into, you are in trouble: one call to the police, then a line trace, and your hacking is history, and maybe your future too. You don't need root on the bastion host; since you only come in via modem, there is nothing you must modify. Use several different accounts to dial in, preferably rarely used ones. You should have at least two bastion hosts you can dial into, and change them every 1-2 months.

>> Translator Note: I am not familiar with phreaking. I guess most hackers in this country have no way to escape the telecom bureau's tracing, so it is best not to use someone else's account, especially accounts that rarely go online: once the owner notices that his Internet bill has gone up, he will certainly ask the telecom bureau to trace it, and you will have a hard time. If you use the account of someone who is online a lot, he won't notice; he'll just think he spent too long online this month :-) (This is certainly not encouraging you to steal other people's accounts; that is theft. Why should someone else pay for your Internet use? Hackers' reputation has been ruined by the shameless things such "hackers" do. I would catch this kind of person myself! So I have no sympathy for such phreakers. If you have to, don't harm others and don't let the telecom bureau find you.) Enough said, let's return to the topic.

Note: If you can dial into a different system every day (for example via blue boxing), then you don't need the hacking servers.

* Using a blue box: even if they trace your bastion host, they can't (at least not easily) trace your phone. But be careful with blue boxing: the German and US telephone companies have special monitoring systems to catch blue-boxers ... Routing your call through an intermediate system makes tracing harder, but since you use a PBX or something similar, there is again a risk of being caught. That is up to you. Note that in Denmark all phone data is recorded! Even 10 years later they can still prove that you dialled into their systems ...

* Other: if you want to run SATAN, ISS, ypx, NFS file-handle guessing programs etc., use a dedicated server for it. Do not telnet/rlogin from that server to the target; use it only for scanning. Some programs can be bound to a port so that, when a connection is made to it, they automatically open a connection to a port on another server (some simulate a shell, from which you can "telnet" on to other machines). Using such a program you are not recorded (except by firewall logs). There are many programs that do this.

>> Translator Note: The ones I often use are datapipe.c and telbounc.c, which are very easy to use. They are like a proxy server, but without records :)

If possible, your hacking server or gateway server should be abroad! If your intrusion is discovered, most administrators give up tracing when you come from abroad, and even if the police want to track you across different countries, it takes them at least 2-10 weeks ...

# Below is a diagram of the hacking process; maybe it helps ;-)

  -----------     ------------------------     --------------     -----------
  |  your   | ->  | secure dial-in chain | ->  | bastion host | -> | hacking |
  | machine |     | (at least 3 hops)    |     |              |    | server  |
  -----------     ------------------------     --------------     -----------
                                                                        |
                                                                        v
  -------------------------          ---------------          -----------
  | host on the internal  |  <- ...  | target host |   <-     | gateway |
  | network               |          |             |          | server  |
  -------------------------          ---------------          -----------

* 3. Find and process all log files *

It is important to find ALL log files, even the hidden ones. There are two ways:

1) Find all open files. Since every log must be written somewhere, you can use the lsof (LiSt Open Files) program to check all open files, and modify them if necessary.

>> Translator Note: lsof is written by Vic Abell and reports the files opened by processes. The latest version can be found at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof. Amusingly, someone found a buffer overflow in lsof versions before 4.40 with which you can get root :-)

2) Find all files changed since you logged in. Run "touch /tmp/check" right after login, then do your work. Afterwards run "find / -newer /tmp/check -print" and check the files found. If there is an accounting file among them, modify it. Note that not every version of find supports the -newer parameter; you can also use "find / -ctime 0 -print" or "find / -cmin 0 -print".

>> Translator Note: I prefer "-exec ls -l {} \;" instead of -print, because it lists more detailed information. Note that this method is mainly aimed at accounting software that records the commands you run. Software that only logs login information has already written its record before you see the shell prompt, so this check won't find it.

Check all the log files you found. They are usually in /usr/adm, /var/adm, /var/log or /var/run. If they are logged to @loghost, you have a bit of a problem: you need to hack the loghost too in order to modify the logs ...

>> Translator Note: A machine used purely as a log host is usually comparatively hard to hack, because it often has almost all ports closed and only allows logins from the console. Against such a machine you can use a DoS attack to make it unresponsive and so lose its logging function (hacking it is often hard, but crashing it is relatively easy ;-). Of course the login records will still be saved.

To deal with the logs you can use "grep -v", or count with wc and then use "tail -10 log" to look at the last 10 lines, or use an editor, vi or emacs.

>> Translator Note: If you came from abc, you can run:
>>   grep -v "abc" logfile > logtemp; mv logtemp logfile
>> to remove all lines containing abc. If the log file is large you can also edit it with vim. Note that this only works on text files!!! Modifying a binary file this way will destroy its format!!! If the log file is binary, first find out which software produces it, then try to get that software's source, analyse the record structure, and modify the records yourself (or use a ready-made program such as zap, clear or cloak ...).

If Perl is installed on the system, you can use zhart-clener; it is very effective! If you have to modify WTMP but cannot compile source on the system and there is no Perl ... you can do this: first uuencode wtmp, then run vi, move to the last line, delete the 4 lines starting with "M" ... and save and exit. After uudecode the last 5 WTMP records have been deleted ;-) Note that this only works on SCO Unix; it does not work on Linux.

>> Translator Note: I haven't verified this, since I don't have an SCO server. If you want to try it, remember to back up WTMP first.

If the system uses WTMPX and UTMPX, you have a problem ... So far I don't know any cleaner program that handles them. You will have to write a program to do the job ...

* 4. Check the syslog configuration and log files *

Most programs use the syslog function to record everything they need. The syslog configuration is important. The configuration file is /etc/syslog.conf. I won't explain here what each field means; go and read the documentation. The important syslog types are kern.*, auth.* and authpriv.*. Look at where they are written: if they go to a file, check and modify that file; if they are forwarded to another host, you have to hack that host as well; and the messages may also be sent to a user, a tty or the console.
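Reading syslog.conf by hand is error-prone because one line can name several facilities, a facility can be excluded with `.none`, and `*` rules apply to everything. As an added example (not from the article), the following Python code parses the classic syslog.conf grammar (facility.priority selectors, `;`-separated, with file, `@host`, pipe, user-list and `*` actions) and answers the question this section asks for kern, auth and authpriv: which files, ttys, users and, above all, which remote hosts receive their messages. The sample configuration and the host name `loghost` are constructed; rsyslog's extended syntax is not handled.

```python
import re

# Classic syslog.conf grammar handled here:
#   selector[;selector...] <whitespace> action
#   selector = facility[,facility...].priority     (priority "none" excludes)
#   action   = /file | -/file | @host | @@host | |pipe | user[,user...] | *
SYSLOG_FACILITIES = ("kern", "auth", "authpriv")


def parse_syslog_conf(text):
    """Return [(selectors, action)] where selectors is a list of (facility, priority)."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):            # continuation line
            pending.append(line[:-1])
            continue
        pending.append(line)
        line, pending = " ".join(pending), []
        m = re.match(r"^(\S+)\s+(\S.*)$", line.strip())
        if not m:
            continue
        sel_text, action = m.groups()
        sels = []
        for sel in sel_text.split(";"):
            if "." not in sel:
                continue
            facs, prio = sel.rsplit(".", 1)
            # "=info" and "!info" modifiers are irrelevant for "where does it go"
            sels.extend((fac, prio.lstrip("=!")) for fac in facs.split(","))
        rules.append((sels, action.strip()))
    return rules


def classify(action):
    """Name the destination class of a syslog action."""
    if action.startswith("@"):
        return "remote:" + action.lstrip("@")
    if action.startswith("|"):
        return "pipe"
    if action == "*":
        return "all-logged-in-users"
    path = action.lstrip("-")               # "-/file" means unsynced file
    if path.startswith("/dev/"):
        return "tty:" + path
    if path.startswith("/"):
        return "file:" + path
    return "users:" + action


def where_do_they_go(text, facilities=SYSLOG_FACILITIES):
    """Map each facility of interest to the set of destinations receiving it.
    A '*' facility matches everything; an explicit 'facility.none' on the
    same line removes that facility from that line's action."""
    dests = {f: set() for f in facilities}
    for sels, action in parse_syslog_conf(text):
        for f in facilities:
            explicit_none = any(fac == f and prio == "none" for fac, prio in sels)
            matched = any(fac in ("*", f) and prio != "none" for fac, prio in sels)
            if matched and not explicit_none:
                dests[f].add(classify(action))
    return dests


def remote_copies(dests):
    """Facilities whose messages leave the machine: the case the text warns about."""
    return {f: sorted(d for d in ds if d.startswith("remote:"))
            for f, ds in dests.items() if any(d.startswith("remote:") for d in ds)}


# Constructed sample /etc/syslog.conf
SAMPLE_CONF = """\
# constructed sample
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
auth,authpriv.*                   @loghost
kern.*                            /dev/console
kern.crit                         root,operator
*.emerg                           *
"""

if __name__ == "__main__":
    d = where_do_they_go(SAMPLE_CONF)
    for fac, ds in d.items():
        print(fac, sorted(ds))
    print("leaves the host:", remote_copies(d))
```

On a real system call `where_do_they_go(open("/etc/syslog.conf").read())`. Any `remote:` entry means the local file is only a copy and the loghost has its own record; `tty:` and `users:` entries are the ones that cannot be edited after the fact because they were already displayed.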
You can also play a trick: generate a lot of fake messages, like

  echo "17:04 12-05-85 kernel sendmail[243]: can't resolve bla.bla.com" > /dev/console

(or whatever device you want to flood), so that they scroll past and hide the messages you triggered. These log files are very important! Check them!

* 5. Check the installed security programs *

Many security-conscious sites run security check programs from cron. The crontabs are usually in /var/spool/cron/crontabs. Check all the files there, especially the "root" file, and see which programs it runs. "crontab -l root" lets you quickly list root's crontab. These security tools are often installed in the administrator's ~/bin. They may be Tiger, COPS, SPI, Tripwire, L5, Binaudit, Hobgoblin, S3, etc. ... You must check what they report and see whether they report anything that reveals your intrusion. If so, you can:

- update the software's data files so that it no longer reports that kind of message;
- reprogram or patch the software so that it no longer generates the report;
- if possible, remove the backdoors or other programs you installed and try to finish your work without them.

* 6. Check the system administrators *

Find out which security measures the administrators have taken. For that you need to know which ordinary user accounts they use. Check root's .forward file and the aliases. Look at the sulog file and note which users successfully su to root. Check the wheel and admin groups (or any other administrator-related groups) in the group file. You can also search the passwd file for "admin"; maybe you find an administrator account. Now you should know who the administrators of this machine are. Go into their directories (if the system doesn't let root read all files, use chid.c or changeid.c to change your uid to that user's) and check their .history / .sh_history / .bash_history files to see what commands they usually run. Also check their .profile / .login / .bash_profile to see what aliases they set and whether they run automatic security checks or logging programs. Check their ~/bin directories! In most cases the compiled security programs are there! Of course, look at every directory (ls -alR ~/). If you find anything related to security, read section 5 again and try to get around their protection.

* 7. How to deal with checksum-checking software *

Some administrators are really afraid of hackers, so they install software that checks the binaries. If a binary is changed, the next time the administrator runs the check it is detected. So how do you find out whether such a program is installed, and how do you defeat it so that you can plant your trojans? Note that there are many binary checkers, and writing one is really easy (15 minutes); it can be done with a small script. So if such software is installed it may be hard to find. Note that some common security checkers also provide this kind of check. Here are some programs and where they live:

  Software   Standard path                              Binary / file names
  Tripwire   /usr/adm/tcheck, /usr/local/adm/tcheck     databases, tripwire
  Binaudit   /usr/local/adm/audit                       auditscan
  Hobgoblin  ~user/bin                                  hobgoblin
  Raudit     ~user/bin                                  raudit.pl
  L5         the directory it was compiled in           l5

Remember there are many possibilities! The software or its database may even be on an NFS partition that is not mounted, or on an NFS partition exported by another host. The checksum database may also be kept on write-protected media. Anything is possible! But in general, if you check for the software above and find nothing, you can change some binaries. If you don't find such software but know that this is a well-protected site, don't change anything! The checking software must be hidden somewhere. If you find the software and can modify it (i.e. it is not on read-only media, or you can get around that restriction, for example by unmounting and remounting), what do you do? You have two options. First, check the software's parameters and then run an "update" on the binary you changed; with Tripwire, for example, "tripwire -update /bin/target".
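Both options of this section, and the reason the database itself matters, are easiest to see on a checker of the "15 minutes" kind the text mentions. The following Python code is an added example, not code from the article or from any of the tools in the table: it builds a baseline of size, mode and SHA-256 for a constructed set of "binaries" in a temporary directory, detects a replaced `bin/ping`, then hides the change first by re-baselining that one file (the equivalent of `tripwire -update /bin/target`) and then by dropping it from the list of checked files. With the database writable both leave the check silent; a seal over the database under a key kept off the host (an assumption of this example, as is the key handling) still shows that the database was touched.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, paths):
    """Record size, permission bits and SHA-256 per file; this is the whole 'database'."""
    db = {}
    for rel in paths:
        full = os.path.join(root, rel)
        st = os.stat(full)
        db[rel] = {"size": st.st_size, "mode": st.st_mode & 0o7777,
                   "sha256": sha256_file(full)}
    return db


def check(root, db):
    """Compare the filesystem against the baseline. Returns (changed, missing)."""
    changed, missing = [], []
    for rel, want in db.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            missing.append(rel)
            continue
        st = os.stat(full)
        now = (st.st_size, st.st_mode & 0o7777, sha256_file(full))
        if now != (want["size"], want["mode"], want["sha256"]):
            changed.append(rel)
    return changed, missing


def update_entry(root, db, rel):
    """Option 1 from the text: re-baseline one file (like 'tripwire -update /bin/target')."""
    db[rel] = build_baseline(root, [rel])[rel]


def remove_entry(db, rel):
    """Option 2 from the text: drop the file from the list of checked files."""
    db.pop(rel, None)


def seal(db, key):
    """HMAC over the serialised database; the tag lives off-host or on read-only media."""
    blob = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_seal(db, key, tag):
    return hmac.compare_digest(seal(db, key), tag)


def demo():
    """Plant a 'backdoor', hide it both ways, and report what each check sees."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name, content in (("bin/ls", b"real ls"), ("bin/ping", b"real ping")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)                      # constructed stand-ins for binaries
    db = build_baseline(root, ["bin/ls", "bin/ping"])
    key = os.urandom(32)                          # assumed kept off the audited machine
    tag = seal(db, key)

    with open(os.path.join(root, "bin/ping"), "wb") as f:
        f.write(b"real ping + backdoor")          # the trojaned binary
    detected = check(root, db)[0]

    update_entry(root, db, "bin/ping")            # option 1: check now passes
    after_update = check(root, db)[0]
    remove_entry(db, "bin/ping")                  # option 2: also passes
    after_remove = check(root, db)[0]
    return {"detected": detected, "after_update": after_update,
            "after_remove": after_remove, "seal_ok": verify_seal(db, key, tag)}


if __name__ == "__main__":
    print(demo())
```

The seal is what the text is pointing at when it says to check whether the database file itself is checked: a checker whose database can be rewritten by the same root that rewrote the binary proves nothing, which is why real deployments keep the database or its signature on media the attacker cannot write.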

The second way is to edit the list of binaries to be checked and remove the name of the binary you changed. Note that you should also check whether the database file itself is on the list! If it is, update or remove that entry first.

* 8. Watch out for security traps set by individual users *

This is rare and is mentioned mainly for completeness. Some users (administrators, or hackers themselves) do not want others using their accounts, so they sometimes put small security measures into their startup files. Check every file whose name begins with "." (.profile, .cshrc, .login, .logout and so on), see what they execute, what they do, and how the search path is set up. If a directory such as $HOME/bin appears before /bin in the PATH, inspect the contents of that directory: it may contain an "ls" or "w" that first logs the time it was run and then executes the real program. There may also be programs that automatically check whether wtmp and lastlog have been zapped, examine .rhosts and .Xauthority, or test whether a sniffer is running... Don't use the account of a Unix expert!

* 9. Others *

Finally, before we get to being suspected and being caught, a few other points deserve attention. Old telnet clients export the USER environment variable. An administrator who knows this can modify telnetd so that it logs the user name of everyone who connects via telnet; once he has noticed you, he can easily learn from which account on the remote host you came in. Newer clients have fixed this, but a clever administrator can still use other information to identify the user: the UID, MAIL and HOME variables are still exported, and they reveal just as well which account the hacker is using. So before you telnet out, remember to change the USER, UID, MAIL and HOME variables, and if you are in your home directory, change PWD as well.

On HP-UX (versions before 10) you can create a hidden directory. I do not mean a directory whose name begins with ".", but one carrying a special flag. HP introduced this in version 9 and removed it again in version 10 (because only hackers were using it ;-). After "chmod +H directory" the directory no longer shows up in "ls -al"; to see it you must give ls the -H option, for example "ls -alH".

Whenever you need to change a file's dates, remember that "touch" can set atime and mtime. ctime can only be set by writing to the disk directly.

If you install a sniffer on an important system, encrypt its output, or have it send everything it captures over ICMP or UDP to an external host under your control. Why? Because then, even if the administrator discovers the sniffer (with CPM or another sniffer-detection program), he cannot tell what it captured and therefore cannot warn the hosts that were being sniffed.

V. When you are suspected ...
-----------------------------

Once you are under suspicion (by the police or by a system administrator) you must take special measures so that they cannot obtain evidence against you. Note: if a system administrator thinks you are a hacker, you are guilty until proven innocent! These administrators ignore the law (sometimes I think the only difference between a hacker and an administrator is that the computer belongs to the administrator). When they think you are a hacker you are guilty, and no lawyer will defend you. They will monitor you, your mail and your files, and even record your keystrokes (if they are able to). When the police are involved, your phone line may be tapped as well, and a search may follow. If you notice that you are under suspicion, keep a low profile! Do not attack anything! It is best to wait at least one or two months and do nothing at all. Warn your friends not to send you any mail, or only normal, harmless mail. If you suddenly start using PGP-encrypted mail, it will tell the police and the administrators watching you that you have noticed their monitoring. Stop hacking; write articles or programs instead until it has all blown over. Above all, encrypt your sensitive data and destroy every sheet of paper with account data, phone numbers and the like.
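Returning to the "touch" point in section 9: the following added example (mine, not the article's) shows both sides of it. backdate() is the intruder's "touch -t"; timestamps_rewound() and find_rewound() are the check an administrator can run, because the kernel moves ctime to the current time whenever the inode changes, touch included, so a file whose mtime lies well before its ctime has had its modification time set backwards. The function names and the 60-second slack are my assumptions; stat is assumed to accept either the GNU -c or the BSD -f format option. Plain chmod or chown also bumps ctime without touching mtime, which is the false-positive case such a check must live with.

```shell
#!/bin/sh
# Added example, not from the original article. Demonstrates that "touch"
# rewrites atime/mtime but leaves a fresh ctime behind, and how to look for
# files where that happened. Function names and the slack value are assumed.

# Seconds since the epoch for mtime / ctime: GNU stat first, BSD stat fallback.
mtime_of() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
ctime_of() { stat -c %Z "$1" 2>/dev/null || stat -f %c "$1"; }

# backdate FILE [[CC]YY]MMDDhhmm : the intruder's step, sets atime and mtime only.
backdate() { touch -t "$2" "$1"; }

# timestamps_rewound FILE [SLACK] : succeed if mtime is older than ctime by more
# than SLACK seconds (default 60), i.e. the modification time was set backwards
# (or the inode was changed later by chmod/chown, the known false positive).
timestamps_rewound() {
    m=$(mtime_of "$1"); c=$(ctime_of "$1"); slack=${2:-60}
    [ $((c - m)) -gt "$slack" ]
}

# find_rewound DIR : print every regular file under DIR whose timestamps were rewound.
find_rewound() {
    find "$1" -type f | while read -r f; do
        if timestamps_rewound "$f"; then echo "$f"; fi
    done
}

# Constructed demonstration: one freshly written file, one backdated to 1999.
demo() {
    dir=$(mktemp -d)
    echo "payload" > "$dir/rootkit.o"
    echo "notes" > "$dir/README"
    backdate "$dir/rootkit.o" 199901011200      # make it look years old
    echo "rootkit.o: mtime=$(mtime_of "$dir/rootkit.o") ctime=$(ctime_of "$dir/rootkit.o")"
    echo "files with rewound timestamps:"
    find_rewound "$dir"                         # lists only rootkit.o
    rm -rf "$dir"
}
demo
```

The ctime column of "ls -lc" is the same information in human-readable form; the point of the script is only that the comparison can be automated over a whole tree, which is what an administrator who read this section would do.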
When the police search your place, those are the first things they look for.

VI. When you are caught
-----------------------

Note that this small chapter covers only the ethics and basics and has no references to current laws, because they are different in every country. Now we talk about the things you should and should not do once the feds have visited you. There are two *very* important things you have to do:

1) GET A LAWYER IMMEDIATELY! The lawyer should phone the judge and appeal against the search warrant. This doesn't help much, but it may hinder them in their work. The lawyer should tell you everything you need to know about what the feds are allowed to do and what not. The lawyer should write a letter to the district attorney and/or the police requesting the computers back as fast as possible because they are urgently needed for business etc. As you can see, it is very useful to have a lawyer at hand already instead of searching for one after the raid.

2) NEVER TALK TO THE COPS! The feds can't promise that you'll get off; only the district attorney has the power to do that. The cops just want to get as much information as possible, so anything you tell them is more information from you and against you. You should *always* refuse to give evidence; tell them that you will only talk with them via your lawyer. Then make a plan with your lawyer on how to get you out of this mess and reduce the damage. But please keep in mind: DON'T betray your friends. Do not tell them any secrets. Do not blow up the scene. If you do, it's a boomerang: the guys and the scene will be very angry and take revenge, and those who get caught because of your evidence will also talk ... and give the cops more information about *your* crimes!

Note also that once you are caught you get blamed for everything that happened on that site. If you (or your lawyer) can show that they have no evidence against you for all those cases, they may have trouble keeping up the picture of the "evil hacker" they are trying to paint. If you can even prove that you could not have committed some of the crimes they accuse you of, your chances are better still. When the judge sees that false accusations are being made, he will suspect that there could be more of them and will become distrustful of the badly prepared charges against you.

I am often asked whether the feds or the judge can force you to give up your passwords for PGP, encrypted files and/or hard disks. That differs from country to country. Check whether they could force you to open a locked safe; if so, you should hide the fact that you are encrypting your data at all! Discuss with your lawyer whether it is better for you to refuse the order to hand over the password: maybe they would otherwise get evidence that could put you in jail for many years. (For German readers: THC-MAG #4 will have an article about German law as far as it concerns hacking and phreaking; that article will of course be checked by a lawyer for correctness. Note that #4 will only discuss Germany and hence will be in German. But non-Germans, keep your heads up, this will be the first and last German-only magazine release ;-)

>> Translator's note: This section describes what to do if you are arrested. Because our laws differ from those in the West, I have not translated it; those who are interested can read it themselves. The two main points are: 1. Get a lawyer to handle it for you. 2. Don't talk to the police. >>

Please credit the original source when reposting: https://www.9cbs.com/read-5830.html
