A cyber hacker’s toolkit: hiding

After a cyber attack, there will be traces of the activity in the system log files. These need to be removed to hide the attack.

After accessing your system, a hacker will try to remove evidence that they have been there. That evidence is found in the system log files that keep track of general activity and login attempts. Most web servers use the Linux operating system as it’s considered more stable and secure than other operating systems, so in this demonstration we will focus on removing logs in a Linux system.

Finding the log files

The log files are stored in the /var/log directory.

Inside this directory are the key log files we need to consider:

• /var/log/messages – general system activity
• /var/log/secure – authentication and authorisation privileges
• /var/log/lastlog – recent logins
• /var/log/faillog – failed logins

Why are these files so important?

These files keep track of what activity has happened in the system. In particular, the lastlog and faillog files can hold key evidence about who has logged in or tried to log in to the system, and include timestamps for the activity so you know when something has happened. A hacker has two options here: they can spend copious amounts of time looking for and deleting events related to the hack, or do it quickly by erasing all entries. Deleting all the entries is the usual approach.

What can you look for?

Because a hacker is likely to focus on these four files as a means to remove their footsteps after they have conducted the attack, you can monitor these files for abnormal behaviour. If you suspect an attack has occurred, you or your system administrator can analyse these files to see if they have been tampered with or wiped clean. The files being wiped clean is an indication that a hacker has been in your system.

Your task

Think about whether anyone in your organisation has the ability to check the key log files. Share your thoughts on how you could monitor these files.