A cyber hacker’s toolkit: hiding

After a cyber-attack, there will be traces of the activity in the system log files. These need to be removed to hide the attack.
© Deakin University

After accessing your system, a hacker will try to remove evidence that they have been there. That evidence is found in the system log files, which keep track of general activity and login attempts. Most web servers run the Linux operating system, as it is considered more stable and secure than other operating systems, so this demonstration focuses on how logs are removed from a Linux system.

Finding the log files

The log files are stored in the /var/log directory.

Screenshot of /var/log directory

Inside this directory are the key log files we need to consider:

  • /var/log/messages – general system activity
  • /var/log/secure – authentication and authorisation (privilege) events
  • /var/log/lastlog – recent logins
  • /var/log/faillog – failed logins

Why are these files so important?

These files keep track of what activity has happened in the system. In particular, the lastlog and faillog files can hold key evidence about who has logged in or tried to log in to the system, and they include timestamps so you know when something happened. A hacker has two options here: spend a great deal of time searching for and deleting only the events related to the attack, or do it quickly by erasing every entry. Deleting all the entries is the usual approach.

What can you look for?

Because a hacker is likely to focus on these four files to cover their tracks after conducting the attack, you can monitor these files for abnormal behaviour. If you suspect an attack has occurred, you or your system administrator can analyse these files to see whether they have been tampered with or wiped clean. Log files that have been wiped clean are a strong indication that a hacker has been in your system.
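The following is an added example, not part of the original Deakin University article: a small Python monitor that records a trusted baseline of the four key log files and later reports whether any of them has gone missing, been emptied, been cut down, been re-created, or had its earlier entries altered in place. It assumes the Red Hat-style file names used above (Debian and Ubuntu keep the equivalents in syslog and auth.log) and uses a constructed temporary directory with sample files in place of the real /var/log.

```python
import hashlib
import tempfile
from pathlib import Path

# The four files the article names (Red Hat-style layout; Debian/Ubuntu keep the
# equivalents in syslog and auth.log, and lastlog/faillog are binary databases).
KEY_LOGS = ["messages", "secure", "lastlog", "faillog"]

def snapshot(log_dir):
    """Record size, inode and SHA-256 of each key log as a trusted baseline."""
    state = {}
    for name in KEY_LOGS:
        p = Path(log_dir) / name
        if p.exists():
            state[name] = {"size": p.stat().st_size, "inode": p.stat().st_ino,
                           "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
    return state

def audit(log_dir, baseline):
    """Compare the live files with the baseline and return {name: finding}. Logs
    normally only grow by appending, so anything else deserves a closer look."""
    findings = {}
    for name, old in baseline.items():
        p = Path(log_dir) / name
        if not p.exists():
            findings[name] = "missing"
            continue
        st = p.stat()
        if st.st_size == 0 and old["size"] > 0:
            findings[name] = "wiped"
        elif st.st_ino != old["inode"]:
            findings[name] = "replaced"  # deleted and re-created as a new file
        elif st.st_size < old["size"]:
            findings[name] = "truncated"
        elif hashlib.sha256(p.read_bytes()[:old["size"]]).hexdigest() != old["sha256"]:
            findings[name] = "edited"  # entries present at baseline time were changed
    return findings

def demo():
    # Constructed scenario: fake log directory, baseline, then simulated tampering.
    with tempfile.TemporaryDirectory() as d:
        entry = b"constructed sample log entry\n"
        for name in KEY_LOGS:
            (Path(d) / name).write_bytes(entry * 10)
        base = snapshot(d)
        (Path(d) / "secure").write_bytes(b"")                  # emptied outright
        (Path(d) / "messages").write_bytes(entry * 3)          # selectively cut down
        (Path(d) / "lastlog").unlink()                         # deleted
        (Path(d) / "faillog").write_bytes(entry.upper() * 10)  # same size, bytes changed
        return audit(d, base)
```

In production the baseline would be stored somewhere the web server cannot overwrite, and the audit run from a separate host or a scheduled job; an empty or shrinking log is the signal to preserve the disk and start incident handling rather than to keep working on the box.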

Your task

Think about whether anyone in your organisation has the ability to check the key log files. Share your thoughts on how you could monitor these files.

This article is from the free online course Cyber Security for Small and Medium Enterprises: Identifying Threats and Preventing Attacks.
