A cyber hacker’s toolkit: hiding

After a cyber-attack, there will be traces of the activity in the system log files. These need to be removed to hide the attack.
© Deakin University

After accessing your system, a hacker will try to remove evidence that they have been there. That evidence is found in the system log files that keep track of general activity and login attempts. Most web servers use the Linux operating system as it’s considered more stable and secure than other operating systems, so in this demonstration we will focus on removing logs in a Linux system.

Finding the log files

The log files are stored in the /var/log directory.

Screenshot of /var/log directory

Inside this directory are the key log files we need to consider:

  • /var/log/messages – general system activity
  • /var/log/secure – authentication and authorisation privileges
  • /var/log/lastlog – recent logins
  • /var/log/faillog – failed logins

Why are these files so important?

These files keep track of what activity has happened in the system. In particular, the lastlog and faillog files can hold key evidence about who has logged in or tried to log in to the system, and include timestamps for the activity so you know when something has happened. A hacker has two options here: they can spend copious amounts of time looking for and deleting events related to the hack, or do it quickly by erasing all entries. Deleting all the entries is the usual approach.

What can you look for?

Because a hacker is likely to focus on these four files when covering their tracks after an attack, you can monitor these files for abnormal behaviour. If you suspect an attack has occurred, you or your system administrator can analyse these files to see whether they have been tampered with or wiped clean. A log file that has suddenly been emptied is a strong indication that a hacker has been in your system.
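One simple way to monitor the four files for the behaviour described above is to keep a baseline snapshot (size, inode and modification time) and compare it against a fresh snapshot. The script below is an added example, not part of the course material; the file list and the sample snapshots in its test are constructed, and the alert thresholds are assumptions a real deployment would tune to its log-rotation schedule.

```python
"""Flag Linux log files that look truncated, emptied or replaced.

Added example (not from the Deakin/FutureLearn course). Compares a saved
baseline of size/inode/mtime against the current state of each file.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The four files named in the article. Constructed list; a real monitor
# would also cover /var/log/wtmp, /var/log/btmp and the systemd journal.
KEY_LOGS = ["/var/log/messages", "/var/log/secure",
            "/var/log/lastlog", "/var/log/faillog"]


@dataclass(frozen=True)
class Snap:
    size: int    # bytes
    inode: int   # changes if the file is deleted and recreated
    mtime: float # seconds since epoch


def snapshot(paths: Iterable[str]) -> Dict[str, Snap]:
    """Record size, inode and mtime for every path that currently exists."""
    out: Dict[str, Snap] = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue  # absence is reported by detect_tampering
        out[p] = Snap(st.st_size, st.st_ino, st.st_mtime)
    return out


def detect_tampering(baseline: Dict[str, Snap],
                     current: Dict[str, Snap]) -> List[str]:
    """Return one finding per suspicious change; an empty list is clean.

    Note: log rotation (logrotate with copytruncate, or renaming files)
    produces the same signals, so compare findings with the rotation
    schedule before treating them as evidence of an intrusion.
    """
    findings: List[str] = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append(f"{path}: file removed")
            continue
        if new.inode != old.inode:
            findings.append(f"{path}: replaced (inode changed)")
        if new.size == 0 and old.size > 0:
            findings.append(f"{path}: wiped clean (now empty)")
        elif new.size < old.size:
            findings.append(f"{path}: truncated ({old.size} -> {new.size} bytes)")
        if new.mtime < old.mtime:
            findings.append(f"{path}: mtime moved backwards")
    return findings
```

In practice you would store `snapshot(KEY_LOGS)` somewhere the attacker cannot reach (a remote host or read-only media) and run `detect_tampering` from a scheduled job; shipping the logs off-host as they are written removes the incentive to wipe them at all.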

Your task

Think about whether anyone in your organisation has the ability to check the key log files. Share your thoughts on how you could monitor these files.

This article is from the free online course Cyber Security for Small and Medium Enterprises: Identifying Threats and Preventing Attacks.