logtamper version1.1
logtamper是一款*修改*linux日志的工具,在修改日志文件的同時,能夠保留被修改文件的時間信息(atime沒改,覺得沒必要)。
[root@localhost logtamper]# ./logtamper-static
Logtamper v 1.1 for linux
logtamper [-f utmp_filename] -h username hostname hide username connected from hostname
logtamper [-f wtmp_filename] -w username hostname erase username from hostname in wtmp file
logtamper [-f lastlog_filename] -m username hostname ttyname YYYY[:MM[:DD[:hh[:mm[:ss]]]]] modify lastlog info
-f 選項:用於指定要修改的文件的路徑的,是個可選項。由於不同系統的日志存放路徑不一樣,可以手工指定。
默認的日志存放地點是:
#define UTMPFILE "/var/run/utmp"
#define WTMPFILE "/var/log/wtmp"
#define LASTLOGFILE "/var/log/lastlog"
-h 選項: 有時候你和管理員同時在線,管理員w一下就能看到你了。使用-h選項用戶躲避管理員w查看,如下:
[root@localhost logtamper]# w
21:27:25 up 5 days, 13:48, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - Fri14 18:24m 0.33s 0.33s -bash
root pts/3 192.168.80.1 21:21 6:22 0.04s 0.04s -bash
root pts/2 192.168.80.1 21:06 0.00s 0.13s 0.00s w
root pts/4 192.168.80.1 21:21 5:52 0.03s 0.03s -bash
我們是從192.168.80.1機器連上來的,現在隱藏下:
[root@localhost logtamper]# ./logtamper-static -h root 192.168.80.1
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu <
[email protected] >
Seems you're invisible Now...Check it out!
[root@localhost logtamper]# w
21:27:46 up 5 days, 13:48, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - Fri14 18:24m 0.33s 0.33s -bash
[root@localhost logtamper]#
-w 選項:用於清除你的登錄日志,現在上的linux日志清除工具做的很粗燥啊,這個可以指定清除某些hostname過來的機器。
[root@localhost logtamper]# last
root tty1 Wed Oct 1 21:30 - 21:30 (00:00)
root pts/4 192.168.80.1 Wed Oct 1 21:21 still logged in
root pts/3 192.168.80.1 Wed Oct 1 21:21 still logged in
wtmp begins Wed Oct 1 06:01:46 2008
清除192.168.80.1的登錄日志:
[root@localhost logtamper]# ./logtamper-static -w root 192.168.80.1
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu <
[email protected] >
Aho,you are now invisible to last...Check it out!
[root@localhost logtamper]# last
root tty1 Wed Oct 1 21:30 - 21:30 (00:00)
wtmp begins Wed Oct 1 06:01:46 2008
[root@localhost logtamper]#
-m 選項:用於修改上次登錄地點,我們使用ssh登錄的時候可能會注意到這點
login as: root
Sent username "root"
[email protected] 's password:
Last login: Wed Oct 1 21:31:40 2008 from 192.168.80.45
[root@localhost ~]#
如果不修改lastlog的話,管理員下次登錄就會提示從我們的機器IP登錄。使用-m選項可以編輯這個選項:
[root@localhost logtamper]# ./logtamper-static -m root 1.2.3.4 tty10 2008:1:1:1:1:1
Logtamper v 1.1 for linux
Copyright (C) 2008 by xi4oyu <
[email protected] >
Aho, now you never come here before...Check it out!
[root@localhost logtamper]#