Linux

Command History

It's a good idea to audit the .bash_history file for any suspicious or malicious commands.

history -c # Clear current session history
history -w # Write the cleared history to the history file

vi ~/.bash_history # Manual cleanup
shred -zu ~/.bash_history # Shred (extreme)

Logs

Make sure to clean logs with sed or grep.

# Remove all lines containing your IP "192.168.1.100" from auth.log
sed -i '/192.168.1.100/d' /var/log/auth.log

# Remove all lines containing the username "www-data"
sed -i '/www-data/d' /var/log/syslog

/var/run/utmp, /var/log/wtmp, /var/log/btmp # Binary logs
/var/log/apache2/access.log # Webserver logs

Filesystem

Filesystem timestamps can be modified to camouflage changes.

# Set the access/modify time of a file to a specific date
touch -a -m -t 202301011200.00 /root/.ssh/authorized_keys

# Set it to match another file (e.g., make it look like it was always there)
touch -r /etc/passwd /root/.ssh/authorized_keys
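
From the responder's side, both touch commands above leave a trace: they rewrite atime and mtime, but the kernel stamps the inode change time (ctime) with the moment the change was made, and `touch -t` also leaves an mtime with a zero nanosecond part. The script below is an added example, not part of the original page, that checks files for both signs. It assumes GNU coreutils `stat`; the `SKEW` threshold, the function name and the finding labels are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original page): triage for back-dated files.
# Assumes GNU coreutils stat; SKEW and the finding labels are illustrative.
SKEW=${SKEW:-86400}  # flag when ctime is more than a day later than mtime

# Prints findings for one file. Exit status: 0 flagged, 1 clean, 2 stat error.
# The body is a subshell, so its variables stay local.
check_timestamps() (
    f=$1
    mtime=$(stat -c %Y -- "$f") || exit 2   # modify time, epoch seconds
    ctime=$(stat -c %Z -- "$f") || exit 2   # inode change time, epoch seconds
    human=$(stat -c %y -- "$f") || exit 2   # "2023-01-01 12:00:00.000000000 +0000"
    frac=${human#*.}; frac=${frac%% *}      # nanosecond part of mtime
    status=1

    # utimensat() (what touch uses) can set atime/mtime, but the kernel stamps
    # ctime with the current time when it does so.
    if [ $((ctime - mtime)) -gt "$SKEW" ]; then
        echo "$f: ctime-after-mtime by $((ctime - mtime))s"
        status=0
    fi
    # A whole-second mtime is what `touch -t` leaves behind; normal writes on
    # ext4/xfs/tmpfs carry a non-zero nanosecond part.
    if [ "$frac" = 000000000 ]; then
        echo "$f: zero-nanoseconds mtime"
        status=0
    fi
    exit "$status"
)

# Usage: sh check_ts.sh /root/.ssh/authorized_keys /etc/cron.d/*
for path in "$@"; do
    check_timestamps "$path" || true
done
```

A ctime later than mtime also occurs legitimately (chmod, chown, rename, archive extraction that preserves mtime), so treat a hit as a lead to correlate with other evidence. With `touch -r` the nanoseconds are copied from the reference file, so only the ctime check applies there.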
