
This document has been written in response to a request on how to read a hack log, which is a Linux file, for the members of HacKeRS ArEnA.


Hack log -- All of your typed commands are saved in a history file named .bash_history, and once the system has been compromised and databases dumped, that history serves as a log of how the hack went down. As such, they are often released with notes and comments after such an attack is performed! i.e. you will get caught if you hack a Linux server without knowing how to erase your traces!!!! :D Now these are some of the commands that will help you read hack logs more easily ---

Grep
$ grep [options] [pattern] [file]

Grep is a tool to search for strings in a file (and so much more). Let's say you just downloaded a huge password dump and you need to locate a specific account. Grep is your tool. You can also pipe and redirect output from one command into grep to narrow down the information you need. It then highlights the matching string on most distros. Perhaps you need to locate a specific Firefox process running; you could type:
$ ps -e
and sift through the possibly long list it returns, or you can:
$ ps -e | grep [string]

Notice the pipe operator | is placed between the commands in the order the data should travel.

Lsof
$ lsof [string]

Lsof lists open files. This might seem rather lackluster, until you remember that everything is considered a file in Linux. You can see open TCP ports by using:
$ lsof | grep TCP

Notice how useful grep and pipes are? This is also the same data you get from:
$ lsof -i

Heads and Tails
$ head [file]
$ tail [file]

These two commands allow us to view the first (head) and last (tail) ten lines of the specified file(s).

Here, we took the sqlmap.conf file and printed out the first and last ten lines. Often, when you've rooted a box, you know the order of certain log files and configs. It ends up being much faster to read the output with these commands than to open a file up in vim.

Cat
$ cat [options] [file]

Cat is short for concatenate and it will print out a file to standard output, your monitor in most cases. This is useful if you need to view the contents of a small file quickly on the screen.

Top
$ top

Top displays the running information of processes, uptime, and more. It's useful for seeing what's running when you're performing recon on a server.

While top is running, you can press the 'h' key to bring up a help screen with a list of commands. Some of the more useful ones are:
u [username] Display only the processes belonging to that user. Use + or blank to see all users.
k [pid] Kill the process with that pid.

Let's take an example from the 2009 Astalavista hack by AntiSec. After exploiting their Light Speed HTTP daemon to get into the Apache account, they used a local privilege escalation exploit to gain root access. This is pretty much the end of the machine. Once someone has escalated their privileges to root, they own the box. They can install rootkits, keyloggers, bots, deface the website, etc.

sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;

Basically, they did the following:
1. Deleted the local website, scripts and pages.
2. Deleted the temp, test and log directories.
3. Deleted the user folders.
4. Connected to the FTP backup site and deleted the backups.
5. Connected to the database and dropped all the website database tables.

They removed any existence of this website.
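As an added example (not part of the original post), here is the grep-and-pipe approach from above applied to a constructed log written in the style of the Astalavista session, so a recovered .bash_history can be summarised in seconds when you are triaging a compromised box. The log text and the function names (count_matches, triage_hack_log, dropped_databases) are constructed for this example.

```shell
#!/bin/sh
# Constructed sample log in the style of the Astalavista session above.
HACK_LOG='sh-3.2# rm -rf backup/
sh-3.2# rm -rf mysqldata/
sh-3.2# cd ~
sh-3.2# rm -rf /var/log/
sh-3.2# rm -rf /home/*
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database ideapool;
sh-3.2# ls -la'

# Count log lines matching a pattern (case-insensitive).
# $1 = log text, $2 = grep pattern. "|| true" keeps a zero count from
# being treated as an error (grep exits 1 when nothing matches).
count_matches() {
    printf '%s\n' "$1" | grep -ci -- "$2" || true
}

# Print one line per destructive category, the way you would read the
# order of events in a hack log: shell deletions, log wiping, FTP and DB.
triage_hack_log() {
    log="$1"
    printf 'rm -rf commands:       %s\n' "$(count_matches "$log" '^sh-[0-9.]*# *rm -rf')"
    printf 'log wiping (/var/log): %s\n' "$(count_matches "$log" 'rm -rf /var/log')"
    printf 'ftp deletions:         %s\n' "$(count_matches "$log" '^ftp> *mdelete')"
    printf 'databases dropped:     %s\n' "$(count_matches "$log" '^mysql> *drop database')"
}

# List the names of the dropped databases, one per line, by stripping the
# mysql prompt and the DROP DATABASE keywords from each matching line.
dropped_databases() {
    printf '%s\n' "$1" \
        | grep -i '^mysql> *drop database' \
        | sed -e 's/^mysql> *drop database *//' -e 's/;.*$//'
}

triage_hack_log "$HACK_LOG"
echo "dropped database names:"
dropped_databases "$HACK_LOG"
```

Pipe the real file in with `cat .bash_history` in place of the constructed text, and tighten the patterns to whatever prompt string the log you are reading actually uses.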

In Closing
Looking over the commands and the order they were completed in will help make sense of what hacking really is. Hollywood and the media do a great job of making it seem like it's a mere few clicks of a mouse, a bunch of scrolling text, and some nefarious-looking teenager saying "we're in". If you read over the hack logs, you might have noticed a lot of the work involved was actually on the databases
