Using shell scripts to control, damage or steal data from a Linux server, attackers can get a great deal done with a few clever techniques, but most attacks leave traces behind. Those traces can also be hidden, and a shell script is one way to do it.
Finding evidence of an attack starts with the traces the attacker leaves, such as the date a file was last modified. Every file on a Linux file system carries three timestamps: the last access time (atime), the last modification time (mtime) and the last inode change time (ctime). When an administrator notices a recent modification time on a file that should not have changed, it signals that the system may be under attack, and they take action to lock it down. The modification time, however, is not a reliable record: anyone with write access to the file can spoof or reset it. By writing a shell script, an attacker can automate backing up and restoring modification times. One caveat applies throughout: the ctime is set by the kernel whenever the inode changes, including when the other two timestamps are rewritten, and touch cannot set it, so a restored mtime that is older than the ctime is exactly what a forensic examiner looks for.
Steps
Step 1: View and manipulate the timestamp
Most Linux systems ship with tools for quickly viewing and changing timestamps. The most useful is touch, which creates new files and updates the time at which an existing file, or a group of files, was last "touched".
touch file
If the file does not exist, the command creates an empty file named "file"; if it already exists, it updates the access and modification times to the current system time. Wildcards work as well:
touch *
This updates the timestamps of every file in the directory it is run in. After creating or modifying a file there are several ways to view its details. The first is the stat command:
stat file
stat prints information about the file, including its access, modify and change timestamps. For a batch of files, use ls with the -l (long) flag, which lists the details of each file including its modification time:
ls -l
Now that the current timestamp can be set and viewed, touch can also set a custom one. The -d flag takes a date in yyyy-mm-dd format followed by the time as hours, minutes and seconds:
touch -d "2001-01-01 20:00:00" file
Confirm the change with ls:
ls -l file
This is fine for changing individual timestamps, but it does little to hide activity on a server: every file that was touched would need its own original value put back by hand. A shell script can automate that.
Step 2: Plan the shell script
Before writing the script, think about what it has to do. To hide traces on the server, the attacker needs to write the original timestamps of the files in a directory to a file, and to be able to put them back after making whatever changes are planned.
These two functions are selected by the user's argument; the script performs the matching action, and errors have to be handled too. Three outcomes depend on the input:
No parameter: return an error message;
Save flag (-s): save the timestamps to a file;
Restore flag (-r): restore each file's timestamp from the saved list.
The script can be built from nested if/else statements, or each function can get its own if statement with its own condition. Write it in any text editor, for example nano.
Step 3: Start the script
Start nano from the command line and create a script called timestamps.sh:
nano timestamps.sh
Then enter the following. With no arguments the script prints a usage message and exits with a non-zero status:
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Use a save (-s) or restore (-r) parameter."
    exit 1
fi
Press Ctrl+O in nano to save the file, then mark it executable with chmod:
chmod +x timestamps.sh
Run the script with no arguments to test the error path. If it prints the echo message, move on to the next condition.
./timestamps.sh
Step 4: Write the timestamps to a file
Define the condition of the next if statement; "-s" selects the save function:
if [ "$1" = "-s" ]; then
    # save commands go here
    :
fi
Before saving, check whether a timestamp file from an earlier run already exists. If it does, delete it (the file is named timestamps) so that stale or duplicate entries do not creep in:
rm -f timestamps
Then use ls to list all files with their modification times. Its output can be piped to another program, sed, to clean it up:
ls -l
The output normally looks like this:
-rw-r--r-- 1 user user 0 Jan 1 2017 file
To save the timestamp, only the month, day, year and file name are needed. The following command strips everything before "Jan" (the -n flag together with the p command prints only the lines where the substitution matched, and prints each once):
ls -l file | sed -n 's/^.*Jan/Jan/p'
That leaves the fields the script needs; the month still has to be turned into a number:
ls -l file | sed -n 's/^.*Jan/01/p'
Replace all twelve months with numbers:
ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;'
Run in a directory, this prints one line per file, for example "01 1 2017 file"; the "total" line that ls -l prints first matches no month and is dropped. Two caveats: the match is greedy, so a file name that itself contains a month abbreviation (January.txt, Marmalade) is parsed wrongly and may be printed twice, and the month names depend on the locale, so run LC_ALL=C ls -l if the system locale is not English.
Append the output to a file named timestamps with ">>":
ls -l | sed -n 's/^.*Jan/01/p;s/^.*Feb/02/p;s/^.*Mar/03/p;s/^.*Apr/04/p;s/^.*May/05/p;s/^.*Jun/06/p;s/^.*Jul/07/p;s/^.*Aug/08/p;s/^.*Sep/09/p;s/^.*Oct/10/p;s/^.*Nov/11/p;s/^.*Dec/12/p;' >> timestamps
With this, the first two actions of the script (the error on no arguments and the save) are in place. Test the -s option and inspect the saved data with cat:
./timestamps.sh -s
cat timestamps
Step 5: Restore the timestamps of the files
Once the original timestamps are saved and the work that changes them is done, they need to be put back so that nobody notices the files were modified. Add the restore branch:
if [ "$1" = "-r" ]; then
    # restore commands go here
    :
fi
Then feed the saved file through a loop that handles it line by line:
cat timestamps | while read line
do
    # per-line commands go here
    :
done
Assign the fields of each line to variables to make them easier to use. The delimiter for cut is a single space; ls -l pads single-digit days with an extra space, but the unquoted echo $line collapses runs of whitespace first, so cut sees exactly one space between fields:
MONTH=$(echo $line | cut -f1 -d ' ')
DAY=$(echo $line | cut -f2 -d ' ')
YEAR=$(echo $line | cut -f3 -d ' ')
FILENAME=$(echo $line | cut -f4 -d ' ')
These four fields are present on every saved line, but for files modified within roughly the last six months ls -l prints the time of day instead of the year, so the third field is then a time and the script must supply the year itself. It can be read off the header line of cal, but date returns it directly and reliably:
CURRENTYEAR=$(date +%Y)
This assumption is wrong for a file modified, say, last November when the script runs in February: ls -l still prints a time of day for it, and the restored date lands in the wrong year.
With the variables defined, an if/else statement updates the timestamp of the file using the same touch syntax as before:
touch -d "2001-01-01 20:00:00" file
Because a time of day contains a colon, test the third field for one. A plain [ ] test does no pattern matching, so use bash's [[ ]] (the script starts with #!/bin/bash), and quote the date string so that touch receives it as a single argument rather than creating a file named after the time:
if [[ "$YEAR" == *:* ]]; then
    touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR:00" "$FILENAME"
else
    touch -d "$YEAR-$MONTH-$DAY" "$FILENAME"
fi
Step 6: Use the script
The commands used are, in order:
./timestamps.sh -s (save the current file timestamps)
touch -d "2050-10-12 10:00:00" * (change the timestamps of every file in the directory)
ls -l (confirm that the files now show the new timestamp)
./timestamps.sh -r (restore the original timestamps)
Finally, run ls -l again and check that each file's timestamp matches the one saved earlier.
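The complete tool that Steps 3 to 6 build up, written out here as an added example; it is not the article's own script. It assumes GNU coreutils (stat -c and touch -d @EPOCH) and goes beyond the ls/sed parsing above: it records atime and mtime in epoch seconds, so there is no month-name or missing-year problem, and it adds a -c check that does what a defender would do, compare the mtime against the ctime, which touch cannot set. The stamp file format ("ATIME MTIME PATH" per line) and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the article's script. Assumes GNU coreutils (stat -c,
# touch -d @EPOCH). Saves and restores atime and mtime of the regular files
# in a directory. Stamp file format (chosen here): "ATIME MTIME PATH" per line.

usage() {
    echo "Usage: $0 -s [DIR] [STAMPFILE] | -r [STAMPFILE] | -c FILE" >&2
}

# save_timestamps DIR STAMPFILE: one line per regular file, epoch seconds.
save_timestamps() {
    dir="$1"
    out="$2"
    : > "$out"                        # truncate any earlier stamp file
    for f in "$dir"/*; do
        [ -f "$f" ] || continue       # skip directories, sockets, etc.
        [ "$f" = "$out" ] && continue # do not record the stamp file itself
        # %X access time, %Y modification time (epoch seconds), %n path
        stat -c '%X %Y %n' -- "$f" >> "$out"
    done
}

# restore_timestamps STAMPFILE: put atime and mtime back, file by file.
# Paths may contain inner spaces (the path is the rest of the line); names
# with leading/trailing spaces or newlines are not handled.
restore_timestamps() {
    while read -r atime mtime name; do
        [ -e "$name" ] || continue
        touch -a -d "@$atime" -- "$name"
        touch -m -d "@$mtime" -- "$name"
    done < "$1"
}

# tampered_mtime FILE: succeed (0) when the inode change time is later than
# the modification time. touch cannot set ctime, so a restored mtime always
# leaves ctime > mtime. chmod, chown and rename bump ctime as well, so treat
# a hit as a lead to examine, not as proof of tampering.
tampered_mtime() {
    ctime=$(stat -c %Z -- "$1")
    mtime=$(stat -c %Y -- "$1")
    [ "$ctime" -gt "$mtime" ]
}

main() {
    case "$1" in
        -s) save_timestamps "${2:-.}" "${3:-timestamps}" ;;
        -r) restore_timestamps "${2:-timestamps}" ;;
        -c) tampered_mtime "$2" && echo "$2: ctime later than mtime" ;;
        *)  usage; return 1 ;;
    esac
}

# Dispatch when arguments are given; with none, print the usage message.
if [ $# -eq 0 ]; then
    usage
else
    main "$@"
fi
```

Usage follows the article's flow: `./timestamps.sh -s` before the work, `./timestamps.sh -r` afterwards, and `./timestamps.sh -c FILE` to see the trace that survives, since even a perfectly restored mtime is now older than the ctime the kernel wrote when touch ran.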
Summary
This script removes only one kind of trace left behind after attacking a server. To stay hidden, an attacker has to think through every technique used against the server and how to cover the traces each one leaves.
The lesson is that timestamps can lie too: administrators should assume that logs and other protections can be manipulated, even when nothing looks out of place. Comparing a file's mtime against its ctime, which touch cannot rewrite, is one check that survives this particular trick.