02_LogSecurity_03_URL_ErasingLinuxLogs

http://kopil.tistory.com/m/post/10
==================================

 

Scenario: the attacker compromises the site and then escalates
-> user01
-> root

The two commands a defender (or the attacker) looks at first, and the binary log each one reads:
# who   (utmp:  who is logged in right now, /var/run/utmp on Linux)
# last  (wtmp:  login/logout/reboot history, /var/log/wtmp on Linux)

 


https://w2.eff.org/Net_culture/Hackers/hacking.faq
===================================================
-> See the section below, taken from the document at the URL above

-----------------------------------------------------
11. How do I erase my presence from the system logs?

Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
files that can be edited by hand with vi, you must use a program
specifically written for this purpose.
........
-----------------------------------------------------


http://h30499.www3.hp.com/t5/System-Administration/Cleaning-up-utmp-wtmp-btmp-utmpx-wtmpx-and-maintaining-integrity/td-p/3622090#.VCTula0cSM8
=========================================================
-> See the passage below, taken from the thread at the URL above

-----------------------------------------------
Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity 
.
.....

If you null these files then the commands will not return any values. The commands (such as 'who' or 'last') would still work but the files are 0 bytes.

A reboot is not required after null'ing the files.

Save off an ASCII version of the file(s). Then null the file. Issue the who or last command - the output should be nothing.

Convert the ASCII file back to binary format, then issue the who or last command. You should get the output as expected, as there is now data in these file(s).


wtmp - a system audit file
Stores the LAST info
Stored in BINARY format
 to convert to ASCII, /usr/sbin/acct/fwtmp -X < wtmps > wtmps.rdg
 this will store the data in ASCII format in the wtmps.rdg file
 to convert to binary, /usr/sbin/acct/fwtmp -ic < wtmps.rdg > wtmps
-----------------------------------------------
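Added worked example (my own code, not from this page, the EFF FAQ or the HP thread). Both quoted passages make the same point: utmp/wtmp are fixed-size binary records, so they cannot be edited with vi and need a purpose-built program, and the HP post shows the binary <-> ASCII round trip that fwtmp does on HP-UX. The script below does the Linux equivalent: it packs and parses glibc's struct utmp as laid out on x86_64 (384 bytes per record, little-endian), dumps records to a tab-separated ASCII form and back (the fwtmp -X / -ic analogue), shows what a crude "remove every record naming user01" cleaner leaves behind, and runs the integrity checks a defender would want: a nulled (0-byte) file, a size that is not a whole number of records, timestamps going backwards, and a DEAD_PROCESS (logout) record with no matching login on that tty. All records are constructed inline; the usernames, PIDs, host 10.0.0.5 and kernel string are hypothetical. The check relies on the assumption that logout records are written with a blank ut_user (as glibc's logout() does), which is why a username-matching wiper leaves them orphaned; on other architectures or OSes the struct layout differs and UTMP_FMT must be adjusted.

```python
"""Pack, parse, round-trip and sanity-check Linux wtmp/utmp records.

Added example: layout is glibc's struct utmp on x86_64 (384 bytes, little-endian).
Every record here is constructed in the script; nothing is read from
/var/log/wtmp or /var/run/utmp.
"""
import struct

# bits/utmp.h (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], exit_status{e_termination, e_exit}, ut_session,
# ut_tv{tv_sec, tv_usec} as two int32, ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on x86_64 glibc

EMPTY, RUN_LVL, BOOT_TIME = 0, 1, 2
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8
FIELDS = ("type", "pid", "line", "id", "user", "host", "time")


def _cstr(b):
    """Decode a NUL-padded fixed-width char field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, tv_sec, ut_id=""):
    """Build one binary utmp record; struct.pack NUL-pads the char arrays."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_records(data):
    """Split a wtmp/utmp byte string into dicts (one per 384-byte record)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("not a whole number of utmp records")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def to_ascii(records):
    """Binary -> tab-separated text (what fwtmp -X does on HP-UX)."""
    return "".join("\t".join(str(r[k]) for k in FIELDS) + "\n" for r in records)


def from_ascii(text):
    """Text -> binary (what fwtmp -ic does on HP-UX)."""
    out = bytearray()
    for ln in text.splitlines():
        if not ln.strip():
            continue
        t, pid, line, uid, user, host, ts = ln.split("\t")
        out += pack_record(int(t), int(pid), line, user, host, int(ts), uid)
    return bytes(out)


def strip_user(records, user):
    """What a crude log cleaner does: drop every record whose ut_user names the target."""
    return [r for r in records if r["user"] != user]


def audit(data):
    """Return a list of integrity findings for a wtmp byte string (empty list = clean)."""
    findings = []
    if len(data) == 0:
        return ["file is 0 bytes: nulled or freshly rotated; who/last will print nothing"]
    if len(data) % UTMP_SIZE:
        return [f"size {len(data)} is not a multiple of {UTMP_SIZE}: truncated or foreign layout"]
    open_lines = {}   # tty -> user with a login record not yet closed
    last_ts = 0
    for i, r in enumerate(parse_records(data)):
        if r["time"] < last_ts:
            findings.append(f"record {i}: timestamp goes backwards ({r['time']} < {last_ts})")
        last_ts = max(last_ts, r["time"])
        if r["type"] in (USER_PROCESS, LOGIN_PROCESS):
            open_lines[r["line"]] = r["user"]
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(f"record {i}: logout on {r['line']} with no preceding login (records removed?)")
            else:
                open_lines.pop(r["line"])
        elif r["type"] == BOOT_TIME:
            open_lines.clear()  # a reboot ends every open session
    return findings


# Constructed sample: reboot, user01 and root log in over ssh, user01 logs out.
# The logout record carries a blank ut_user, as glibc's logout() writes it.
T0 = 1700000000
SAMPLE = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", T0, "~~"),
    pack_record(USER_PROCESS, 4242, "pts/0", "user01", "10.0.0.5", T0 + 100, "ts/0"),
    pack_record(USER_PROCESS, 4300, "pts/1", "root", "10.0.0.5", T0 + 160, "ts/1"),
    pack_record(DEAD_PROCESS, 4242, "pts/0", "", "", T0 + 300, "ts/0"),
])

if __name__ == "__main__":
    print(to_ascii(parse_records(SAMPLE)))
    print("clean file:", audit(SAMPLE))
    wiped = from_ascii(to_ascii(strip_user(parse_records(SAMPLE), "user01")))
    print("after wiping user01:", audit(wiped))
    print("after nulling:", audit(b""))
```

The username-based wipe removes user01's login record but not the logout record on pts/0, so the audit reports an orphaned logout; a wiper that also matches on ut_line/ut_id would not trip that check, which is why wtmp should be compared against sources the attacker cannot reach as easily (remote syslog, auth.log, process accounting).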

 


http://en.wikipedia.org/wiki/Utmp
=====================================