Removing /var
routingbyrumor (Member, Posts: 93)
Hi, this question relates to security. If someone gained access to my system and deleted a file, could he/she clear the tracks left behind just by removing files such as /var/log/secure or /var/log/messages? Or maybe just wipe the entire /var directory out altogether?
Comments
sprkymrk (Member, Posts: 4,884)
Well, if your logs are gone, you know you've been owned. Not too familiar with Linux, but wouldn't he/she need root access to do this anyway?
At that point, it's a little late to be checking your logs for intruders, as he/she has probably already installed a rootkit that will cause commands like ps to only show you what he wants you to see, a back door allowing access if you do find out someone has hacked you, and run a crack on all your existing user accounts (/etc/passwd and /etc/shadow). In other words, if he can delete your logs, you are probably too late.
All things are possible, only believe.
routingbyrumor (Member, Posts: 93)
Thanks for the reply. I didn't think about the rootkit; once root is compromised, so is the entire system. However, I was wondering if there was a way to track down the steps that the intruder took? Somewhat like reverse engineering the steps they took to break in and do what they did; however, since the logs are gone, this probably won't be possible.
sprkymrk (Member, Posts: 4,884)
That depends....
Do you have a firewall or border router that is logging traffic? How about backups from early in the intruder's process of hacking the system, but before he got in? How do those logs look compared to the modified logs? What network events can you correlate around the compromise? Are there failed attempts to exploit other machines on the network that may be related? These are all things that take an expert forensic technician to sort out, but many times things that you and I may miss will be seen by a trained eye.
Keatron, your comments please?
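The two checks suggested in the reply above (compare a backup copy of the auth log against the live one, and correlate firewall records against what the host log still claims) can be scripted. The block below is an added example, not code from anyone in this thread. Every log line in it is constructed for the example; the sshd line format mimics /var/log/secure, while the firewall log format, the hostnames, the addresses and the log year are assumptions.

```python
"""Cross-check a host auth log against an offline backup and a firewall log.

Added example, not code from the thread. All log lines are constructed;
the firewall line format and the year are assumptions.
"""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for parsing

# Constructed: /var/log/secure as captured by a nightly backup taken
# before the intruder cleaned up.
BACKUP_SECURE = """\
Mar 14 02:10:05 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 14 02:10:09 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 14 02:10:14 web1 sshd[4121]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:30 web1 sshd[4150]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
"""

# Constructed: the same file as found on the host afterwards. The lines
# mentioning the intruder's address have been removed.
CURRENT_SECURE = """\
Mar 14 02:11:30 web1 sshd[4150]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
"""

# Constructed: border firewall log of accepted connections to web1's SSH port.
# The line layout is an assumption, not any particular vendor's format.
FIREWALL_LOG = """\
Mar 14 02:10:03 fw1 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=22
Mar 14 02:11:28 fw1 ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=22
Mar 14 02:40:51 fw1 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=22
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)
FW_SSH = re.compile(r"\bACCEPT src=(\S+) dst=\S+ dport=22\b")


def syslog_time(line, year=LOG_YEAR):
    """Parse the leading 'Mon DD HH:MM:SS' of a syslog line, or None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, clock = m.groups()
    return datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", "%Y %b %d %H:%M:%S")


def removed_lines(backup, current):
    """Lines present in the backup copy but missing from the live log.

    Order is preserved so the gap reads like the original log."""
    live = set(current.splitlines())
    return [ln for ln in backup.splitlines() if ln and ln not in live]


def auth_events(secure, year=LOG_YEAR):
    """(timestamp, source ip, outcome, user) for each sshd auth line."""
    events = []
    for ln in secure.splitlines():
        m = SSHD_AUTH.search(ln)
        ts = syslog_time(ln, year)
        if m and ts:
            outcome, user, src = m.groups()
            events.append((ts, src, outcome, user))
    return events


def uncorrelated_ssh_connections(fw_log, secure, window=timedelta(seconds=60), year=LOG_YEAR):
    """Firewall-accepted SSH connections for which the host log has no
    sshd auth record from the same source within `window` afterwards.

    Each hit is either a session the host never recorded (a login whose
    lines were removed) or a connection made after the log copy was taken;
    both are worth a closer look."""
    auth = auth_events(secure, year)
    flagged = []
    for ln in fw_log.splitlines():
        m = FW_SSH.search(ln)
        ts = syslog_time(ln, year)
        if not (m and ts):
            continue
        src = m.group(1)
        seen = any(a_src == src and ts <= a_ts <= ts + window for a_ts, a_src, _, _ in auth)
        if not seen:
            flagged.append((ts.strftime("%b %d %H:%M:%S"), src))
    return flagged


if __name__ == "__main__":
    print("Lines removed from the live log:")
    for ln in removed_lines(BACKUP_SECURE, CURRENT_SECURE):
        print("  " + ln)
    print("SSH connections the live log does not account for:")
    for when, src in uncorrelated_ssh_connections(FIREWALL_LOG, CURRENT_SECURE):
        print(f"  {when} from {src}")
```

Run against the live copy, the script lists the three deleted lines and flags both connections from 203.0.113.7; run against the backup, only the 02:40 connection remains unexplained, because it happened after the backup was taken. The point of the comparison is that the firewall and the backup are records the intruder could not reach from the compromised host, so the gaps they expose are exactly the activity that was wiped.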