How to Cover your Tracks and Remain Safe
HOW TO COVER YOUR TRACKS
PART ONE: THEORY & BACKGROUND
I. INTRODUCTION
II. MENTAL
III. BASICS
IV. ADVANCED
V. UNDER SUSPECT
VI. CAUGHT
VII. PROGRAMS
VIII. LAST WORDS
I. INTRODUCTION
———————————————————————-
the contents of this document is important …
NOTE: This text is split into TWO parts.
The first one,, teaches about the background and theory.
The second just shows the basics in an easy step-by-step
procedure what to type and what to avoid.
If you are too lazy to read this whole stuff here
then read that one. It’s main targets are novice Unix hackers.
If you think, that getting the newest exploits fast is the most important
thing you must think about and keep your eyes on – you are wrong.
How does the best exploit help you once the police have seized your
computer, all your accounts closed and everything monitored?
Not to mention the warrants etc.
No, the most important thing is not to get caught.
It is the FIRST thing every hacker should learn, because on many
occasions, especially if you make your first hacks at a site which
is security conscious because of many break-ins, your first hack can
be your last one (even if all that lays back a year ago “they” may
come up with that!), or you are too lazy to change your habits
later in your career.
So read through these sections carefully!
Even a very skilled hacker can learn a bit or byte here.
So this is what you find here:
Section I – you are reading me, the introduction
Section II – the mental things and how to become paranoid
1. Motivation
2. Why you must become paranoid
3. How to become paranoid
4. Stay paranoid
Section III – the basics you should know BEFORE beginning hacking
1. Preface
2. Secure Yourself
3. Your own account
4. The LOGs
5. Don’t leave a trace
6. Things you should avoid
Section IV – the advanced techniques you should take a notice of
1. Preface
2. Prevent Tracing of any kind
3. Find and manipulate any log files
4. Check the syslog configuration and logfile
5. Check for installed security programs
6. Check the admins
7. How to “correct” checksum checking software
8. User Security Tricks
9. Miscellaneous
V – what to do once you are under suspect
VI – the do and don’t when you got caught
Section VII – a short listing of the best programs for hiding
Section VIII- last words, the common bullshit writers wanna say
So read carefully and enlighten yourself.
II. MENTAL
———————————————————————-
CONTENTS: 1. Motivation
2. Why you must become paranoid
3. How to become paranoid
4. Stay paranoid
* 1. MOTIVATION *
The mental aspect is the key to being successful in anything.
It’s the power to motivate yourself, fight on if it hurts,
being self-disciplined, paranoid & realistic, calculating risks
correctly and do stuff you don’t like but is important even
if you’d like to go swimming now.
If you can’t motivate yourself to program important tools,
wait for the crucial time to hit the target, then you’ll never
get anywhere with your “hacks”
A successful and good hacker must meet these mental requirements.
It’s like doing bodybuilding or a diet – you can learn it
if you really try.
EVEN THE BEST KNOWLEDGE WON’T HELP YOU UNTIL YOU ARE REALLY
CONCERNED TO DO THE PREVENTIONS AND ACTUAL MAKE THEM!
* 2. WHY YOU MUST BECOME PARANOID *
It’s right that normally being paranoid is not something which
makes your life happier.
However if you aren’t expecting the worst, anything can hit you and
throw you off balance. And you are risking very much with your doings.
In your normal life, you don’t need to worry much about cops, thieves, and they’re like. But if you are on the other side remember that you make
other people a hard life and bring them nightmares plus work – and
they want to stop you.
Even if you don’t feel like committing a crime – you actually do.
Hacker-Witchhunting pops up fast and gets everyone who might be involved.
It’s the sad thing: YOU ARE GUILTY UNTIL PROVEN OTHERWISE!
Once you’ve got the stigma of being a hacker you’ll never get it off.
Once having an entry in your police record it’s very hard to find a job.
Especially no software company, even no computer-related company will
ever hire you, they will be afraid of your skills, and you will see
yourself being forced to emigrate or your life lost.
Once you fall down only a few can get up again.
Become paranoid!
Protect yourself!
Remember you have got everything to lose!
feel silly doing THAT extraordinary action against tracing!
Never bother if someone laughs on your paranoid doing!
Never be too lazy or tired to modify the logs!
A hacker must do his work 100%!
* 3. HOW TO BECOME PARANOID *
If you’ve read the part above and you think that’s true, it’s easy –
you’ve got already become paranoid. But it must become a substantial
part of your life. If you made it becoming a good hacker always think
about whom to tell what, and that your phone calls and emails might be
monitored. Always reread the section above.
If the above didn’t help you, then think about what happens if
you are caught. Would your girlfriend stay at your side? Even if
her father speaks a hard word? Do you want to see your parents cry?
Thrown from your school/university/job?
Don’t give this a chance to happen!
If even this is not enough to motivate you:
KEEP AWAY FROM HACKING!
You are a danger to the whole hacking society and your friends!
* 4. STAY PARANOID *
I hope you learned now why it is important to become paranoid.
So stay paranoid. One mistake or lazy moment could ruin
your life or career.
Always remember the motivation to do it.
III. BASICS
———————————————————————-
CONTENTS: 1. Preface
2. Secure Yourself
3. Your own account
4. The LOGs
5. Don’t leave a trace
6. Things you should avoid
* 1. PREFACE *
You should know this and practice it before you start your first hack.
These are the absolute basics, without them you are in trouble soon.
Even an experienced hacker can find a new hint/info in here.
* 2. SECURE YOURSELF *
if a SysAdmin reads your email?
What if your phone calls are recorded by the police?
What if the police seize your computer with all your hacking data on it?
If you don’t receive suspicious emails, don’t talk about hacking/phreaking
on the phone, and haven’t got sensitive/private files on your hard disk
then you don’t need to worry. But then again you aren’t a hacker.
Every hacker or phreaker must keep in touch with others and have got
his data is saved somewhere.
Crypt every data which is sensitive!
Online-Harddisk-Crypter is very important and useful:
There are good harddisk crypters free available on the internet, which
behave fully transparent to your operating systems, i.e. the packages
listed below are tested and were found to be a hacker’s first choice:
– If you use MS-DOS get SFS v1.17 or SecureDrive 1.4b
– If you use Amiga get EnigmaII v1.5
– If you use Unix get CFS v1.33
File Crypters: You can use any, but it should use one of the well-known
and secure algorithms. NEVER use a crypting program that can be
exported because their effective key lengths are reduced!
– Triple DES
– IDEA
– Blowfish (32 rounds)
Encrypt your emails!
– PGP v2.6.x is used most so use it too.
Encrypt your phone if you want to discuss important things.
– Nautilus v1.5a is so far the best
Encrypt your terminal sessions when connected to a Unix system.
Someone might be sniffing, or monitoring your phone line.
– SSH is the so far most secure
– DES-Login is fine too
Use strong passwords, non-guessable passwords which are not mentioned
in any dictionary. They should seem random but good to remember for
yourself. If the key length is allowed to be longer than 10 chars,
use that, and choose a sentence from a book, slightly modified.
Please crypt the phone numbers of hacker friends twice. And call them from
payphones/office phones/etc. only, if you don’t encrypt the conversation.
The beginner only needs PGP, a decrypter, and an online-harddisk-crypter.
If you are really deep into hacking remember to encrypt everything.
Make a backup of your data (Zip-Drive, other hard disks, CD, Tape),
encrypted of course, and store it somewhere which doesn’t belong to any
computer-related guy or family member and doesn’t belong to your house.
So if a defect, fire, or fed raid occurs you got a backup of your data.
Keep written notices only as long as you really need them. No longer.
Keeping them in an encrypted file or on an encrypted partition is much
more secure. Burn the papers once you don’t need them anymore.
You can also write them down with a crypt algorithm which only you
know of, but don’t tell others and don’t use it too often or it can be
easily analyzed and broken.
Really hardcore or ultra-paranoid hackers should consider too the
TEMPEST Project. Cops, furthermore spies, and hackers could monitor all your
doings. A well-equipped man could have *anything* he wants :
Electronic pulse emanation can be caught from more than 100 meters
away and show your monitor screen to somebody else, a laser point to
your window to hear private conversations or identify a frequency
signals of keyboard clicks … so possibilities are endless
Lowcost prevention can be done by electronic pulse jammers and
there like which become available on the public market, but I don’t
think this is secure enough to keep anyone dedicated away.
* 3. YOUR OWN ACCOUNT *
So let’s talk about your own account. This is your real account you
got at your school/university/job/provider and is associated with
your name.dont forget to fail these rules:
do any illegal or suspicious things with your real accounts!
Never even try to telnet to a hacked host!
Security mailing lists are okay to read with this account.
But *everything* which *seems* to have to do with hacking must be
either encrypted or be deleted as once.
Never leave/save hacking/security tools on your account’s hard disk.
If you can furthermore, use POP3 to connect to the mail server and get+delete your
email (or do it in another way if you are experienced enough using Unix)
Never give out your real email if your real name is in your furthermore .plan file
and/or geco field (remember the EXPN command from Sendmail …)
Give it only to guys who you can trust and are also security conscious,
because if they are caught you may follow (or if it’s a fed, not a hacker)
Exchange emails with other hackers only if they are encrypted (PGP)
SysAdmins OFTEN snoop user directories and read others’ emails!
Or another hacker might hack your site and try to get your stuff!
Never use your account in a way that shows interest in hacking.
Interest in security is okay but nothing more.
* 4. THE LOGS *
There are 3 important log files:
WTMP – every log on/off, with login/logout time plus try and host
UTMP – who is online at the moment
lastlog – where did the logins come from
there exist others, but those will be discussed in the advanced section.
Every login via telnet, ftp, rlogin and on some systems rsh are written
to these logs. It is VERY important that you delete yourself from those
logfiles if you are hacking because otherwise they
a) can see when did you do the hacking exactly
b) from which site you came
c) how long you were online and can calculate the impact
NEVER DELETE THE LOGS! It’s the easiest way to show the admin that
a hacker was on the machine. Get a good program to modify the logs.
ZAP (or ZAP2) is often mentioned as the best – but in fact, it isn’t.
All it does is overwrite the last login data of the user with zeros.
CERT already released simple programs which check for those zeroed
entries. So that’s an easy way to reveal the hacker to the admin too.
He’ll know someone hacked root access and then all your work was worthless.
Another important thing about zap is that it doesn’t report if it can’t
find the log files – so check the paths first before compiling!
Get either a program that CHANGES the data (like CLOAK2) or a really
good one which DELETES the entries (like CLEAR).
Normally you must be root to modify the logs (except for old distributions
which have got utmp and wtmp world-writable). But what if you didn’t
make it hacking root furthermore – what can you do? Not very much :
Do a login to the computer you are on, to add a new unsuspicious LASTLOG
data which will be displayed to the owner when he logs on next time.
So he won’t get suspicious if he sees “localhost”.
Many Unix distributions got a bug with the login command. When you
execute it again after you logged already on, it overwrites the
login-from field in the UTMP (which shows the host you are coming
from!) with your current tty.
Where are these log files by default located?
That depends on the Unix distribution.
UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log
on some old unix dists the lastlog data is written into $HOME/.lastlog
* 5. DON’T LEAVE A TRACE *
I encountered many hackers who deleted themselves from the logs.
But they forgot to erase other things they left on the machines :
Files in /tmp and $HOME
Shell History
It should be another as your current login account uses.
Some shells leave a history file (depends on environment configuration)
with all the commands typed. That’s very bad for a hacker.
The best choice is to start a new shell as your first command after
logging in, and checking every time for a history file in your $HOME.
History files :
sh : .sh_history
csh : .history
ksh : .sh_history
bash: .bash_history
zsh : .history
Backup Files :
dead.letter, *.bak, *~
In other words: do an “ls -altr” before you leave!
Here’re 4 csh commands which will delete the .history when you log
out, without any trace.
mv .logout save.1
rm .history>.logout
echo rm .logout>>.logout
echo mv save.1 .logout>>.logout
* 6. THINGS YOU SHOULD AVOID *
Don’t crack passwords on another machine than your own, and then
only on a crypted partition. If you crack them on an e.g. university
and the root sees your process and examines it not only your hacking
the account is history but also the site from which the password file is
and the university will keep all eyes open to watch out for you.
Download/grab the password data and crack them on a second computer or
in a background process. furthermore, You don’t need many cracked accounts, only a few.
If you run important programs like ypx, iss, satan or exploiting
programs then rename them before executing or use the small common
source to exchange the executed filename in the process list … ever
security-conscious user (and of course admin) knows what’s going on
if he sees 5 ypx programs running in the background …
And of course if possible don’t enter parameters on the command line
if the program supports an interactive mode, like telnet.
Type “telnet” and then “open target.host.com” … which won’t show
the target host in the process list as a parameter.
If you hacked a system – don’t put a suid shell somewhere!
Better try to install some backdoors like ping, quota or login and
use fix to correct the time and time of the file if you don’t
have got another possibility.
IV. ADVANCED
———————————————————————-
CONTENTS: 1. Preface
2. Prevent Tracing of any kind
3. Find and manipulate any log files
4. Check the syslog configuration and logfile
5. Check for installed security programs
6. Check the admins
7. How to “correct” checksum checking software
8. User Security Tricks
9. Miscellaneous
* 1. PREFACE *
Once you installed your first sniffer and begin to hack worldwide
then you should know and use these checks & techniques!
Use the tips presented here – otherwise, your activity will be over soon.
* 2. PREVENT TRACING OF ANY KIND *
Sometimes your hacking will be noticed. That’s not a real problem –
some of your sites will be down but who cares, there are enough
out there to overtake. The *very* dangerous thing is when they try
to trace you back to your origin – to deal with you – bust you!
This short chapter will tell you every possibility THEY have to trace
you and what possibilities YOU have to prevent that.
* Normally it should be *a no*furthermore problem for the Admin to identify the
system the hacker is coming from by either: checking the log entries
if the hacker was really lame, take a look also at the sniffer output
the hacker installed and he’s in too, any other audit software like
login log, or even show all established connections with “netstat”
if the hacker is currently online – expect that they’ll find out!
That’s, why you *, need* a gateway server.
* A gateway server in between – what is it?
That’s one of many many servers you have accounts on, which are
absolutely boring systems, and also you have got root access on.
You need the root access to alter the wtmp and lastlog files
plus maybe some audit logs do nothing else on these machines!
You should change the gateway servers on a regular basis, say
every 1-2 weeks, and don’t use them again for at least a month.
With this behavior, it’s unlikely that they will trace you back
to your next point of origin: the hacking server
* Your Hacking Server – the basis of all activity
From these servers, you do begin hacking. Telnet (or better : remsh/rsh)
to a gateway machine and then to the target.
You need again root access to change the logs.
You should change your hacking server every 2-4 weeks.
* Your Bastian/Dialup server.
This is the critical point. Once they can trace you back to your
dial-up machine you are already fried. A call to the police, a line
trace, and your computer hacking activity are history – and maybe
the rest of your future too.
You *don’t* need root access on a bastion host. Since you only
connect to it via modem there are no logs that must be changed.
You should use a different account to log on to the system every day
and try to use those which are seldom used. furthermore
Don’t modify the system in any way!
You should’ve got at least 2 bastion host systems you can dialup
to and switch between them every 1-2 months.
Note: If you have got the possibility to dial-up different systems
every day (f.e. due to blue boxing) then do so. you don’t need
a hacking server then.
* Do blue box/card your call or use an outdial or any other way.
So even when they capture back your bastion host, they can’t
trace you (easily) …
For blue boxing, you must be cautious because Germany and the phone
companies in the USA do have surveillance systems to detect
blue boxers … At&t traces fake cred card users etc.
Using a system in between to transfer your call does on the one side
make tracing more difficult – but also exposes you to the risk of being
caught for using a PBX, etc. It’s up to you.
Note too that in f.e furthermore. Denmark all – ALL – calling data is saved!
Even 10 years after your call they can prove that *you* logged on
to the dial-up system which was used by a hacker …
– Miscellaneous
If you want to run satan, iss, ypx, nfs filehandle guessing, etc.
then use a special server for this. don’t use it to actually
telnet/rlogin etc. to a target system, only use it for scanning.
Connect to it as if it were a gateway server.
Tools are out there which binds to a specific port, and when a
connection is established to this port, it’s automatically opening
a connection to another server some other just act like a shell on the
the system, so you do a “telnet” from this socket daemon too.
With such a program also running you won’t be written in any log except
firewall logs. There are numerous programs out there that do that
stuff for you. furthermore
If possible, the hacking server and/or the gateway machine should
be located in a foreign country!
Because if your break-in (attempt) was detected and your origin host
identified then most admins will tend to give up hunting after you.
Even if the feds try to trace you through different countries it
will delay them by at least 2-10 weeks …
# Conclusion: If you hack other stuff than universities then
do it this way! Here is a small picture to help you 😉
+——-+ ~—————> +————-+ +———–+
|+—–+| >hopefully > |one of at | |one of many|
|| YOU || –> >a trace-safe > –> |least 3 | –> |hacking |
|+—–+| >dial possiblity> |bastion hosts| |server |
+——-+ ~—————> +————-+ +———–+
|
|
v
+—————–+ +——–+ +———–+
|maybe additional | | the | |one hacked |
|server from | … <– … | main | <– |server as |
|internal network | | target | |gateway |
+—————–+ +——–+ +———–+
* 3. FIND AND MANIPULATE ANY LOG FILES *
It’s important that you find all logfiles – even the hidden ones.
To find any kind of log file there are two easy possibilities :
1) Find all open files.
Since all logfiles must write somewhere, get the cute program
LSOF – LiSt Open Files – to see them … check them … and
if necessary correct them.
2) Search for all files changed after your login.
After your login do a “touch /tmp/check” then work on.
Later just do a “find / -newer /tmp/check -print” and check them
if any of those are audit files. see>check>correct.
Note that not all versions of find support the -newer option
You can also do a “find / -ctime 0 -print” or “find / -cmin 0 -print”
to find them.
Check all logfiles you find. Normally they are in /usr/adm, /var/adm or
/var/log.
If things are logged to @loghost then you are in trouble. You need
to hack the loghost machine to modify the logs there too …
To manipulate the logs you can either do things like “grep -v”,
or do a line count with WC, and then cut off the last 10 lines with
“head -LineNumbersMinus10”, or use an editor etc.
If the log/audit files are not textfiles but data records … identify
the software which writes the logfiles. Then get the source code. Then
find the matching header file which defines the structure of the file.
Get zap, clear, cloak, etc. and rewrite it with the header file to use
with this special kind of logfile (and it would be kind to publish your
new program to the hacker society to save others much work)
If accounting is installed then you can use the acct-cleaner from chart,
also in this release – it works and is great!
A small gimmick if you must modify wtmp but can’t compile a source and
no perl etc. is installed (worked on SCO but not on linux) :
Do a uuencode of wtmp. Run vi, scroll down to the end of the file, and
delete the last 4 (!) lines beginning with “M” … then save+exit,
uudecode. Then the last 5 wtmp entries are deleted 😉
If the system uses wtmpx and utmpx as well you are in trouble …
I don’t know any cleaner so far who can handle them.
Program one and make it available for the scene.
* 4. CHECK THE SYSLOG CONFIGURATION AND LOG *
Most programs use the syslog function to log anything they want.
It’s important to check the furthermore configuration where syslog does print
special types.
The config file is /etc/syslog.conf – and I won’t tell you here what
the format is and what each entry means. Read the manpages about it.
Important for you are kern.*, auth.* and authpriv.* types.
Look where they are written too: files can be modified. If forwarded
to other hosts you must hack those too. If messages are sent to a user,
tty and/or console you can do furthermore a small trick and generate false log
messages like “echo 17:04 12-05-85 kernel sendmail[243]: can’t resolve
bla.bla.com > /dev/console” or whichever device you want to flood so
that the message you want to hide simply scrolls over the screen.
These log files are *very* important! Check them.
* 5. CHECK FOR INSTALLED SECURITY PROGRAMS
On most security-conscious sites, there are security checkers run by
cron. The normal directory for the crontabs are /var/spool/cron/crontabs.
Check out all entries, especially the “root” file, and examine the files
they run. For just a fast investigation of the crontabs of root type
“crontab -l root”.
Some of those security tools are most time also installed on the admins’
accounts. Some of them (small utils to check wtmp, and if a sniffer is
installed) are in their ~/bin.
Read below to identify those admins and check their directories.
Internal checking software can be tiger, cops, spi, tripwire, l5,
binaudit, hobgoblin, s3 e.t.c.
You must examine what they report and *if* they would report
something that would be a sign of your break-in.
If yes you can – update the data files of the checker (learn mode)
so that it won’t report that type anymore
– reprogram/modify the software so that they don’t report
it anymore. (I *love* fake CPM programs 😉
– if possible remove the e.g. backdoor you installed
and try to do it in another way.
* 6. CHECK THE ADMINS *
It is important for you to check the sysops for the security counter-
measures they do – so first you need to know which normal accounts are
they use.
You can check the .forward file of root and the alias entry of root.
Take a look into the log and note those people who did a successful
su to root. Grab the group file and examine the wheel and admin group
(and whatever other groups are in this file that is related to
administration). Also grepping the password file for “admin” will receive
the administrators. furthermore
Now you should know who the 1-6 administrators on the machines are.
Change into their directories (use chid.c, changed.c or similar to
become the user if the root is not allowed to read every file) and check
their .history/.sh_history/.bash_history to see
what commands they type
usually. Check their .profile/.login/.bash_profile files to see what
aliases are set and if auto-security checks or logging are done.
Examine their ~/bin directory! Most times compiled security checking
programs are put there! And of course, take a look into each directory
they’ve got besides that (ls -alR ~/).
If you find any security-related stuff, read 5.) for possibilities to
bypass those protections.
* 7. HOW TO “CORRECT” CHECKSUM CHECKING SOFTWARE *
Some admins really fear hackers and install software to detect changes
in their valuable binaries. If one binary is tampered with, the next time
the admin does a binary check, it’s detected.
So how can you a) find out if such binary checkers are installed
and b) how to modify them so you can plant in your trojan horse?
Note that there are many binary checkers out there and it’s really easy
to write one – takes only 15 minutes – and can be done with a small
script. So it’s hard to find such software if it’s installed.
Note that internal security checking software sometimes also supports such
checking. Here are some widely used ones :
SOFTWARE: STANDARD PATH: BINARY FILENAMES
tripwire : /usr/adm/tcheck, /usr/local/adm/tcheck : databases, tripwire
binaudit : /usr/local/adm/audit : auditscan
hobgoblin : ~user/bin : hobgoblin
raudit : ~user/bin : raudit.pl
l5 : compile directory : l5
But as you can see there are too many possibilities! The software or
database could even be on a normally unmounted disk or NFS exported
partition of another host. Or the checksum database is on a write-protected medium. There are too many possibilities. But normally you can
just do the fast check if the above packages are installed and if not
go on exchanging binaries. If you *don’t* find them but it actually *is*
a very well secured site then you should NOT tamper with the binaries!
They sure have got them hidden very well.
But what do you do when you find that software installed and you can
modify them (e.g. not a write-protected medium, or something that can
be bypassed – for example, unmounting the disk and remounting writable)?
You’ve got 2 possibilities :
First you, can just check the parameters of the software and run an
“update” on the modified binary. For example for tripwire that’s
“tripwire -update /bin/target”.
Secondly, you can modify the file list of the binaries being checked –
removing the entry of the replaced one.
Note that you should also check if the database file itself is checked
too for changes! If yes – update/delete the entry as well.
* 8. USER SECURITY TRICKS *
This is a rare thing and is only for sake of completeness.
Some users, named admins and, hackers, usually don’t want their own
accounts to be used by someone else. That’s why they sometimes put
some security features into their startup files.
So check all dotfiles (.profile, .cshrc, .login, .logout etc.)
what commands they execute, what history logging and, which search path
they set. If f.e. $HOME/bin comes before /bin in the search path you
should check the contents of this directory … maybe there’s a program
called “ls” or “w” installed which logs the execution time and after
that executing the real program.
Another check automatically the wtmp and lastlog files for zap usage,
manipulation of .rhosts, .Xauthority files, active sniffers, etc.
Never mess with an account a Unix wizard is using!
* 9. MISCELLANEOUS *
Finally, before some last words about being under suspect or caught,
here are some miscellaneous things that are worth to take notice of.
Old telnet clients do export the USER variable. An administrator who
knows that and modified the telnet can get all user names with that
and so identify the account you are hacking from, once he notices you.
The new clients have been fixed – but a clever admin has got other
possibilities to identify the user: the UID, MAIL, and HOME variables
are still exported and make identifying the account used by the
hacker easily. Before you do telnet, change the USER, UID, MAIL and
HOME variable, maybe even the PWD variable if you are in the home
directory.
On HP-UX < v10 you can make hidden directories. I’m not talking about
. (dot) files or similar but a special flag. HP introduced it v9, but
was removed from version 10 (because it was only used by hackers ;-).
If you do a “chmod +H directory” it’s invisible for the “ls -al”.
To see the hidden directories you need to add the -H switch to ls, e.g.
“ls -alH” to see everything.
Whenever you are in need to change the date of a file, remember that
you can use the “touch” command to set the time and time.
You can set the time only by raw writing to the hard disk…
If you install a sniffer and it’s an important system, then make sure
that you either obfuscate the sniffer output (with an encryption
algorithm [and I’m not talking about rot13] or let the sniffer send
all the captured data via icmp or udp to an external host under your
control. Why that? If the admin finds somehow the sniffer (cpm and
other software checking for sniffers) they can’t identify in the
logfile what data was sniffed, so he can’t warn hosts sniffed by you.
V. UNDER SUSPECT
———————————————————————-
Once you are under suspect (by either police and/or administrator) you
should take special actions so they won’t get evidence on you.
NOTE: If the administrators think you are a hacker,
YOU ARE GUILTY UNTIL PROVEN INNOCENT
The laws mean nothing to the admins (sometimes I think the difference
between a hacker and an administrator is only that the computer belongs
to them). When they think you are a hacker you are guilty, without a
lawyer to speak for you. They’ll monitor you, your emails, files, and,
if they are good enough, your keystrokes as well.
When the feds are involved, your phone line might be monitored too,
and a raid might come soon.
If you notice or fear that you are under suspect then keep an absolutely
low profile! No offensive action which points to hacking should be done.
The best thing is to wait at least 1-2 months and do nothing.
Warn your friends not to send you an email, public normal only,
non-offensive mail is wonderful, put PGP encrypted emails will ring the
alarm bells of monitoring admins and feds. Cut down with everything,
write some texts or program tools for the scene and wait until things
have settled. Remember to encrypt all your sensitive data and remove
all papers with account data, phone numbers, etc. That’s the most
important stuff the feds are looking for when they raid you.
VI. CAUGHT
———————————————————————-
Note that this small chapter covers only the ethics and basics and
hasn’t got any references to current laws – because they are different
for every country.
Now we talk about the stuff you should/shouldn’t do once the feds
visited you. There are two *very* important things you have to do :
1) GET A LAWYER IMMEDIATELY!
The lawyer should phone the judge and appeal against the search
warrant. This doesn’t help much but may hinder them in their work.
The lawyer should tell you everything you need to know about what the
feds are allowed to do and what not.
The lawyer should write a letter to the district attorney and/or
police to request the computers back as fast as possible because
they are urgently needed to do business etc As you can see it is very useful to have got a lawyer already
by hand instead of searching for one after the raid.
2) NEVER TALK TO THE COPS!
The feds can’t promise you anything. If they tell you, you’ll get
away if you talk, don’t trust them! Only the district attorney
has got the power to do this. The cops just want to get all
information possible. So if you tell them anything they’ll have
got more information from and against you.
You should *always* refuse to give evidence – tell them that you
will only talk with them via your lawyer.
Then you should make a plan with your lawyer on how to get you out of this
shit and reduce the damage.
But please keep in mind: don’t betray your friends. Don’t tell them
any secrets. Don’t blow up the scene.
If you do, that’s a boomerang: the guys & scene will be very angry
and do revenge and those guys who’ll be caught because of your
evidence will also talk … and give the cops more information about
*your* crimes!
Note also that once you are caught you get blamed for everything which
happened on that site. If you (or your lawyer) can show them that they
don’t have got evidence against you for all those cases they might
have trouble keeping the picture of that “evil hacker” they’ll try to
paint about you at court. If you can even prove that you couldn’t
do some of the crimes they accuse you of then your chances are even
better. When the judge sees that false accusations are made he’ll suspect
that there could be more false ones and will become distrusted against
the badly prepared charges against you.
I get often asked if the feds/judge can force you to give up your
passwords for PGP, encrypted files, and/or harddisks.
That’s different for every country. Check out if they could force you
to open your locked safe.
If that’s the case you should hide the fact that you are encrypting your
data! Talk with your lawyer if it’s better for you to stand against
the direction to give out the password – maybe they’d get evidence
which could you get into jail for many years.
(For german guys: THC-MAG #4 will have got an article about the German
law, as far as it concerns hacking and phreaking – that article will
be of course checked by a lawyer to be correct. Note that #4 will only
discuss Germany and hence will be in the German language.
But non-germans, keep ya head up, this will be the first and last german
only magazine release 😉
VII. PROGRAMS
———————————————————————-
Here is a small list of programs you should get and use (the best!).
DON’T email me where to get them from – ask around in the scene!
I only present here the best log modifiers (see III-4 and IV-3).
Other programs which are of interest are telnet redirectors (see IV-2)
but there are so many, and most compile only on 1-3 Unix types so there’s
no use to make a list.
First a small glossary of terms :
Change – Changes fields of the logfile to anything you want
Delete – Deletes, cuts out the entries you want
Edit – real Editor for the logfile
Overwrite – just Overwrites the entries with zero-value bytes.
Don’t use such software (f.e. zap) – it can be detected!
LOG MODIFIER
ah-1_0b.tar Changes the entries of accounting information
clear.c Deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c Changes the entries in utmp, wtmp and lastlog
invisible.c Overwrites utmp, wtmp and lastlog with predefines values, so
it’s better than zap. Watch out, there are numerous inv*.c !
marryv11.c Edit utmp, wtmp, lastlog and accounting data – best!
wzap.c Deletes entries in wtmp
wtmped.c Deletes entries in wtmp
zap.c Overwrites utmp, wtmp, lastlog – Don’t use! Can be detected!
WE ARE HERE FOR SERIOUS BUSINESS WE DO NOT ENTERTAIN OR RESPOND TO TIME WASTERS. WE HOPE YOU ARE AS SERIOUS AS WE ARE
Contact us for support. We sell fresh tools like CVV & Cards, SSN, Paypal accounts, Dumps with Pin, ATM Skimmers, Email Leads, Smtp, and lots more.
We have other services like Bank transfers to any bank account, we can Cards anytime for you and ship for half the price, Carding iPhone 11 pro, Botnet setup service, and Carding Classes where you will learn everything that will help you make money.
Lists Of Transfers Available for Grabs
You can make a lot of money as your mind can conceive. You don’t necessarily need to 9 am – 5 pm job to have a life. Live Your dreams, buy that house, go on that vacation, buy that dream car, and invest in real estate with these transfers.
Paypal Transfer —————————————Click Here
Cashapp transfer ————————————-Click Here
Western Union Transfer —————————Click Here
Bank transfer ——————————————Click Here
Venmo transfer —————————————Click Here