_________ SWAT MAGAZINE ISSUE THIRTY THREE SEPTEMBER __________
/ \___________________________________________/ \
/              Covering your tracks               \
/              -=The Firestarter=-                \
-----------------------------------------------------------------------

Well, I hope that the methods outlined in this article work; the main reason for that is that if they don't, the police will have kicked my door in and arrested me by the time this issue comes out :op

Ok, let's assume that you just cracked into an NT box. First things first: take what you need, but don't take too long over it. Usually I just swipe the sam._ file after "Rdisk /s" if I can't get L0phtCrack to d/l the passwords and usernames for me. Then I wipe my tracks before going on the run about the system, and then I wipe the logs one last time before I disconnect. Why? Well, usually when I get into a system I erase the way I got in, then once I've done what I want, I erase the logs of what I have done. Does that make sense? Oh it does. Cool.

Right, how you got in will determine what log files are left behind. Usually I wipe out the IIS logs (winnt\system32\logfiles) using deltree (which you would have previously uploaded); another safe bet is to change the system date. Ok ok, I can see that I'm not making much sense of this, so I'll do it step by step from breaking into the system to leaving the system.

(1) Break into the system - no, I'm not going to tell you how to do it, you can learn about that yourself.

(2) Upload some files to the system to erase your presence. Some of the best files I have found that do this job are deltree.exe, which ships with Win9x, and ClearEventLog, which can be downloaded from packetstorm. ClearEventLog is a nice little program which, when executed with the command line "ClearEL all" with Administrator privileges, will erase ALL of the event logs in seconds. VERY handy. deltree can take out logs from the FTP, HTTP, etc. daemons.
I usually run this after changing the system date; this will erase the most up-to-date logs in the logfiles directory as well. Then, once completed, change it back if you wish, or you can always leave it changed to cover your tracks even more; altering the system time is another goody for this.

Ok, logs taken out? Well, mostly, but who knows what else is running on there! What I tend to do is lob NetBus onto the system. Yeah I know, lame, but when it's time that you don't have, why waste it contemplating whether you want to risk being called a script kiddie and lame for using it? I mean, let's face it, are there any faster ways of browsing directory structures? You tell me.

Ok, so lob on patch.exe and execute it, now run the file manager and get a nice list of all of the files on the system, disconnect NetBus and go over the temp1.dsk file in Notepad. Search for any file with: *.log or *log.txt or just *log*

Locate and annihilate these files, or just alter them a little to keep you safe. Once done, feel free to use NetBus to browse the system and download files, then delete it from the system; you don't want anyone else to exploit that lame little trojan, do you?

Ok, that done, you've wiped out most of the logs. The event logs are the main ones, and depending on how you got in (i.e. buffer overflows to IIS 4.0 or whatever) the IIS log files *might* show your IP etc., so clear them as well. All done? Now let's be happy bunnies and go about the system how you please.

There we go, sorry if this article seems incomplete - it probably is, I lost the rest of the article I did. Anyhow, catch u all l8r.
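The three steps the article relies on (clearing the event logs, moving the system clock, and deleting the daily IIS log files) each leave a trace an administrator can look for, and the best mitigation is to forward event and IIS logs to another host as they are written so that a local wipe does not destroy the only copy. The detection script below is an added example written for this page; it is not code from the article or from any of the tools it names. It assumes a constructed pipe-delimited event export (timestamp|log|event_id|user) rather than any real tool's format, and it uses the Windows Security event IDs 517/1102 ("the audit log was cleared", which is written as the first record of the freshly emptied log) and 520/4616 ("the system time was changed"), plus the IIS 4.0 daily log naming convention exYYMMDD.log. The sample event lines and filenames are constructed for the demonstration.

```python
"""Spot the traces left by log clearing, clock changes and deleted IIS logs.

Added example, not code from the article. The export format below is a
constructed one; the event IDs are the real Windows Security IDs:
  517 / 1102  audit log cleared   (NT4/2000/XP / Vista and later)
  520 / 4616  system time changed (2003/XP     / Vista and later)
"""
from datetime import datetime, timedelta

LOG_CLEARED_IDS = {517, 1102}
TIME_CHANGED_IDS = {520, 4616}

# Constructed sample: a Security-log export in write order. The clock is set
# back after the second record, so later timestamps read earlier than it.
SAMPLE_EVENTS = [
    "1999-09-10T22:01:05|Security|528|Administrator",  # successful logon
    "1999-09-10T22:03:40|Security|520|Administrator",  # system time changed
    "1999-09-10T20:05:12|Security|592|Administrator",  # new process (clock now earlier)
    "1999-09-10T20:06:00|Security|517|Administrator",  # audit log cleared
]

# Constructed sample: what is left in winnt\system32\logfiles\W3SVC1
# after one day's file has been deleted.
SAMPLE_IIS_FILES = ["ex990908.log", "ex990909.log", "ex990911.log"]


def parse_events(lines):
    """Turn constructed 'timestamp|log|event_id|user' lines into dicts."""
    events = []
    for line in lines:
        ts, log, eid, user = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "log": log,
                       "event_id": int(eid), "user": user})
    return events


def detect_event_log_tampering(events):
    """Return alert strings for cleared logs, clock changes and regressions."""
    alerts = []
    prev_ts = None
    for ev in events:
        when = ev["ts"].isoformat()
        if ev["event_id"] in LOG_CLEARED_IDS:
            alerts.append(f"{when} audit log cleared by {ev['user']}")
        if ev["event_id"] in TIME_CHANGED_IDS:
            alerts.append(f"{when} system time changed by {ev['user']}")
        # Records are appended in write order, so a timestamp that goes
        # backwards means the clock was set back between two writes.
        if prev_ts is not None and ev["ts"] < prev_ts:
            alerts.append(f"clock regression: {prev_ts.isoformat()} -> {when}")
        prev_ts = ev["ts"]
    return alerts


def missing_iis_days(filenames):
    """Return ISO dates inside the covered range that have no exYYMMDD.log."""
    present = {datetime.strptime(f[2:8], "%y%m%d").date() for f in filenames}
    missing = []
    day = min(present)
    while day <= max(present):
        if day not in present:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


def run_checks(event_lines=SAMPLE_EVENTS, iis_files=SAMPLE_IIS_FILES):
    """Run both checks and return everything worth raising to an operator."""
    return {
        "event_alerts": detect_event_log_tampering(parse_events(event_lines)),
        "missing_iis_days": missing_iis_days(iis_files),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key)
        for item in value:
            print("  ", item)
```

Note that on the sample data the 517 record survives the clear precisely because it is written into the new, empty log; an attacker who then sets the clock back cannot remove it, only make its timestamp misleading, which is why the monotonicity check is run alongside the ID match. The IIS gap check only finds holes inside the covered range, so it will not notice if the newest file was deleted; comparing the newest local file against the forwarded copy closes that hole.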