HP3000-L Archives

July 2002, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Tom Emerson
Reply To: Tom Emerson
Date: Wed, 24 Jul 2002 19:19:52 -0700
Content-Type: text/plain

> -----Original Message-----
> From: Art Bahrs
>
>    Question #1:
>    Other than access, modify and creation dates changing... is it
> possible to "sanitize" logfiles on a 3k to remove a record of your
> logging on?

Depending on your goal as a "hacker", the simplest method would be to PURGE
the logfiles entirely -- nothing could be more "sanitized" as the HP doesn't
have the ability to "unpurge" a file [well, I suppose at a
high-dollar-rate-per-hour you could find someone skillful enough to do so,
but this presupposes that you, as an "admin", have shut down the system
shortly after the perp has purged the logs so that no other disc writes have
clobbered the now-free disc sectors...]

Admittedly, purging the logfiles in total does raise an alarm that
"something" happened, but in most cases this will go undetected for hours
[even days] so the above "recreate" scenario is unlikely at best...

The next step would be to re-write the logfile(s) in total having filtered
out the appropriate records.  If a hacker is skillful enough to understand
the logfile format well enough to recreate such a file, there is a good
possibility that they could call the appropriate system intrinsics that
would write the files without "touching" the dates  [of course, you COULD
also log FOPEN/FCLOSES, which would be harder to "cover up"]

Another possibility as a "hacker" would be to re-write those portions of the
logon records that indicate "you" were the one with information that
"someone else" did the logon.  While the records are variable in length, the
fields within a given record type are fixed and can easily be overwritten.
(note that you generally don't need to re-write the logoff records because
they don't contain information on WHO the person was -- they simply contain
the session number which corresponds to the logon record...)  In-place
re-writes such as this might be accomplished with a disk editor, which would
also avoid "touching" the file access/modify dates.

>    Question #2:
>    Is it possible to FTP, Telnet or otherwise interact with the POSIX
> side of a 3k while leaving no console log traces?

Do you mean CONSOLE messages only, or entries in LOG#####.PUB.SYS?  I'll
presume the latter since processes like http do not create "console"
messages whenever someone requests a web page...

There are a lot of things that can be logged; logging FOPEN/FCLOSE will show
all access to the system, including access to "posix" files [like the shell,
for instance...] so I don't think you can universally say "no log traces",
but you can if you know what a particular site "logs".  Also, http, SMB, or
any other "daemon" process that you have set up as a "server" won't
necessarily create a SYSTEM log entry because they don't actively create a
"session" (they may create an APPLICATION log entry, which is just one more
area a "hacker" needs to cover...)

Finally, of course, as an "admin" you could log the console to hardcopy --
makes it rather difficult for an electronic-intruder to destroy or alter
those...
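The remark above that logoff records carry only a session number pointing back at the logon record suggests a defender's cross-check: logoffs whose logon record has vanished, session numbers missing from the middle of the range, or the same session number claimed by two logon records are all signs that the logon records were purged or rewritten in place. This is an added example, not code from the original post or from HP; the record layout is a constructed stand-in, not the real LOG#####.PUB.SYS format.

```python
from collections import Counter

# Constructed sample in a made-up layout: "LOGON <session> <user>" / "LOGOFF <session>".
# Simulated tampering: session 1044's logon line has been removed, session 1042's
# logon line has been overwritten with a second user, and session 1045 is gone entirely.
SAMPLE_LOG = """\
LOGON 1041 MGR.SYS
LOGOFF 1041
LOGON 1042 OPERATOR.SYS
LOGON 1042 CLERK.PAYROLL
LOGON 1043 CLERK.PAYROLL
LOGOFF 1042
LOGOFF 1043
LOGOFF 1044
LOGON 1046 MGR.SYS
"""

def parse(text):
    """Return ([(session, user), ...] for logons, [session, ...] for logoffs)."""
    logons, logoffs = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "LOGON":
            logons.append((int(parts[1]), parts[2]))
        elif len(parts) == 2 and parts[0] == "LOGOFF":
            logoffs.append(int(parts[1]))
    return logons, logoffs

def audit(text):
    """Cross-check logon and logoff records; every finding is a session number."""
    logons, logoffs = parse(text)
    logon_count = Counter(session for session, _ in logons)
    seen = set(logon_count) | set(logoffs)
    return {
        # a logoff whose logon record is gone: the logon was purged or its number rewritten
        "orphan_logoffs": sorted(s for s in set(logoffs) if s not in logon_count),
        # session numbers absent from the middle of the range: whole sessions dropped
        "session_gaps": [s for s in range(min(seen), max(seen) + 1) if s not in seen],
        # two logon records claiming one session number: an overwritten logon field
        "duplicate_logons": sorted(s for s, n in logon_count.items() if n > 1),
    }

if __name__ == "__main__":
    for finding, sessions in audit(SAMPLE_LOG).items():
        print(f"{finding}: {sessions}")
```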
