Things to do after access
I think in this paper we have covered most of the things you can do after access, so I will make this in the style of a checklist from a to z.
a. learn who the admins are on the system
b. watch the system with ps -auxe and ps -auxef (if it works) and pstree to try and keep track of what others are doing
c. read all of the bash history files or any history files you can find on the machine to learn more yourself, and to learn about the users
d. make as many backdoors into the system as you can that you are sure will not be found out
e. keep the access to yourself, don't give out users' passwords on the machine you get root on.
f. always clean your utmp and wtmp right away when you login
g. always clean your mess as you go along, this includes your xferlog and messages
h. if you have root access make sure to read /etc/syslog.conf and /etc/login.defs to see how the system is logging
i. before changing binary files look at the root cron to see what they are running.
j. look for md5 on the system
k. look for separate ftp logs
l. make sure to clean the www logs if you ever send phf commands to the server
m. make an suid root shell and place it somewhere on the system
n. do only what you are sure of, don't do everything in this hacking manual all at once or you are asking to get caught
o. only use nested directories, do not put files into user directories where all they need to do is type ls to see them
p. don't add user accounts and think they will not notice you.
q. don't use pine or other mail programs to read users' mail. if you want to read mail go to the mail dir and read it from unix; new mail you will find in /var/spool/mail, read it there.
r. don't change the system so that other programs they have running will not work any more, they will be on you like flies on shit
s. don't delete files on the system unless you put them there
t. do not modify their web pages, like "i was here" ... you are not a hacker, you are a little kid wanting attention
u. do not change any passwords on the system (unless you are doing it for access and have backed up the passwd file and replace it right after you login)
v. do not use any root account machines for irc access, or to load a bot on
w. if your root account changes or you create files that are owned by the wrong group, be sure to chown the files
x. do not use .rhosts if there is already one there that is being used
y. never telnet or ftp to your account from the hacked box
z. don't fuck up their machine! only do what you know how to do.
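Item f (cleaning utmp and wtmp) is the one an administrator can most readily check from the other side, because a wiped wtmp leaves a shape that a normal login sequence never produces. The following is an added defender-side example, not code from this manual or from any particular tool: a Python parser for wtmp in the 384-byte glibc `struct utmp` layout used on 64-bit Linux (an assumption; 32-bit layouts differ) that flags all-zero records, login records whose user, tty or timestamp was blanked, logouts with no matching login, and timestamps that run backwards. The sample records, user names, ttys, hosts and times are constructed for the example.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Layout of glibc's 384-byte `struct utmp` on 64-bit Linux (assumption: this
# is the layout of the wtmp you are reading; confirm with the file size).
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(h,h) ut_session(i) ut_tv(i,i) ut_addr_v6(4i) unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


@dataclass
class WtmpRecord:
    index: int
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    time: int        # ut_tv.tv_sec
    all_zero: bool   # the entire 384-byte block was zero


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_record(ut_type: int, pid: int, line: str, user: str,
                host: str, time: int) -> bytes:
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, time, 0,
                       0, 0, 0, 0)


def parse_wtmp(data: bytes) -> list[WtmpRecord]:
    """Split a raw wtmp image into records."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d" % UTMP_SIZE)
    records = []
    for idx in range(len(data) // UTMP_SIZE):
        chunk = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append(WtmpRecord(idx, f[0], f[1], _cstr(f[2]), _cstr(f[4]),
                                  _cstr(f[5]), f[9],
                                  chunk == b"\0" * UTMP_SIZE))
    return records


def find_wiped_records(records: list[WtmpRecord]) -> list[tuple[int, str]]:
    """Heuristics for entries that a log cleaner has zeroed or orphaned."""
    findings: list[tuple[int, str]] = []
    open_lines: set[str] = set()   # ttys with a login not yet logged out
    last_time = 0
    for r in records:
        if r.all_zero:
            # login(1) never appends an EMPTY block; a zeroed block inside
            # the file is the footprint of an entry overwritten with zeros.
            findings.append((r.index, "all-zero record"))
            continue
        if r.ut_type == USER_PROCESS:
            if not r.user or not r.line or r.time == 0:
                findings.append((r.index, "login with blanked user/line/time"))
            open_lines.add(r.line)
        elif r.ut_type == DEAD_PROCESS:
            if r.line and r.line not in open_lines:
                findings.append((r.index, f"logout on {r.line} with no login"))
            open_lines.discard(r.line)
        elif r.ut_type == BOOT_TIME:
            open_lines.clear()     # a reboot ends every session
        if r.time and r.time < last_time:
            findings.append((r.index, "timestamp earlier than previous record"))
        if r.time:
            last_time = r.time
    return findings


def audit_wtmp_file(path: str = "/var/log/wtmp") -> list[tuple[int, str]]:
    """Run the heuristics over a wtmp file on disk."""
    with open(path, "rb") as fh:
        return find_wiped_records(parse_wtmp(fh.read()))


# Constructed sample: a reboot, alice logs in, a zeroed block where a second
# login used to be, the orphaned logout of that session, alice's logout, and
# a login record whose user name was blanked. Names and times are invented.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", 1000),
    pack_record(USER_PROCESS, 101, "pts/0", "alice", "10.0.0.5", 1100),
    b"\0" * UTMP_SIZE,
    pack_record(DEAD_PROCESS, 102, "pts/1", "", "", 1300),
    pack_record(DEAD_PROCESS, 101, "pts/0", "", "", 1400),
    pack_record(USER_PROCESS, 103, "pts/2", "", "10.0.0.9", 1500),
])

if __name__ == "__main__":
    for idx, why in find_wiped_records(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {why}")
```

Run against the constructed sample it reports records 2, 3 and 5. On a real host, `audit_wtmp_file()` needs read access to /var/log/wtmp, and two benign sources of noise should be expected: a logout whose login landed in the previous rotated wtmp will show as an orphan, and a clock correction can make one timestamp run backwards. Anything else, and in particular an all-zero block, is worth comparing against the sshd or login entries in the syslog files item h tells the intruder to study.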