Clear the Logs & History on Linux Systems to Delete All Traces You Were There [Tutorial]

April 16, 2021 by 26 Comments

Get Our Premium Ethical Hacking Bundle (90% Off):

How to Wipe All Proof You Were in a Linux System
Full Tutorial:
Subscribe to Null Byte:
Nick’s Twitter:

Cyber Weapons Lab, Episode 216

When somebody’s computer is compromised, the hacker gains almost full control over that computer, allowing them to set up payloads such as reverse persistent shells or keystroke duplicators. However, when the hacker is setting up their payloads, they can leave behind traces that they were there. This evidence takes form in the Bash command history or the files they leave behind that were needed to set up the payload.

If the hacker was smart, they would delete the command history and any files that are not necessarily to make the payload work. Doing so will decrease the chance that the
hacker will get caught and will increase the chance that the payload is effective.

In this episode of Cyber Weapons Lab, we’ll be going over drd_’s article on Null Byte to see how a hacker would go about wiping their tracks. Knowing this will help you drill down to information the hacker may have missed during advanced digital forensics.

To learn more, check out drd_’s full article on Null Byte:

Follow Null Byte on:


26 Replies to “Clear the Logs & History on Linux Systems to Delete All Traces You Were There [Tutorial]”

  1. Bro plz contact me

  2. Deniz Koc says:

    the most crucial step of pentest is also covering tracks glad you made a video about it

  3. You guys are Great. I was wondering this morning how to clear the history,but I forgot about it. And now here it is. Thank you

  4. PK YT says:

    Bro how to hack target fb account plz bro

  5. SamuelX says:

    Good stuff but if i will have my hids system there i will know what was changed and will be alerted.

  6. Random says:

    so the whole video is about "sudo rm -r /var/log/*" ???

  7. i have cueshn for yuo can yuo hak pobg mobile?😢😢

  8. Bro, bro bro. Bro bro bro. Bro. Bro.

  9. the hardest part is finding a vulnerability allowing access into a machine

  10. taoriq says:

    Do you guys offer classes for beginners I am interested in cyber security and but I do not know any reputable sources that can be of help if you guys can help I would really appreciate it
    Thank you

  11. video is good yess yess
    but can this be elaborated for beginners that are kinda new know maybe not as much as you but a little about penetesting that they can get around the system without a problem?

  12. Suddenly all logs are lost from my server. Not suspicious at all..

  13. pi-duino says:

    GET RID OF OF THAT SH*TTY MUSIC!!!!!!!!!!!!!!!! SOUNDS LIKE SOMEONE IS DYING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  14. Nehan A says:

    Can you please make a Discord server

  15. type a space before the command to stop it being recorded in history

  16. Θάνος says:

    Why is this even uploaded? It feels like this is a draft edit that is going to be edited in order to be uploaded. The sound is awful at some points and I feel like the presenter does not even know the basic Linux commands and permissions.
    For 2 minutes he is trying to delete the auth.log without explaining what he is doing wrong or what he finally did to delete it. Linux is kind enough to show to you that the user you are logged in (sandbox) is not a member of the sudo group, so he cannot execute commands as sudo, but you keep ignoring it.
    I mean its OK to not know what you are doing, but if you are going to make a video about it, I think you should be more careful.

  17. Nuke Shooter says:

    You guys aren't considering a SIEM proxy

  18. Yeah so you compromise the machine ~~ and then ~~ YOU DELETE THE HISTORY AND EVERYONE KNOWS YOU WERE THERE BECAUSE THE MISSING HISTORY IS PROOF OF IT… but yeah, if you only care about not getting caught that MIGHT work.

  19. Chanelle says:

    Does this work on chromebook?

  20. Finneshim says:

    Removing or zeroing out logs can be just as suspicious as leaving them in the firsr place and can trigger incident response measures. Alternatively, you can copy log files and directories on entry, perform minimal alterations to remove the copy commands, and then replace the log files with the copies when you're done. This can also all be easily scripted for entry and exit commands