Inside, I found out that this is a workstation, full of personal files to the user. Not of much use to me, although I saved some accounts/passwords for usable websites (thanks to saved passwords in ~/.mozilla/). I don't want to ruin this guys life in any way, so Facebook accounts etc doesn't interest me.
Now, as root, I want to make sure this box will be available to me in the future, for various purposes. Unfortunately it was obvious to me that this guy shuts down the computer at night, and he has a public dynamic IP.
- First off, I anonymously registered an account at no-ip.org, and installed a daemon which updates the DNS-records whenever the IP changes. This enables me to at least reach his box, as long as he's not suddenly behind a firewall.
- I setup a new account with a generic name (such as "ptd") and sudo privileges, and placed the home directory under /var/spool/<username> to ensure it's at least a bit more hidden.
- I deleted all logs which witnessed on my activities, and replaced them with symlinks to /dev/null, to make sure that nothing was saved in the logs when/if he discovers I'm connected.
- I renamed and moved the "/usr/bin/who"-application to "/usr/sbin/wat", so I can see him when he's logged in, while not letting him see me. My hostname shows up with that script. Is there any other way to disable that without replacing the program with a fake one compiled from scratch? Is my hostname visible anywhere else? /var/log/lastlog points to /dev/null, as well as /var/log/auth.log.
- I installed an FTPd which can enable me to access files, or store files on his box.
- A polipo proxy was added, to get me another way of accessing the internet "anonymously". I'm thinking about installing OpenVPN instead...
- I also installed a keylogger which logs all physical keystrokes into a stealth file, available for me by SSH or FTP.
So, what have I missed? Any tips would be great, since I'm not very experienced in being stealth online. Of course I did all this from a WiFi-network which isn't mine, and I spoofed my MAC-address beforehand.