Solved

???? VIRUS ON SOLARIS ????

Posted on 1998-07-15
Last Modified: 2013-12-23
Yesterday was the second time that some directories on my netra were deleted !!
I have a network of PCs using pc/tcp, pcnfs and samba to access NetraJ via NFS.

My problem: on 9th of April, and on 14th July, several directories whose names start with F, A, E (FrAncE) were deleted.
Does anybody know about some virus on Solaris and/or PC that does such a thing ?

lucix

p.s. I have firewall first installed on my netra !!
0
9 Comments
 
LVL 5

Expert Comment

by:n0thing
ID: 1583005
There's not really such a thing as a virus on Solaris. In your case, someone must have the permission to delete those files on your Netra. Either your NFS permissions were not set properly, someone hacked your machine, or the permissions of the files are not set properly. A firewall is only as good as the security of the machine it sits on; it won't help to protect your NFS exported partition. There are a few bugs and holes in NFS and the rpc calls. A firewall machine must not export any NFS filesystem. On the other side, if you export your NFS partition to the PCs as read/write, anyone could delete anything on it: a person, a program, a virus ...

Regards,
Minh Lai
0
 

Author Comment

by:lba
ID: 1583006
Even if the users have any permissions on nfs, I don't think that
they delete some files or directories.
So, if there are no viruses, how can I verify if there is a hacker inside my company ? * WE ARE ONLY 30 USERS.




0
 
LVL 5

Expert Comment

by:n0thing
ID: 1583007
If you are sure that no one in your co. made a mistake by deleting some files, then the only other explanation is a dumb hacker on your machine, because he is dumb enough to delete some files and raise your suspicion. One way to check is using the
command "last" to see who last logged on to your machine. However he might have erased all his traces on your machine. If you lack experience in security issues and networks, I would suggest you hire a professional. Your first basic check may be some basic system files like inetd.conf, /etc/passwd, ...

   And for the reason of rejecting my answer, I thought my answer was direct enough ("There is no such thing as a virus on Solaris") and even gave you the details of what might have happened. Could you tell me which part of my answer doesn't answer your question directly ??

Regards,
Minh Lai
0
 

Author Comment

by:lba
ID: 1583008
The file inetd.conf has not been changed since the installation in May 97.
Passwd was changed due to new users.
The command last gives you only info about users that make FTP or TELNET,
not users that connect via nfs or samba.

Luciano
0
 
LVL 1

Accepted Solution

by: ksb (earned 150 total points)
ID: 1583009
I doubt it was a UNIX Virus.  I am the dude that stopped the last Internet worm (the Morris one).  It is likely the case that some host that can use NFS (or SMB) access to the files deleted them by mistake from their desktop.

A sorted list of the directory would have "A"-"F" at the start and an interrupted delete operation might have stopped at F.

This sounds like smoke "no users that connect via nfs or samba", why enable the service if nobody uses it?  How can you be sure? Are you looking at an xtab that is rotated weekly?

I hope you have a good ufsdump of the host...

0
 
LVL 1

Expert Comment

by:ksb
ID: 1583010
This is really directed at n0thing -- because he claimed "There is no such thing as a virus on Solaris"

There are UNIX virus and worm programs.  They are very rare, but the Morris worm and the make virus both exist.  These don't always start at boot time (nor do all PC virus programs).

Not one of these will selectively delete files.  Even the old uux worm took great pains to be invisible to the admin and the user.

Postscript printers can even get attacked...
0
 

Author Comment

by:lba
ID: 1583011
Yes I have a good dump (ufsdump), but how can I be sure that those directories will not be deleted again ?

lba
0
 

Author Comment

by:lba
ID: 1583012
Yes I ha ve a good dump (ufsdump), but how can I be sure that those directories will not be deleted again ?

lba
0
 

Expert Comment

by:obkb
ID: 1583013
There's a checklist of things to look for if you suspect a break in over at www.cert.org or one of the various mirror sites for the CERT team.

The most recent rash of attacks has been the named exploits, for which vendor patches are not universally available (I think one big blue three letter company was quick to respond with a patch but that's about it).

One telltale trace is that the overflow style of the attack tends to cause the in.named process to core dump, so you'll find a core file named /var/named/core; if you do a "strings /var/named/core | grep passwd" you may find a line referencing the /etc/passwd file. Since it's highly unlikely that there would be a machine named /etc/passwd, chances are a hacker was trying to overflow named with something to edit the passwd file. Other things to look for would be the various shells (/bin/sh, /bin/csh, /bin/ksh etc.) and invocations of xterm (particularly with the -display option).

We've been getting these attacks for quite a few months now. Of course, we've taken the usual chroot preventative measures to make the attacks pointless from the hacker's point of view, and we correlate log entries from our firewall to each incident, but the hackers hack from other sites that they've hacked, so except for one case where we caught them doing it from their ISP, all we've managed is to inform other sites that they've been hacked. Problem is that it's easier for the many hackers out there to add to your frustration level than it is for our shutting down their access points to add to their frustration level. On the plus side, the generally high frustration levels of sysadmins translate into high salaries for us, whereas the hackers get pizza and cokes for their midnight efforts, if that's any consolation (I kinda like my memories of pizza and coke by a terminal when I was a teen).

If you ever get your machine to a state that you're happy with, think about running tripwire to build a database of all the system files and their checksums. Also arrange an alternate boot scenario (diskless boot or offline boot disk) or an emergency tool kit, because hackers now deploy root kits, which are just a tar of common tools like ls, find, diff, and sum which serve their purposes, not yours (pretty hard to use those commands to find hackers if they keep lying to you). The reason why these techniques are so prevalent is that various idiots distribute them on the web; most hackers really don't have the brains to rewrite the tools themselves in a convincing manner, but they know how to download them from the web.

0
