Solved

???? VIRUS ON SOLARIS ????

Posted on 1998-07-15
9
526 Views
Last Modified: 2013-12-23
Yesterday was the second time that some directories on my netra were deleted !!
I have a network of PCs using pc/tcp, pcnfs and samba to access NetraJ via NFS.

My problem: on the 9th of April, and on the 14th of July, several directories whose names start with F, A, E (FrAncE) were deleted.
Does anybody know about some virus on Solaris and/or PC that does such a thing ?

lucix

p.s. I have a firewall installed first on my netra !!
Question by:lba
9 Comments
 
LVL 5

Expert Comment

by:n0thing
ID: 1583005
There's not really any such thing as a virus on Solaris. In your case, someone must have the permission to delete those files on your Netra. Either your NFS permissions were not set properly, someone hacked your machine, or the permissions of the files are not set properly. A firewall is as good as the security of the machine it sits on, and won't help to protect your NFS exported partition. There are a few bugs and holes in NFS and rpc calls. A firewall machine must not export any NFS filesystem. On the other side, if you export your NFS partition to the PC as read/write, anyone could delete anything on it: a person, a program, a virus ...

Regards,
Minh Lai
0
 

Author Comment

by:lba
ID: 1583006
Even if the users have any permissions on nfs, I don't think that
they delete some files or directories.
So, if there is no virus, how can I verify if there is a hacker inside my company? We are only 30 users.




0
 
LVL 5

Expert Comment

by:n0thing
ID: 1583007
If you are sure that no one in your co. makes a mistake by deleting some files, then the only other solution is a dumb hacker on your machine, because he is dumb enough to delete some files and reveal himself to your suspicion. One way to check is using the command "last" to see who last logged on your machine. However, he might have erased all his traces on your machine. If you lack experience in security issues and network, I would suggest you hire a professional. Your first basic check may be some basic system files like inetd.conf, /etc/passwd, ...

   And for the reason of rejecting my answer, I thought my answer was direct enough ("There is no such thing as a virus on Solaris") and even gave you the details of what might have happened. Could you tell me which part of my answer doesn't answer your question directly ??

Regards,
Minh Lai
0
 

Author Comment

by:lba
ID: 1583008
The file inetd.conf was not changed since the installation in May 97.
Passwd was changed due to new users.
The command last gives you only info about users that use FTP or TELNET,
not users that connect via nfs or samba.

Luciano
0
 
LVL 1

Accepted Solution

by:
ksb earned 150 total points
ID: 1583009
I doubt it was a UNIX Virus. I am the dude that stopped the last Internet worm (the Morris one). It is likely the case that some host that can use NFS (or SMB) access to the files deleted them by mistake from their desktop.

A sorted list of the directory would have "A"-"F" at the start and an interrupted delete operation might have stopped at F.

This sounds like smoke: "no users that connect via nfs or samba" -- why enable the service if nobody uses it? How can you be sure? Are you looking at an xtab that is rotated weekly?

I hope you have a good ufsdump of the host...

0
 
LVL 1

Expert Comment

by:ksb
ID: 1583010
This is really directed at n0thing -- because he claimed "There is no such thing as a virus on Solaris"

There are UNIX virus and worm programs.  They are very rare, but the Morris worm and the make virus both exist.  These don't always start at boot time (nor do all PC virus programs).

Not one of these will selectively delete files.  Even the old uux worm took great pains to be invisible to the admin and the user.

Postscript printers can even get attacked...
0
 

Author Comment

by:lba
ID: 1583011
Yes I have a good dump (ufsdump), but how can I be sure that those directories will not be deleted again ?

lba
0
 

Expert Comment

by:obkb
ID: 1583013
There's a checklist of things to look for if you suspect a break in over at www.cert.org or one of the various mirror sites for the CERT team.

The most recent rash of attacks has been the named exploits for which vendor patches are not universally available (I think one big blue three letter company was quick to respond with a patch but that's about it).

One telltale trace is that the overflow style of the attack tends to cause the in.named process to core dump, so you'll find a core file named /var/named/core. If you do a "strings /var/named/core | grep passwd" you may find a line referencing the /etc/passwd file. Since it's highly unlikely that there would be a machine named /etc/passwd, chances are a hacker was trying to overflow named with something to edit the passwd file. Other things to look for would be the various shells (/bin/sh, /bin/csh, /bin/ksh etc.) and invocations of xterm (particularly with the -display option).

We've been getting these attacks for quite a few months now. Of course, we've taken the usual chroot preventative measures to make the attacks pointless from the hackers' point of view, and we correlate log entries from our firewall to each incident, but the hackers hack from other sites that they've hacked, so except for one case where we caught them doing it from their ISP, all we've managed is to inform other sites that they've been hacked. Problem is that it's easier for the many hackers out there to add to your frustration level than it is for our shutting down their access points to add to their frustration level. On the plus side, the generally high frustration levels of sysadmins translate into high salaries for us, whereas the hackers get pizza and cokes for their midnight efforts, if that's any consolation (I kinda like my memories of pizza and coke by a terminal when I was a teen).

If you ever get your machine to a state that you're happy with, think about running tripwire to build a database of all the system files and their checksums. Also arrange an alternate boot scenario (diskless boot or offline boot disk) or an emergency tool kit, because hackers now deploy root kits, which are just a tar of common tools like ls, find, diff, and sum which serve their purposes, not yours (pretty hard to use those commands to find hackers if they keep lying to you). The reason why these techniques are so prevalent is that various idiots distribute them on the web; most hackers really don't have the brains to rewrite the tools themselves in a convincing manner, but they know how to download them from the web.

0
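A minimal version of the tripwire-style checksum database obkb recommends (and of the "how can you be sure?" question ksb raises), as an added example that is not from this thread or from tripwire itself: it records a hash of every file under a directory from a known-good state and later reports files that changed, vanished, or appeared. The function names make_baseline and check_baseline are this example's own, and it assumes sha256sum (GNU) or shasum (BSD/Perl) is installed.

```shell
#!/bin/sh
# Added example (not from this thread): a tripwire-style checksum baseline.
# Record a hash for every regular file under a directory once the machine is
# in a known-good state, then re-run later to spot replaced binaries (root kit
# copies of ls, find, sum ...) or files that have gone missing.
# Assumes sha256sum (GNU coreutils) or shasum (Perl/BSD) is available.

hash_file() {
    # Both tools print "<64 hex chars>  <path>"
    sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"
}

# make_baseline DIR OUTFILE: one "hash  path" line per regular file, sorted
make_baseline() {
    find "$1" -type f -print | sort | while read -r f; do
        hash_file "$f"
    done > "$2"
}

# check_baseline DIR BASEFILE: print CHANGED / MISSING / NEW lines;
# return 0 when the tree still matches the baseline, 1 otherwise
check_baseline() {
    cur=$(mktemp) || return 2
    make_baseline "$1" "$cur"
    # Field 1 is the hash; the path starts at column 67 (64 hex + 2 spaces),
    # so paths containing spaces survive intact.
    if awk 'BEGIN { bad = 0 }
            FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
            { now[substr($0, 67)] = $1 }
            END {
                for (p in base) {
                    if (!(p in now))            { print "MISSING " p; bad = 1 }
                    else if (base[p] != now[p]) { print "CHANGED " p; bad = 1 }
                }
                for (p in now) if (!(p in base)) { print "NEW " p; bad = 1 }
                exit bad
            }' "$2" "$cur"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cur"
    return $rc
}
```

Keep the baseline file off the monitored host (or on read-only media), since a root kit that can rewrite ls can rewrite a local baseline just as easily.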
