???? VIRUS ON SOLARIS ????

Posted on 1998-07-15
Last Modified: 2013-12-23
Yesterday was the second time that some directories on my Netra were deleted!!
I have a network of PCs using PC/TCP, PC-NFS and Samba to access the NetraJ via NFS.

My problem: on the 9th of April and on the 14th of July, several directories whose names start with F, A, E (FrAncE) were deleted.
Does anybody know about some virus on Solaris and/or PC that does such a thing?

lucix

p.s. I have the firewall installed first on my Netra!!
Question by:lba
9 Comments
 
LVL 5

Expert Comment

by:n0thing
ID: 1583005
There's not really such a thing as a virus on Solaris. In your case, someone must have had the permission to delete those files on your Netra. Either your NFS permissions were not set properly, someone hacked your machine, or the permissions of the files are not set properly. A firewall is only as good as the security of the machine it sits on; it won't help protect your NFS-exported partition. There are a few bugs and holes in NFS and the RPC calls. A firewall machine must not export any NFS filesystem. On the other side, if you export your NFS partition to the PCs as read/write, anyone could delete anything on it: a person, a program, a virus...

Regards,
Minh Lai
0
 

Author Comment

by:lba
ID: 1583006
Even if the users have any permissions on NFS, I don't think that they deleted some files or directories.
So, if there are no viruses, how can I verify if there is a hacker inside my company? We are only 30 users.

0
 
LVL 5

Expert Comment

by:n0thing
ID: 1583007
If you are sure that no one in your company made a mistake by deleting some files, then the only other explanation is a dumb hacker on your machine, because he is dumb enough to delete some files and arouse your suspicion. One way to check is using the command "last" to see who last logged on to your machine. However, he might have erased all his traces on your machine. If you lack experience in security issues and networks, I would suggest you hire a professional. Your first basic check may be some basic system files like inetd.conf, /etc/passwd, ...

   And as for the reason for rejecting my answer, I thought my answer was direct enough ("There is no such thing as a virus on Solaris") and I even gave you the details of what might have happened. Could you tell me which part of my answer doesn't answer your question directly??

Regards,
Minh Lai
0

Author Comment

by:lba
ID: 1583008
The file inetd.conf has not been changed since the installation in May 97.
passwd was changed due to new users.
The command last gives you only info about users that make FTP or TELNET connections,
not users that connect via NFS or Samba.

Luciano
0
 
LVL 1

Accepted Solution

by:
ksb earned 300 total points
ID: 1583009
I doubt it was a UNIX virus.  I am the dude that stopped the last Internet worm (the Morris one).  It is likely the case that some host that has NFS (or SMB) access to the files deleted them by mistake from its desktop.

A sorted list of the directory would have "A"-"F" at the start, and an interrupted delete operation might have stopped at F.

This sounds like smoke: "no users that connect via nfs or samba". Why enable the service if nobody uses it?  How can you be sure? Are you looking at an xtab that is rotated weekly?

I hope you have a good ufsdump of the host...

0
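n0thing's warning about a share exported read/write to everyone and ksb's question about who actually mounts it both come down to two files on the Netra. The script below is an added example, not anything posted in the thread. It assumes the Solaris file formats stated in its comments (the five tab-separated sharetab fields, and rmtab's '#' prefix on stale entries) and uses constructed sample data in place of the real /etc/dfs/sharetab and /etc/rmtab; on a live host, `share` and `showmount -a` read the same information.

```shell
#!/bin/sh
# Added example, not from the thread: audit which NFS shares let any client
# delete files, and which clients actually have them mounted.
# Assumed file formats: Solaris /etc/dfs/sharetab has five tab-separated fields
# (path resource fstype options description); /etc/rmtab has one
# "client:/path" line per mount, with stale entries prefixed by '#'.

# risky_shares SHARETAB: print "path<TAB>options" for every nfs share whose
# options grant rw to all clients (a bare "rw" with no =hostlist) or keep
# root as uid 0 (anon=0). Either lets any PC that can mount it delete files.
risky_shares() {
    awk -F'\t' '
        $3 != "nfs" { next }
        {
            n = split($4, opt, ",")
            risky = 0
            for (i = 1; i <= n; i++) if (opt[i] == "rw" || opt[i] == "anon=0") risky = 1
            if (risky) print $1 "\t" $4
        }' "$1"
}

# mounted_clients RMTAB: distinct hosts with a current (uncommented) mount, sorted.
mounted_clients() {
    grep -v '^#' "$1" | cut -d: -f1 | sort -u
}

# Constructed sample data standing in for the real files.
SAMPLE=$(mktemp -d)
printf '/export/home\t-\tnfs\trw\tPC home dirs\n'              >  "$SAMPLE/sharetab"
printf '/export/proj\t-\tnfs\trw=pc1:pc2,ro\tproject tree\n'  >> "$SAMPLE/sharetab"
printf '/export/pub\t-\tnfs\tro,anon=0\tpublic files\n'        >> "$SAMPLE/sharetab"
printf 'pc1:/export/home\n#pc2:/export/home\npc3:/export/proj\npc1:/export/proj\n' > "$SAMPLE/rmtab"

echo "Shares any client can write to or get root on:"
risky_shares "$SAMPLE/sharetab"
echo "Clients that currently have something mounted:"
mounted_clients "$SAMPLE/rmtab"
```

On the sample, /export/home (bare rw) and /export/pub (anon=0) are flagged while /export/proj, which restricts rw to two named hosts, is not; pc2 is dropped from the client list because its entry is the commented-out, stale kind. A share that turns up in the first list and a client that turns up in the second together give the set of PCs from which an accidental or malicious `rm -r F*` could have come.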
 
LVL 1

Expert Comment

by:ksb
ID: 1583010
This is really directed at n0thing, because he claimed "There is no such thing as a virus on Solaris".

There are UNIX viruses and worm programs.  They are very rare, but the Morris worm and the make virus both exist.  These don't always start at boot time (nor do all PC virus programs).

Not one of these will selectively delete files.  Even the old uux worm took great pains to be invisible to the admin and the user.

PostScript printers can even get attacked...
0
 

Author Comment

by:lba
ID: 1583011
Yes I ha ve a good dump (ufsdump), but how can I be sure that those directories will not be deleted again ?

lba
0

Expert Comment

by:obkb
ID: 1583013
There's a checklist of things to look for if you suspect a break-in over at www.cert.org or one of the various mirror sites for the CERT team.

The most recent rash of attacks has been the named exploits, for which vendor patches are not universally available (I think one big blue three-letter company was quick to respond with a patch, but that's about it).

One telltale trace is that the overflow style of attack tends to cause the in.named process to core dump, so you'll find a core file named /var/named/core. If you do a "strings /var/named/core | grep passwd" you may find a line referencing the /etc/passwd file. Since it's highly unlikely that there would be a machine named /etc/passwd, chances are a hacker was trying to overflow named with something to edit the passwd file. Other things to look for would be the various shells (/bin/sh, /bin/csh, /bin/ksh etc.) and invocations of xterm (particularly with the -display option).

We've been getting these attacks for quite a few months now. Of course, we've taken the usual chroot preventative measures to make the attacks pointless from the hacker's point of view, and we correlate log entries from our firewall to each incident, but the hackers hack from other sites that they've hacked, so except for one case where we caught them doing it from their ISP, all we've managed is to inform other sites that they've been hacked. The problem is that it's easier for the many hackers out there to add to your frustration level than it is for our shutting down their access points to add to their frustration level. On the plus side, the generally high frustration levels of sysadmins translate into high salaries for us, whereas the hackers get pizza and cokes for their midnight efforts, if that's any consolation (I kinda like my memories of pizza and coke by a terminal when I was a teen).

If you ever get your machine to a state that you're happy with, think about running tripwire to build a database of all the system files and their checksums. Also arrange an alternate boot scenario (diskless boot or offline boot disk) or an emergency tool kit, because hackers now deploy root kits, which are just a tar of common tools like ls, find, diff, and sum that serve their purposes, not yours (pretty hard to use those commands to find hackers if they keep lying to you). The reason why these techniques are so prevalent is that various idiots distribute them on the web; most hackers really don't have the brains to rewrite the tools themselves in a convincing manner, but they know how to download them from the web.

0
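obkb's tripwire suggestion, as an added example that is not part of his comment or of the tripwire project: a small baseline-and-verify script that records a digest and mode for every file under a tree and later reports what was added, changed or removed. It assumes `sha256sum` or `openssl` is on the PATH (Solaris would use `digest -a sha256`) and that no path under the tree contains whitespace; the tree it checks is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline in the
# spirit of tripwire. Assumptions: sha256sum or openssl is available, and no
# path under the tree contains whitespace (the record format is "digest mode path").
# As obkb says, run it from a trusted toolkit or an alternate boot: a rootkit's
# replaced ls/find/sum would lie to a baseline taken with the host's own tools.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# baseline DIR: one line per regular file, "digest mode path", sorted by path.
baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done
}

# verify DIR BASELINE: print an ADDED/CHANGED/MODE/REMOVED line for every
# difference between the tree now and the saved baseline; return 1 if any.
verify() {
    now=$(mktemp)
    baseline "$1" > "$now"
    awk '
        FILENAME == ARGV[1] { oh[$3] = $1; om[$3] = $2; next }
        {
            seen[$3] = 1
            if (!($3 in oh))       { print "ADDED   " $3; d++ }
            else if (oh[$3] != $1) { print "CHANGED " $3; d++ }
            else if (om[$3] != $2) { print "MODE    " $3; d++ }
        }
        END {
            for (p in oh) if (!(p in seen)) { print "REMOVED " p; d++ }
            exit (d ? 1 : 0)
        }' "$2" "$now" && rc=0 || rc=1
    rm -f "$now"
    return $rc
}

# Demo on a constructed tree: take a baseline, then tamper with the tree.
TREE=$(mktemp -d)
mkdir -p "$TREE/bin" "$TREE/etc"
printf 'ls binary\n'    > "$TREE/bin/ls"
printf 'inetd config\n' > "$TREE/etc/inetd.conf"
baseline "$TREE" > "$TREE.base"
printf 'backdoor\n' >> "$TREE/bin/ls"      # trojaned binary -> CHANGED
rm "$TREE/etc/inetd.conf"                  # deleted file    -> REMOVED
printf 'sniffer\n' > "$TREE/bin/rootkit"   # new file        -> ADDED
verify "$TREE" "$TREE.base" || echo "integrity check FAILED"
rm -rf "$TREE" "$TREE.base"
```

Take the baseline once, from trusted binaries, and keep the record off the host (read-only media or another machine), since a baseline the intruder can rewrite proves nothing. After the next unexplained deletion, the REMOVED lines are the exact list of what went missing, and a CHANGED line on ls, find or netstat is the rootkit signature obkb describes.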