???? VIRUS ON SOLARIS ????

Yesterday was the second time that some directories on my Netra were deleted!!
I have a network of PCs using PC/TCP, PC-NFS and Samba to access the NetraJ via NFS.

My problem: on the 9th of April, and on the 14th of July, several directories whose names start with F, A, E (FrAncE) were deleted.
Does anybody know about some virus on Solaris and/or PC that does such a thing?

lucix

P.S. I have a firewall installed first on my Netra!!
lbaAsked:
ksbCommented:
I doubt it was a UNIX virus. I am the dude that stopped the last Internet worm (the Morris one). It is likely the case that some host that can use NFS (or SMB) access to the files deleted them by mistake from their desktop.

A sorted list of the directory would have "A"-"F" at the start and an interrupted delete operation might have stopped at F.

This sounds like smoke: "no users that connect via nfs or samba". Why enable the service if nobody uses it? How can you be sure? Are you looking at an xtab that is rotated weekly?

I hope you have a good ufsdump of the host...

n0thingCommented:
There's not really such a thing as a virus on Solaris. In your case, someone must have had the permission to delete those files on your Netra. Either your NFS permissions were not set properly, someone hacked your machine, or the permissions of the files are not set properly. A firewall is as good as the security of the machine it sits on; it won't help to protect your NFS exported partition. There are a few bugs and holes in NFS and the rpc calls. A firewall machine must not export any NFS filesystem. On the other side, if you export your NFS partition to the PC as read/write, anyone could delete anything on it: a person, a program, a virus ...

Regards,
Minh Lai
lbaAuthor Commented:
Even if the users have any permissions on NFS, I don't think that
they delete some files or directories.
So, if there is no virus, how can I verify if there is a hacker inside my company? We are only 30 users.

 
n0thingCommented:
If you are sure that no one in your co. made a mistake by deleting some files, then the only other solution is a dumb hacker on your machine, because he is dumb enough to delete some files and reveal himself to your suspicion. One way to check is using the command "last" to see who last logged on to your machine. However, he might have erased all his traces on your machine. If you lack experience in security issues and networks, I would suggest you hire a professional. Your first basic check may be some basic system files like inetd.conf, /etc/passwd, ...

   And for the reason of rejecting my answer, I thought my answer was direct enough ("There is no such thing as a virus on Solaris") and even gave you the details of what might have happened. Could you tell me which part of my answer doesn't answer your question directly??

Regards,
Minh Lai
lbaAuthor Commented:
The file inetd.conf was not changed since the installation in May 97.
Passwd was changed due to new users.
The command last gives you only info about users that make FTP or TELNET connections,
not users that connect via NFS or Samba.

Luciano
ksbCommented:
This is really directed at n0thing, because he claimed "There is no such thing as a virus on Solaris".

There are UNIX virus and worm programs.  They are very rare, but the Morris worm and the make virus both exist.  These don't always start at boot time (nor do all PC virus programs).

Not one of these will selectively delete files.  Even the old uux worm took great pains to be invisible to the admin and the user.

Postscript printers can even get attacked...
lbaAuthor Commented:
Yes, I have a good dump (ufsdump), but how can I be sure that those directories will not be deleted again?

lba
 
obkbCommented:
There's a checklist of things to look for if you suspect a break-in over at www.cert.org or one of the various mirror sites for the CERT team.

The most recent rash of attacks has been the named exploits, for which vendor patches are not universally available (I think one big blue three-letter company was quick to respond with a patch, but that's about it).

One telltale trace is that the overflow style of the attack tends to cause the in.named process to core dump, so you'll find a core file named /var/named/core; if you do a "strings /var/named/core | grep passwd" you may find a line referencing the /etc/passwd file. Since it's highly unlikely that there would be a machine named /etc/passwd, chances are a hacker was trying to overflow named with something to edit the passwd file. Other things to look for would be the various shells (/bin/sh, /bin/csh, /bin/ksh etc.) and invocations of xterm (particularly with the -display option).

We've been getting these attacks for quite a few months now. Of course, we've taken the usual chroot preventative measures to make the attacks pointless from the hackers' point of view, and we correlate log entries from our firewall to each incident, but the hackers hack from other sites that they've hacked, so except for one case where we caught them doing it from their ISP, all we've managed is to inform other sites that they've been hacked. The problem is that it's easier for the many hackers out there to add to your frustration level than it is for our shutting down their access points to add to their frustration level. On the plus side, the generally high frustration levels of sysadmins translate into high salaries for us, whereas the hackers get pizza and cokes for their midnight efforts, if that's any consolation (I kinda like my memories of pizza and coke by a terminal when I was a teen).

If you ever get your machine to a state that you're happy with, think about running tripwire to build a database of all the system files and their checksums. Also arrange an alternate boot scenario (diskless boot or offline boot disk) or an emergency tool kit, because hackers now deploy root kits, which are just a tar of common tools like ls, find, diff, and sum which serve their purposes, not yours (pretty hard to use those commands to find hackers if they keep lying to you). The reason why these techniques are so prevalent is that various idiots distribute them on the web; most hackers really don't have the brains to rewrite the tools themselves in a convincing manner, but they know how to download them from the web.

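The checksum baseline that obkb recommends (tripwire) also answers lba's repeated question of how to notice when those directories disappear again, and n0thing's advice to check files like inetd.conf and /etc/passwd; here is a minimal added example in POSIX sh, not code from the thread or from tripwire, assuming only find, cksum and awk are available and that the baseline file and the tools are kept somewhere the machine cannot tamper with.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal tripwire-style integrity
# baseline in POSIX sh. The thread's caveat applies: a rootkit's ls, find
# and sum will lie, so run this from a trusted boot/tool set and keep the
# baseline file off the host (tape, floppy, another machine).
#
#   build_baseline ROOT > BASEFILE     record every dir and file under ROOT
#   compare_baseline ROOT BASEFILE     print MISSING / NEW / CHANGED entries

# One record per line: "<path><TAB>dir" or "<path><TAB>file <crc> <size>".
build_baseline() {
    root=$1
    find "$root" -type d | sort | while read -r d; do
        printf '%s\tdir\n' "$d"
    done
    find "$root" -type f | sort | while read -r f; do
        set -- $(cksum "$f")          # cksum prints: crc size path
        printf '%s\tfile %s %s\n' "$f" "$1" "$2"
    done
}

# Rebuild the record set and diff it against the saved baseline by path.
# A deleted directory shows up as MISSING for the directory and for each
# file under it; an edited file (e.g. /etc/passwd) shows up once as CHANGED.
compare_baseline() {
    root=$1; base=$2
    tmp=${TMPDIR:-/tmp}/baseline.$$
    build_baseline "$root" > "$tmp"
    awk -F '\t' '
        NR==FNR { old[$1]=$2; next }
        { new[$1]=$2 }
        END {
            for (p in old) if (!(p in new)) print "MISSING " p
            for (p in new) if (!(p in old)) print "NEW " p
            for (p in old) if ((p in new) && old[p]!=new[p]) print "CHANGED " p
        }' "$base" "$tmp" | sort
    rm -f "$tmp"
}

# Example nightly cron use (paths are placeholders):
#   compare_baseline /export/home /floppy/baseline.home
#   compare_baseline /etc /floppy/baseline.etc
```

An empty report means nothing under ROOT was added, removed or modified since the baseline was taken; any MISSING line for a directory is exactly the deletion lba is trying to catch.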