[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

No directory! - Root permisions where changed to 0 now it is 755 - No evidence in last command of yesterday

Posted on 2011-02-17
3
Medium Priority
?
526 Views
Last Modified: 2013-12-27
Hi experts.
I receive an alert yesterday night from our Oracle monitoring system of one of the two unreacheable nodes, (one has a more upgraded version of the monitoring agent).  In one of the nodes there is no evidence of the logging via last command - solaris Sparc 64 bit.
Can it be possible that one of this two things be possible?

1- Someone can enter and change root permissions in the Solaris node without a trace in the last command.

2- There is some sort of certification expiration or software expiration that will change the root permissions to 0 yesterday february 16 like some kind of "trial software" or some kind of "virus software".
0
Comment
Question by:LindaC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 2000 total points
ID: 34915474
Hi,

1 - yes, that's possible if you have ssh installed. ssh remote command execution never uses login(), so there is no trace in wtmp (the file "last" relies on).
Of course one must be able to gain root authority to perform the actions you mentioned.
If the malicious person is in possession of root's password they could do:

ssh root@node 'chmod 755 ....' (if root login via ssh is permitted)
or
ssh user@node -c #su - -c chmod 755 ...'

2 - possible, of course, but I never heard of such phenomena before.

wmp
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 34915501
Sorry, the second "ssh" example should read:

ssh user@node -c 'su - -c chmod 755 ...'

ssh would log connections via syslog if configured.
You need an entry "auth.info /path/to/log' ("info" or higher) in /etc/syslog.conf or a catch-all entry "*.info /path/to/log".

wmp
0
 
LVL 8

Author Closing Comment

by:LindaC
ID: 34938300
Thank you.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question