  • Status: Solved
No directory! - Root permissions were changed to 0, now it is 755 - No evidence in last command of yesterday

Hi experts.
I received an alert last night from our Oracle monitoring system about one of the two unreachable nodes (one has a more upgraded version of the monitoring agent). On one of the nodes there is no evidence of the login via the last command - Solaris SPARC 64-bit.
Could either of these two things be possible?

1- Someone can enter and change root permissions on the Solaris node without leaving a trace in the last command.

2- There is some sort of certification expiration or software expiration that changed the root permissions to 0 yesterday, February 16, like some kind of "trial software" or some kind of "virus software".
Asked by LindaC

1 Solution
woolmilkporc commented:
Hi,

1 - Yes, that's possible if you have ssh installed. ssh remote command execution never uses login(), so there is no trace in wtmp (the file "last" relies on).
Of course, one must be able to gain root authority to perform the actions you mentioned.
If the malicious person is in possession of root's password they could do:

ssh root@node 'chmod 755 ....' (if root login via ssh is permitted)
or
ssh user@node -c #su - -c chmod 755 ...'

2 - Possible, of course, but I have never heard of such a phenomenon before.

wmp
woolmilkporc commented:
Sorry, the second "ssh" example should read:

ssh user@node "su - -c 'chmod 755 ...'"

ssh would log connections via syslog if configured.
You need an entry "auth.info /path/to/log" ("info" or higher) in /etc/syslog.conf, or a catch-all entry "*.info /path/to/log".

wmp
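The two comments above point at a concrete check, shown here as an added example (it is not part of the thread and not woolmilkporc's code). sshd writes an "Accepted <method> for <user> from <host> port <n>" line to syslog at auth.info for every successful authentication, including an `ssh host command` execution that never calls login(), whereas `last` only shows sessions that reached wtmp. Correlating the two lists surfaces authentications that left no wtmp trace, which is exactly the case the first answer describes. The sshd log lines and the `last` output below are constructed for illustration; the host name, addresses, PIDs and the Solaris "[ID ... auth.info]" message tag are assumptions, and the year is assumed because neither syslog nor `last` records it. Two practical caveats for the syslog side: in Solaris /etc/syslog.conf the selector and the action must be separated by a tab, not spaces, or the line is silently ignored, and syslogd has to be signalled (kill -HUP) or refreshed before a new entry takes effect.

```python
"""Cross-check sshd 'Accepted' records against wtmp (`last`) output.

sshd logs every successful authentication to syslog (auth.info), whether the
client asked for a login shell or just ran 'ssh host command'. Only sessions
that go through login() get a wtmp entry, so an Accepted record with no
matching `last` line is a candidate remote command execution.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input (assumed format: Solaris syslog with message-ID tag).
AUTH_LOG = """\
Feb 16 22:41:07 node1 sshd[4321]: [ID 800047 auth.info] Accepted password for oracle from 10.1.2.3 port 50211 ssh2
Feb 16 23:02:51 node1 sshd[4377]: [ID 800047 auth.info] Accepted publickey for root from 10.1.2.99 port 50390 ssh2
Feb 16 23:03:10 node1 sshd[4390]: [ID 800047 auth.info] Accepted publickey for root from 10.1.2.99 port 50391 ssh2
Feb 17 08:15:33 node1 sshd[5102]: [ID 800047 auth.info] Accepted password for oracle from 10.1.2.3 port 50980 ssh2
"""

# Constructed output of `last` on the same node: note there is no root session.
LAST_OUTPUT = """\
oracle    pts/3        10.1.2.3         Fri Feb 17 08:15   still logged in
oracle    pts/2        10.1.2.3         Thu Feb 16 22:41 - 22:58  (00:17)
reboot    system boot                   Wed Feb  1 09:00
wtmp begins Wed Feb  1 09:00
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
YEAR = 2001  # assumed: neither syslog nor `last` records the year

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) \S+ "
    r"sshd\[\d+\]: .*Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<host>\S+) port \d+")
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3} "
    r"(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d)")


def _ts(mon, day, hh, mm, ss="0"):
    return datetime(YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def parse_sshd_accepts(log_text):
    """Every successful sshd authentication, shell or not."""
    accepts = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            accepts.append({
                "time": _ts(m["mon"], m["day"], m["hh"], m["mm"], m["ss"]),
                "user": m["user"], "host": m["host"], "method": m["method"],
            })
    return accepts


def parse_last(last_text):
    """Interactive sessions recorded in wtmp; skips reboot/shutdown pseudo-users."""
    sessions = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if m and m["user"] not in ("reboot", "shutdown"):
            sessions.append({"time": _ts(m["mon"], m["day"], m["hh"], m["mm"]),
                             "user": m["user"], "host": m["host"]})
    return sessions


def unlogged_ssh_sessions(log_text, last_text, slack=timedelta(seconds=90)):
    """sshd Accepted records with no wtmp session for the same user and host
    within `slack` (`last` prints minutes only, so allow some drift)."""
    sessions = parse_last(last_text)
    orphans = []
    for acc in parse_sshd_accepts(log_text):
        matched = any(
            s["user"] == acc["user"] and s["host"] == acc["host"]
            and abs(s["time"] - acc["time"]) <= slack
            for s in sessions)
        if not matched:
            orphans.append(acc)
    return orphans


if __name__ == "__main__":
    for o in unlogged_ssh_sessions(AUTH_LOG, LAST_OUTPUT):
        print("no wtmp record: %s %s via %s from %s" % (
            o["time"].strftime("%b %d %H:%M:%S"), o["user"], o["method"], o["host"]))
```

With the constructed data the two root logins from 10.1.2.99 come back as the only authentications without a wtmp session, which is what an `ssh root@node 'chmod ...'` would look like on the node: present in the sshd log, absent from `last`. Run against real data, feed it the auth log file written by the syslog.conf entry above and the output of `last` captured on the same host, and treat a non-empty result around the time the permissions changed as the lead to follow.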
LindaC (Author) commented:
Thank you.