topic How to see unauthorized intrusion into Hp boxes in Operating System - HP-UX

How to see unauthorized intrusion into Hp boxes

Yusuf Yila — Fri, 08 Jun 2007 07:44:04 GMT

We have 2 Itaniums rx 8640 and 2 Hp rx 7420, my DBA tells me he feels someone shutdown some services on the Oracle e-business suite ERP application this morning. How can we check to find out ?
Thanks

Re: How to see unauthorized intrusion into Hp boxes

Steven E. Protter — Fri, 08 Jun 2007 07:47:04 GMT

Shalom,

logs:

/var/adm/syslog/syslog.log

That and the keyboard histories should start the investigation.

Ask the DBA for screen shots or logs with evidence. An oracle defect or missing OS patches could just as easily have caused this.

SEP

Re: How to see unauthorized intrusion into Hp boxes

Steven E. Protter — Fri, 08 Jun 2007 07:49:33 GMT

Shalom,

Sorry I forgot. For the next intrusion this software might be helpful.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

Also, now that I actually use two brain cells at the same time, I'd say reset the passwords on all the oracle binary owners and be careful handing them out.

Since its an oracle shutdown the oracle logs are the best place to look.

SEP

Re: How to see unauthorized intrusion into Hp boxes

Yusuf Yila — Fri, 08 Jun 2007 08:08:01 GMT

syslog does not contain any meaninful information. Th elast login by root is not even logged there. Is it possible that it is not turned on ?

Re: How to see unauthorized intrusion into Hp boxes

Oviwan — Fri, 08 Jun 2007 08:15:21 GMT

Hey

check with "last" whether there is a machine of a user who shouldn't be able to login, someone perhaps know the root, oracle etc.. password.

Regards

Re: How to see unauthorized intrusion into Hp boxes

Andrew Young_2 — Fri, 08 Jun 2007 08:19:20 GMT

Hi Yusuf

There are two possibilities. The first most unlikely is that they did this remotely. Looking at the tnslistner log will be a good start. But I agree with Steve that it would in most likely be something in a log file as Oracle are pretty verbose when it comes to logging these sort of things.

The other less likely option is that they logged on to the local servers to do this, but since it is 4 different servers unless your passwords are the same on all servers (no comment) this is unlikely. but you can use the last command to verify this. Also the sulog.

Regards

Andrew Y

Re: How to see unauthorized intrusion into Hp boxes

spex — Fri, 08 Jun 2007 08:21:34 GMT

Hello,

The following pathnames are based on Oracle 9i, so YMMV:

# who -u
to see who is currently logged in

# last -R -100
to see the last 100 valid logins

# lastb -R -100
to see the last 100 failed login attempts

# more /home/oracle/.sh_history
to view the command history for the oracle user (obviously, substitute the appropriate username for your system)

$ more ${ORACLE_BASE}/admin//bdump/alert_.log
to view the alertlog for

$ more ${ORACLE_HOME}/network/log/listener.log
to view connection history of Oracle listener

# find / -type f -mtime -1 -print
for a list of recently modified files on your system

PCS

Re: How to see unauthorized intrusion into Hp boxes

Yusuf Yila — Fri, 08 Jun 2007 09:30:08 GMT

Thanks, i would try and get back to you.

Re: How to see unauthorized intrusion into Hp boxes

Court Campbell — Fri, 08 Jun 2007 09:38:19 GMT

What services does the dba feel where shutdown? What happened that lead him to infer this?