topic Virus Attack or Have I been Hacked? in Operating System - HP-UX

Virus Attack or Have I been Hacked?

CHRIS_ANORUO — Fri, 17 Nov 2000 14:47:55 GMT

I CANN'T LOG INTO MY SERVER FROM ANY WHERE (INCLUDING CONSOLE), BOTH TELNET AND RLOGIN ARE NOT WORKING!
AND THE SYSTEM DISK ARE SHOWING BUSY BLINKING LIGHT, THE LCD HAS JUST F13F ON DISPLAY.
HOW CAN I GO INTO THE SERVER TO CHECK THE DIRECTORIES. SINCE CONSOLE LOGIN IS NO LONGER WORKING. WHEN I RUN 'HPUX LL' AT ISL>, IN SEE THAT ALL IDS IN /STAND WERE CHANGED TO USER AND GROUP ID NUMBERS. VMUNIX, SYSTEM AND THE *.PREV FILES ARE ALL ZERO. THEY GUYS AT SECURITY-ALERT@HP.COM WERE NOT OF HELP.
HAS ANY BODY SEEN THIS?

Re: Virus Attack or Have I been Hacked?

Victor BERRIDGE — Fri, 17 Nov 2000 15:02:01 GMT

No nothing like, perhaps on a AIx a have I couldnt do a mksysb the reason was a patch (or someone) did a diff of the directoy where the kernel was > the kernel...
I would try to recuperate by ftp if you can important config files like passwd hosts ...
onto pc or non HPUX system, to see if there is an explanation, again if ftp works, try to put a kernel, get rid of the resolver and try to boot as a stand alone machine then have a look inside...
I know its not much of an help for now, just think we are with you, keep in touch and if we have better ideas, we shall submit them...
All the best
Victor

Re: Virus Attack or Have I been Hacked?

MARTINACHE — Fri, 17 Nov 2000 15:13:05 GMT

I had the same probleme after a patch.

rlogin didn't work but remsh YES

Could you try something like this :

remsh BADHOST -n "export DISPLAY=GOODHOST:0.0;xterm"

Regards,

Patrice.

Re: Virus Attack or Have I been Hacked?

Paula J Frazer-Campbell — Fri, 17 Nov 2000 15:18:34 GMT

Chris
Is this situation after a reboot?

It sounds like that the server loading has gone through the roof and processor time is not being given to telnet -etc.

You have to my mind two options :-
1. Leave it and see if it gets better.
2. Hit the big red button (as I would do) bring it to a stand still - disconnect network/comms and reboot.

Good luck

Paula.

Re: Virus Attack or Have I been Hacked?

CHRIS_ANORUO — Fri, 17 Nov 2000 15:25:57 GMT

Thanks, Actually this problem happened on 14/11/2000 and I had the system up and running in 2hrs. I recovered with the IUX recovery tape and updated with the lattest backup. I just wanted to know if anybody have had a similar experience. Lesson is - have a good recovery media and updated backups.

Thanks

Re: Virus Attack or Have I been Hacked?

CHRIS_ANORUO — Fri, 17 Nov 2000 15:29:59 GMT

Thanks, Actually this problem happened on 14/11/2000 and I had the system up and running in 4hrs. I recovered with the IUX recovery tape and updated with the lattest backup. I just wanted to know if anybody have had a similar experience. Lesson is - have a good recovery media and updated backups.

Thanks

Re: Virus Attack or Have I been Hacked?

Patrick Wallek — Fri, 17 Nov 2000 15:33:18 GMT

I am not surprised that you saw ownership of the files in /stand as a UID of 0. That is normal. Since you were at the ISL (?) prompt, /etc had not been mounted yet, hence no resolution of UID/GID to their normal names.

All files ownership and group properties are stored as the numeric UID/GID number. When you do an ll when the system is running normally, the UID/GID numbers get converted automatically to their normal names.

The UID of 0, which you saw in /stand is the UID for the root user. All of /stand should be owned by root.

Re: Virus Attack or Have I been Hacked?

CHRIS_ANORUO — Fri, 17 Nov 2000 15:44:06 GMT

All the /stand file sizes where zeroed.