/etc/hosts file missing every wednesday

Srivathsan_2
Advisor

Hello All,

I have a very peculiar problem on a Tru64 V5.1B system. Every Wednesday morning at 02:16 hrs (system time) the /etc/hosts file goes missing.

Have been able to trace the exact timing with the help of a script that checks for the existence of the file every minute and, in case it is missing, copies it over from the backup file available under /etc as hosts.good.

Have already checked cron and servers that have rlogin possibility to this server and didn't find anything obvious.

Have tried file level auditing but couldn't make it work :(

Any pointers to crack this, please?

Cheers,
Srivathsan
3 REPLIES
Stiwi Wondrusch
Trusted Contributor

Re: /etc/hosts file missing every wednesday

Hi Srivathsan

Simple and stupid brute force approach:
From the crontab start a script on Wednesday 02:15 that looks like this:

date >> logfile
ls -l /etc/hosts >> logfile
ps -ef >> logfile
ps -ef >> logfile
ps -ef >> logfile
ps -ef >> logfile
ps -ef >> logfile
... 100 times ?? (test it before Wednesday)
ls -l /etc/hosts >> logfile
date >> logfile

Afterwards grep for hosts in the logfile.

rgds Stiwi
Ivan Ferreira
Honored Contributor

Re: /etc/hosts file missing every wednesday

Auditing could help, but the /etc directory should not allow write permissions to any other than root. So, the user that deletes the file should be root with the rm or mv command. Ensure that the /etc directory has 755 permissions and root.system owner.

You should check the contents of your scripts in the cron, and not just the plain cron file for all users that can run commands as root.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
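
Added example, not part of the original thread: one way to carry out the check described in the reply above, listing the cron entries that fire at Wednesday 02:16 and flagging those whose command line or script body mentions hosts. The function names and the sample crontab are constructed for illustration; on a real system pass the crontab files you have exported for each user.

```shell
# field_matches FIELD VALUE: does a crontab field ("*", "16", "1-5", "0,3")
# cover VALUE? Step syntax such as "*/5" is rejected, not interpreted.
field_matches() {
    [ "$1" = "*" ] && return 0
    case "$1" in ''|*[!0-9,-]*) return 1 ;; esac
    for part in $(echo "$1" | tr ',' ' '); do
        case "$part" in
            *-*) [ "$2" -ge "${part%-*}" ] && [ "$2" -le "${part#*-}" ] && return 0 ;;
            *)   [ "$part" -eq "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# entries_at MIN HOUR DOW CRONTAB: print the command of each entry firing then.
# Day-of-month and month are not evaluated; weekly jobs are picked by weekday.
entries_at() {
    while read -r min hour dom mon dow cmd; do
        case "$min" in ''|'#'*) continue ;; esac
        field_matches "$min" "$1" && field_matches "$hour" "$2" &&
            field_matches "$dow" "$3" && echo "$cmd"
    done < "$4"
    return 0
}

# suspects MIN HOUR DOW PATTERN CRONTAB...: report matching entries whose
# command line, or the script named as its first word, mentions PATTERN.
suspects() {
    s_min=$1 s_hour=$2 s_dow=$3 s_pat=$4; shift 4
    for tab in "$@"; do
        entries_at "$s_min" "$s_hour" "$s_dow" "$tab" | while read -r prog rest; do
            if echo "$prog $rest" | grep "$s_pat" >/dev/null; then
                echo "$tab: $prog $rest (command line)"
            elif [ -r "$prog" ] && grep "$s_pat" "$prog" >/dev/null; then
                echo "$tab: $prog (script body)"
            fi
        done
    done
}

# demo: build a constructed crontab and script in a temp dir and search them.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nmv /etc/hosts /etc/hosts.old\n' > "$d/weekly.sh"
    printf '%s\n' '# constructed sample crontab' "16 2 * * 3 $d/weekly.sh" \
        '10-20 2 * * 0,3 /bin/rm -f /etc/hosts.lock' \
        '16 2 * * 1-2 /bin/rm /etc/hosts' '0 4 * * * /bin/true' > "$d/crontab"
    suspects 16 2 3 hosts "$d/crontab"
    rm -rf "$d"
}
demo
```

A job that starts earlier and only reaches the file at 02:16 will not match the exact minute, so repeat the search with earlier start times in that hour.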
Ann Majeske
Honored Contributor

Re: /etc/hosts file missing every wednesday

Auditing accesses to the file would help track this down. You didn't say what problems you had setting up auditing on the file; perhaps the following thread will help:

http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=1006406

Ann