HPE Community
Operating System - HP-UX
1756014 Members
3631 Online
108839 Solutions
New Discussion юеВ

Re: /etc/resolv.conf file always be changed automatically

 
Horia Chirculescu
Honored Contributor

тАО11-15-2010 02:14 AM

тАО11-15-2010 02:14 AM

Re: /etc/resolv.conf file always be changed automatically

How about bootp? Is it running?

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
Matthew Darcy_2
Frequent Advisor

тАО11-15-2010 04:38 AM

тАО11-15-2010 04:38 AM

Re: /etc/resolv.conf file always be changed automatically

what about some sort of IDS like tripwire,

are you changing the file, tripwire (or something) is being run as a scan at 5:00 detecting the change as a monitored file and changing it back.

I've been caught with that before in the past on high security machines, I was only alerted to it when the security team kept getting triggers of file changes.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 05:52 PM

тАО11-15-2010 05:52 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
bootp is not running on the server.

DiaoXin
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 05:56 PM

тАО11-15-2010 05:56 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Darcy,
I can not find IDS under /opt , and find nothing related to ids when I run "swlist ".
For tripwire, how can I know whether tripwire or the other tool installed ?

Thank you!
DiaoXin
0 Kudos
Reply
TTr
Honored Contributor

тАО11-16-2010 06:55 AM

тАО11-16-2010 06:55 AM

Re: /etc/resolv.conf file always be changed automatically

Did you check that this is not happening from another server as I pointed out above? You checked every other suggestion except mine.

Check the root's home directory and see if there is a .rhosts file that would allow remsh or rcp to run from another server and copy over the resolv.conf file.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-16-2010 05:45 PM

тАО11-16-2010 05:45 PM

Re: /etc/resolv.conf file always be changed automatically

Hi TTr,
Sorry for that and thank you for your idea.

I checked the server and there is no .rhosts file existing .

DiaoXin
0 Kudos
Reply
TTr
Honored Contributor

тАО11-16-2010 05:51 PM

тАО11-16-2010 05:51 PM

Re: /etc/resolv.conf file always be changed automatically

Check if there are any ftp or ssh connections at 5 am in the syslog (or ftp log if it logs in its own logs)
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-16-2010 06:14 PM

тАО11-16-2010 06:14 PM

Re: /etc/resolv.conf file always be changed automatically

Hi TTr,

I really find there is one user account ssh to the server at 4:00am everyday , and I will try to discuss with the user to deny his ssh connection for test.

Thank you!
DiaoXin
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-16-2010 06:46 PM

тАО11-16-2010 06:46 PM

Re: /etc/resolv.conf file always be changed automatically

Hi TTr,
I discussed with the user about his ssh connection. It is a cronjob for him to collect some information from the server and he only use the normal user permission to do this .
So I think it is not the root cause.

DiaoXin
0 Kudos
Reply
Alzhy
Honored Contributor

тАО11-17-2010 06:02 AM

тАО11-17-2010 06:02 AM

Re: /etc/resolv.conf file always be changed automatically

I would bet there is a CFENGINE scheme running. It could be HP's version (forgot the name) or cfengine itself.

Check /var/cfengine.
Hakuna Matata.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.