HPE Community
Operating System - HP-UX
1821537 Members
2284 Online
109633 Solutions
New Discussion юеВ

/etc/resolv.conf file always be changed automatically

 
diaoxin
Frequent Advisor

тАО11-09-2010 08:57 PM

тАО11-09-2010 08:57 PM

/etc/resolv.conf file always be changed automatically

Hi experts,
The file /etc/resolv.conf in HPUX11.23 is always be changed automatically at 5:00am everyday . I fail to find which process or script does it .Who can give me any ideas about it ?or do you have any tools ?
Thank you!
BR
Diao
0 Kudos
Reply
76 REPLIES 76
vishnu.khandare
Respected Contributor

тАО11-09-2010 09:10 PM

тАО11-09-2010 09:10 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Diao,

Please check the crontab file is the any entry related to /etc/resolve.conf which updates or change that file, at particular file.
Please check the /var/adm/syslog/syslog.log for the particular time to find the reason behind this.

Hope this solves ur issue
Dont forget to assign points

Regards
Vishnu Khandare
You should deserve before U desire!!!!
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-09-2010 09:24 PM

тАО11-09-2010 09:24 PM

Re: /etc/resolv.conf file always be changed automatically

Dear Vishnu Khandare,
I checked crontab but find nothing related to the file , and I run the command "find . -type f |xargs grep -l '150.236.34.24' " ,which try to find the files containing "150.236.34.24" ( 150.236.34.24 is the old setting that always overwrite the new setting ) . but find there is no one file in system that contains the old setting .
So I guess maybe there is some scripts will overwrite the file remotely, but I don't know how to get it .

Thank you!
DiaoXin
0 Kudos
Reply
vishnu.khandare
Respected Contributor

тАО11-10-2010 01:04 AM

тАО11-10-2010 01:04 AM

Re: /etc/resolv.conf file always be changed automatically

Hi Diao,

Try to search the in syslog.
Search what are the scripts which are running on perticular 5:00AM.
Search is there any softlink by which this file is uesd at some other place.

Hope this solves ur issue.

Regards
Vishnu Khandare
You should deserve before U desire!!!!
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-10-2010 01:25 AM

тАО11-10-2010 01:25 AM

Re: /etc/resolv.conf file always be changed automatically

Dear Vishnu Khandare,
I checked the syslog , but found nothing related to resolv.conf file .

Thanks.
BR
DiaoXin
0 Kudos
Reply
Viktor Balogh
Honored Contributor

тАО11-11-2010 10:51 AM

тАО11-11-2010 10:51 AM

Re: /etc/resolv.conf file always be changed automatically

Hi,

This is a simple and ugly way to list all the crontabs on HP-UX, check which processes are running around 5am:

# cat /var/spool/cron/crontab.root /var/spool/cron/crontabs/* | grep -v -e ^# -e ^$ | sort -n

This is how to display only the commands without the time:

# for i in `cat /var/spool/cron/crontab.root /var/spool/cron/crontabs/* | awk '!/^#/ {print $6}'

Try the following oneliner, this searches between the crontabs:

# for i in `cat /var/spool/cron/crontab.root /var/spool/cron/crontabs/* | awk '!/^#/ {print $6}' | sort -u`;
do
grep resolv $i
done
#

Regards,
Viktor


****
Unix operates with beer.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-11-2010 11:10 PM

тАО11-11-2010 11:10 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Viktor,
I tried the first and second commands you mentioned but show nothing .And I tried the third command it showed as below:

server:/tmp# ./dd1
cd /; egrep . etc/hosts etc/hostname* etc/resolv.conf 2>/dev/null ) \
echo "$0: Error: unable to resolve own hostname (\"$hostname\") to a fully qualified address. Please supply option --host." >&2
# resolved, withdrawn, and expired incidents


Can you give me any ideas ?
Thank you!
BR
DiaoXin
0 Kudos
Reply
Viktor Balogh
Honored Contributor

тАО11-12-2010 03:40 AM

тАО11-12-2010 03:40 AM

Re: /etc/resolv.conf file always be changed automatically

Hi,

Are there any crontabs on the system at all? Post the outputs of the following:

# ll /var/spool/cron/crontab.root
# ll /var/spool/cron/crontabs/*

Regards,
Viktor
****
Unix operates with beer.
0 Kudos
Reply
TTr
Honored Contributor

тАО11-12-2010 04:03 AM

тАО11-12-2010 04:03 AM

Re: /etc/resolv.conf file always be changed automatically

This could be happening from another server using ftp, remsh, rcp or scp. Not everything would be in the syslog. Check your other servers for something running at 5:00 am.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-14-2010 09:00 PM

тАО11-14-2010 09:00 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Viktor,
There is no output of the 2 commands you mentioned above.

Thank you!
DiaoXin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-15-2010 12:12 AM

тАО11-15-2010 12:12 AM

Re: /etc/resolv.conf file always be changed automatically

>changed automatically at 5:00am everyday

What is actually changing in resolv.conf everyday (post here the lines)?

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 12:16 AM

тАО11-15-2010 12:16 AM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
There are 3 lines concerning of " namesever" setting,because we have 3 DNS servers. assume that the 3 lines are as below :
nameserver 1.1.1.1
nameserver 2.2.2.2
nameserver 3.3.3.3
But at 5:00am everyday , the 3 IPs in the 3 lines will be changed to another settings which are not the correct IP of our DNS.

Thank you!
DiaoXin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-15-2010 12:21 AM

тАО11-15-2010 12:21 AM

Re: /etc/resolv.conf file always be changed automatically

Do you use DHCP? Check for dhcp client running on your HPUX box.

This is a server or a workstation?

Best regards,
Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО11-15-2010 12:26 AM

тАО11-15-2010 12:26 AM

Re: /etc/resolv.conf file always be changed automatically

Is your system configured to use DHCP instead of using static IP address? Perhaps your DHCP server requires the system to renew address leases daily, and the lease includes DNS configuration.

(Check /etc/rc.config.d/netconf; if it says DHCP_ENABLE[x]=1 where x is the number of an interface configuration block, then DHCP is in use. Then check the timestamp of /etc/dhcpclient.data: if it's updated at 5:00am too, then )

Please read "man dhcpdb2conf" to see a list of things DHCP can affect. In addition to network interface settings, it includes several things in files /etc/resolv.conf, /etc/rc.config.d/namesvrs and /etc/rc.config.d/netdaemons.

MK
MK
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 12:27 AM

тАО11-15-2010 12:27 AM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
It is a server and it does not use DHCP , the server IP is static IP . But can you tell me how to check DHCP in the server ? I cannot find the configuration file under /etc/rc.config.d

Thank you!
Diaoxin
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 12:32 AM

тАО11-15-2010 12:32 AM

Re: /etc/resolv.conf file always be changed automatically

Hi MK,

It is static IP in the server , and I find DHCP_ENABLE[0]=0 in /etc/rc.config.d/netconf file .

Thank you!
DiaoXin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-15-2010 01:45 AM

тАО11-15-2010 01:45 AM

Re: /etc/resolv.conf file always be changed automatically

>But can you tell me how to check DHCP in

Run:

ps -e |grep dhcp

This would tell you if the dhcp daemon is running or not.

Best regards,
Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 01:49 AM

тАО11-15-2010 01:49 AM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
Ok , thanks.
No dhcp process found in the server.

Diaoxin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-15-2010 01:52 AM

тАО11-15-2010 01:52 AM

Re: /etc/resolv.conf file always be changed automatically

Run this:

ps -e |grep boot

This server is part of a cluster?

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 01:55 AM

тАО11-15-2010 01:55 AM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
No , it is not cluster.

DiaoXin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-15-2010 02:14 AM

тАО11-15-2010 02:14 AM

Re: /etc/resolv.conf file always be changed automatically

How about bootp? Is it running?

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
Matthew Darcy_2
Frequent Advisor

тАО11-15-2010 04:38 AM

тАО11-15-2010 04:38 AM

Re: /etc/resolv.conf file always be changed automatically

what about some sort of IDS like tripwire,

are you changing the file, tripwire (or something) is being run as a scan at 5:00 detecting the change as a monitored file and changing it back.

I've been caught with that before in the past on high security machines, I was only alerted to it when the security team kept getting triggers of file changes.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 05:52 PM

тАО11-15-2010 05:52 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
bootp is not running on the server.

DiaoXin
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-15-2010 05:56 PM

тАО11-15-2010 05:56 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Darcy,
I can not find IDS under /opt , and find nothing related to ids when I run "swlist ".
For tripwire, how can I know whether tripwire or the other tool installed ?

Thank you!
DiaoXin
0 Kudos
Reply
TTr
Honored Contributor

тАО11-16-2010 06:55 AM

тАО11-16-2010 06:55 AM

Re: /etc/resolv.conf file always be changed automatically

Did you check that this is not happening from another server as I pointed out above? You checked every other suggestion except mine.

Check the root's home directory and see if there is a .rhosts file that would allow remsh or rcp to run from another server and copy over the resolv.conf file.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.