HPE Community
Operating System - HP-UX
1760365 Members
4345 Online
108893 Solutions
New Discussion юеВ

/etc/resolv.conf file always be changed automatically

 
TTr
Honored Contributor

тАО11-17-2010 07:56 AM

тАО11-17-2010 07:56 AM

Re: /etc/resolv.conf file always be changed automatically

If you have tcpdump installed, run tcpdump from 4:59am to 5:01am to see who is connecting to the server and at what port. This will tell you if the resolv.conf file is overwritten by an external process or not.

Verify the permissions of the file. It should be owned by root and have 644 (-rw-r--r--) permission mode. Therefore whatever is changing it is running as root.

Check if there is a batch scheduling tool installed other than cron.

Check if you have sudo installed and which users are allowed to run commands via sudo.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-17-2010 06:28 PM

тАО11-17-2010 06:28 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Alzhy,

But I can not find /var/cfengine in the server.

DiaoXin
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-17-2010 06:51 PM

тАО11-17-2010 06:51 PM

Re: /etc/resolv.conf file always be changed automatically

Hi TTr,
tcpdump is not installed .
I checked the permission of /etc/resolv.conf , it is 644 . and we use sudo in the server , but I find some users in sudoers file and I can not delete them because I am not sure whether they are necessary for some applications .
For the batch scheduler not cronjob , sorry I don't know how to check it in the server . Can you give me any ideas?
Diaoxin
0 Kudos
Reply
Anshumali
Esteemed Contributor

тАО11-17-2010 06:52 PM

тАО11-17-2010 06:52 PM

Re: /etc/resolv.conf file always be changed automatically

Check for root's login with last -R command and see from where there was an attempt to login.
Use HIDS to find out whats happening.
Tcpdump in that time is a good idea.
If its non-prod or if you can afford, take the network down for the said period and see if it happens just to isolate the cause being from n/w or local.
Think when the issue started and if you get a date/time, see what was changed if your change control is good.
Dreams are not which you see while sleeping, Dreams are which doesnt allow you to sleep while you are chasing for them!!
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-17-2010 10:11 PM

тАО11-17-2010 10:11 PM

Re: /etc/resolv.conf file always be changed automatically

>tcpdump is not installed .

You can install it from:

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/tcpdump-4.1.1/

Best regards,
Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-17-2010 10:17 PM

тАО11-17-2010 10:17 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Anshumali,
The " last " command can not works ,it shows the error "Invalid record size. Unable to continue ...".


diaoxin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-17-2010 10:19 PM

тАО11-17-2010 10:19 PM

Re: /etc/resolv.conf file always be changed automatically

>"Invalid record size. Unable to continue

This means that you have a corrupted wtmp file.

You must do this:

cat /dev/null > /var/adm/wtmp

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-17-2010 10:23 PM

тАО11-17-2010 10:23 PM

Re: /etc/resolv.conf file always be changed automatically

Maybe in 11.23 you have to truncate both /var/adm/wtmps and /var/adm/btmps files

Just figure out which wtmp you have by running ls on /var/adm.

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
diaoxin
Frequent Advisor

тАО11-17-2010 10:25 PM

тАО11-17-2010 10:25 PM

Re: /etc/resolv.conf file always be changed automatically

Hi Horia,
I run the commands as below,

server# cat /dev/null > /var/adm/wtmps
server# last

WTMPS_FILE begins at Thu Jan 1 07:59:59


it works.

diaoxin
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО11-17-2010 10:26 PM

тАО11-17-2010 10:26 PM

Re: /etc/resolv.conf file always be changed automatically

You must truncate also btmps in order to keep the system information consistent.

Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.