HPE Community
Operating System - HP-UX
1834249 Members
1949 Online
110066 Solutions
New Discussion

files deleted by a scheduled process

 
SOLVED
Go to solution
Olga_1
Regular Advisor

‎06-02-2003 05:45 AM

‎06-02-2003 05:45 AM

files deleted by a scheduled process

Hello,

Last week we had a bunch of files deleted from 3 HP boxes. We have changes all the passwords and enable auditing. This weekend similar thing happened. Auditing shows the deletion of files by the existing user and by ??????? user. The existing user password is known to 2 people. I think that the process was set up earlier to delete the files. I am not very knowledgeable in this area. What are other ways to set up such a process except cron. Thank you. I would appreciate any idea.
0 Kudos
Reply
8 REPLIES 8
John Meissner
Esteemed Contributor

‎06-02-2003 05:50 AM

‎06-02-2003 05:50 AM

Solution

Re: files deleted by a scheduled process

the command "at" is another scheduling system. also my company uses meastro to schedule things....
also the user could have a script running that sleeps or waits for a certain time.
All paths lead to destiny
Reply
James R. Ferguson
Acclaimed Contributor

‎06-02-2003 05:50 AM

‎06-02-2003 05:50 AM

Re: files deleted by a scheduled process

Hi Olga:

A daemon or a simple script which runs in the background, sleeps and periodically wakes up are possible candidates.

Regards!

...JRF...
Reply
Helen French
Honored Contributor

‎06-02-2003 05:56 AM

‎06-02-2003 05:56 AM

Re: files deleted by a scheduled process

Carefyllu observe the system log files, scheduled tasks such as cron, at etc. This file deletion will be possible from any application or process (which has permission, ofcourse!) by using a script. I would first see if this can be traced out, or see the error messages when you change the directory or file permissions. Check the failing daemons or process when you change the permissions. If this is OS files, donot change the permissions.
Life is a promise, fulfill it!
Reply
Steven E. Protter
Exalted Contributor

‎06-02-2003 05:56 AM

‎06-02-2003 05:56 AM

Re: files deleted by a scheduled process

My first reaction is.

eeeeeek!

You have a security problem.

First, sharing passwords is a bad idea among users because you don't know who did what.

cron is a root process. If a cron job is deleting files that will be cron not ??????? in the audit log.

If you are not sure if cron is doing it, shut down cron for a night if practical. If it does not happen you know where to look.

run crontab -l and run through by hand every job that runs in the window the mystery is happening.

Consider the following steps.

Tripwire.

software.hp.com has it and it can help catch security violators.

The rest of my standard security speel.

CIFS/9000

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B8725AA

Client
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B8724AA

Documentation:
http://www.docs.hp.com/hpux/onlinedocs/B8725-90003/B8725-90003.html

Security Post



Links:


security_patch_check: Checks your system and makes sure its up to date with security patches from HP
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA


Required Perl install

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Bastille: Security Hardening Tool

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

Secure Shell: a replacement for rcp ftp and telnet that encrypts passwords

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

IDS/9000 Intrusion Detection System which can track security breaches and attempted security breaches.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

pam kerobos
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5849AA

random number generator
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=KRNG11I

Attached is Chris Vail's paper on how to set up passwordless services by exchanging public keys.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Dario_1
Trusted Contributor

‎06-02-2003 06:26 AM

‎06-02-2003 06:26 AM

Re: files deleted by a scheduled process

Hi!!
I will look to see if there is any "at" jobs scheduled, also look at the scripts that runs from cron to see if any of them are executing a rm. If you have any cleanup and/or housekeeping script, review it.

Regads,

DR
Reply
Zeev Schultz
Honored Contributor

‎06-02-2003 06:51 AM

‎06-02-2003 06:51 AM

Re: files deleted by a scheduled process

Privet Olga,
I would also check a possibility of
1)script inside a script (recursion style) -
sometimes harmless script can call to a harmfull one.
2)what kind of storage are the files deleted from,can this be a snapshot (hardware/software)
or a local device.

Good luck
So computers don't think yet. At least not chess computers. - Seymour Cray
Reply
Jordan Bean
Honored Contributor

‎06-02-2003 02:27 PM

‎06-02-2003 02:27 PM

Re: files deleted by a scheduled process

Perhaps a crontab file for a deleted user was left behind. Stop cron, delete the offending crontab from /var/spool/cron/crontabs, restart cron.
Reply
Dave La Mar
Honored Contributor

‎06-02-2003 04:38 PM

‎06-02-2003 04:38 PM

Re: files deleted by a scheduled process

Olga -
If you have verified crontab entries (be sure to check entries for all users in cron.allow), then, as others have stated:
1. Check for "at" jobs.
/var/spool/cron/atjobs

2. Look for a script running, sleeping, running.
ps -ef | grep sleep and check out those scripts.

3. Maybe more difficult, check for scripts calling scripts.

4. And last resort check history logs of users.

Hope you find this one fast.

Best regards,

dl

"I'm not dumb. I just have a command of thoroughly useless information."
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.