
Re: How to see unauthorized intrusion into Hp boxes

 
Yusuf Yila
Occasional Contributor

How to see unauthorized intrusion into Hp boxes

We have 2 Itaniums rx 8640 and 2 Hp rx 7420, my DBA tells me he feels someone shut down some services on the Oracle e-business suite ERP application this morning. How can we check to find out?
Thanks
Steven E. Protter
Exalted Contributor

Re: How to see unauthorized intrusion into Hp boxes

Shalom,

logs:

/var/adm/syslog/syslog.log

That and the keyboard histories should start the investigation.

Ask the DBA for screen shots or logs with evidence. An oracle defect or missing OS patches could just as easily have caused this.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: How to see unauthorized intrusion into Hp boxes

Shalom,

Sorry I forgot. For the next intrusion this software might be helpful.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

Also, now that I actually use two brain cells at the same time, I'd say reset the passwords on all the oracle binary owners and be careful handing them out.

Since it's an Oracle shutdown, the Oracle logs are the best place to look.

SEP
Yusuf Yila
Occasional Contributor

Re: How to see unauthorized intrusion into Hp boxes

syslog does not contain any meaningful information. The last login by root is not even logged there. Is it possible that it is not turned on?
Oviwan
Honored Contributor

Re: How to see unauthorized intrusion into Hp boxes

Hey

check with "last" whether there is a machine of a user who shouldn't be able to log in; someone perhaps knows the root, oracle, etc. password.

Regards
Andrew Young_2
Honored Contributor

Re: How to see unauthorized intrusion into Hp boxes

Hi Yusuf

There are two possibilities. The first most unlikely is that they did this remotely. Looking at the tnslistener log will be a good start. But I agree with Steve that it would most likely be something in a log file, as Oracle are pretty verbose when it comes to logging these sorts of things.

The other less likely option is that they logged on to the local servers to do this, but since it is 4 different servers, unless your passwords are the same on all servers (no comment), this is unlikely. But you can use the last command to verify this. Also the sulog.

Regards

Andrew Y
Si hoc legere scis, nimis eruditionis habes
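An added example, not part of any post in this thread: the sulog mentioned above records account switches that "last" does not show, so this sketch filters su records for switches into sensitive accounts during an incident window. The function names, the sample records and the watched account names are assumptions; the record layout assumed is the standard su log format, which carries no year.

```shell
#!/bin/sh
# Added example: report su attempts into watched accounts within a time window.
# Assumed record layout (standard su log, no year field):
#   SU MM/DD HH:MM <+|-> tty fromuser-touser      (+ = success, - = failure)

# usage: su_into <MM/DD> <HH:MM start> <HH:MM end> <comma-separated targets> < sulog
su_into() {
    awk -v day="$1" -v from_t="$2" -v to_t="$3" -v targets="$4" '
    BEGIN {
        n = split(targets, t, ",")
        for (i = 1; i <= n; i++) watch[t[i]] = 1
    }
    # HH:MM strings are zero-padded, so string comparison orders them correctly.
    $1 == "SU" && NF >= 6 && $2 == day && $3 >= from_t && $3 <= to_t {
        # Split on the LAST hyphen so a hyphenated source name still parses.
        k = split($6, p, "-")
        dst = p[k]
        src = substr($6, 1, length($6) - length(dst) - 1)
        if (!(dst in watch)) next
        result = ($4 == "+") ? "OK" : "FAILED"
        printf "%s %s %s %s->%s %s\n", $2, $3, result, src, dst, $5
    }'
}

# Constructed sample records (not taken from the systems in this thread).
sample_sulog() {
    cat <<'EOF'
SU 01/11 22:40 + pts/0 jdoe-root
SU 01/12 06:02 - pts/3 tmp-user-oracle
SU 01/12 06:05 + pts/3 tmp-user-oracle
SU 01/12 06:30 + pts/1 jdoe-appmgr
SU 01/12 09:15 + pts/2 asmith-root
EOF
}

# On a live HP-UX system: su_into 01/12 05:00 08:00 root,oracle < /var/adm/sulog
if [ "${1:-}" = "demo" ]; then
    sample_sulog | su_into 01/12 05:00 08:00 root,oracle
fi
```

A failed attempt followed shortly by a success from the same source account and tty, as in the constructed sample, is worth correlating against the "last -R" output for that tty.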
spex
Honored Contributor

Re: How to see unauthorized intrusion into Hp boxes

Hello,

The following pathnames are based on Oracle 9i, so YMMV:

# who -u
to see who is currently logged in

# last -R -100
to see the last 100 valid logins

# lastb -R -100
to see the last 100 failed login attempts

# more /home/oracle/.sh_history
to view the command history for the oracle user (obviously, substitute the appropriate username for your system)

$ more ${ORACLE_BASE}/admin//bdump/alert_.log
to view the alertlog for

$ more ${ORACLE_HOME}/network/log/listener.log
to view connection history of Oracle listener

# find / -type f -mtime -1 -print
for a list of recently modified files on your system

PCS
Yusuf Yila
Occasional Contributor

Re: How to see unauthorized intrusion into Hp boxes

Thanks, I would try and get back to you.
Court Campbell
Honored Contributor

Re: How to see unauthorized intrusion into Hp boxes

What services does the DBA feel were shut down? What happened that led him to infer this?
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"