Operating System - HP-UX
Need guidance locating source of massive file deletions
09-29-2001 06:00 PM
This system is one of dozens of UNIX servers behind the corporate Internet firewall and we have NO reason to believe this attack is coming from outside the corporation; we believe it to be an inside job done via a Trojan Horse that has suddenly sprung itself upon us (twice in 2 days).
Fortunately we had a session logged in from the system console, thereby affording us the opportunity to recover from our latest make_recovery tape. Once that had been accomplished, we used NetBackup to restore the /home filesystem contents from the very latest full & incremental backups. Of course, this wipes out any evidence that might have remained from the attack.
After the recovery we swept the system (in fact all systems) with a "find / -perm -4000 -type f" looking for obvious setuid programs but no easily recognizable candidates can be seen (which is what I guess one should expect from a hacker).
After having the event occur 24 hours and 30 minutes after the first attack, we are not inclined to recover in the same manner but instead rebuild after a cold install. However, while that might eliminate the source of the problem, I'll probably never know for sure what caused it. So, in summation, I guess I'm looking for advice on how I might locate the source of the compromised system before I wipe everything out and start from scratch.
09-30-2001 12:52 AM
1. Turn on auditing! - and set on audit events for file deletion. This way after it happens again you can find the user/pid of the process doing it.
2. Have a job which runs constantly doing a ps -elf and sending the output to a file on a remote system. You could also grep for rm or find commands and if these come up issue an immediate alarm (echo > console). Run it every 30 secs or so. This is easier than using auditing and should help you catch the culprit in the act.
Good luck and let us know what you find please.
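The polling watchdog from item 2, written out as an added example (this is not code from the thread or from any poster). It snapshots "ps -elf" every INTERVAL seconds, keeps only the lines whose command word is rm or find, appends them with a timestamp to a log that is meant to live on another host, and raises an alarm on the console. The log path, console device, interval and the embedded sample ps listing are all assumptions or constructed data; auditing (item 1) is an OS configuration step and is not shown here.

```shell
#!/bin/sh
# Added example, not from the thread: watchdog in the spirit of "run ps -elf every
# 30 seconds, ship the output off-host, alarm on rm or find".
# All paths and the interval below are assumptions.

WATCHLOG=${WATCHLOG:-/net/loghost/pswatch/$(uname -n).log}   # assumption: NFS/remote-backed path
CONSOLE=${CONSOLE:-/dev/console}
INTERVAL=${INTERVAL:-30}

# Constructed sample of "ps -elf" output, used only for the stand-alone demonstration.
SAMPLE_PS='F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 -  1234 -      Sep29 ?        00:00:03 /sbin/init
1 S ray       4711  4700  0  80   0 -   512 -      23:55 pts/0    00:00:00 -sh
1 R root      4812  4811  0  80   0 -   256 -      00:00 ?        00:00:00 /usr/bin/rm -rf /home
1 S ray       4813  4711  0  80   0 -   400 -      00:00 pts/0    00:00:00 find / -perm -4000 -type f
1 S ray       4814  4711  0  80   0 -   300 -      00:00 pts/0    00:00:00 vi rmtest.txt
1 S ray       4815  4711  0  80   0 -   300 -      00:00 pts/0    00:00:00 grep storm /tmp/x'

# flag_suspicious: read "ps -elf" output on stdin, print every process line in which
# some field, with any leading directory stripped, is exactly rm or find. The header
# line is skipped; matching whole fields means "rmtest.txt" and "storm" are not hits.
flag_suspicious() {
    awk 'NR > 1 {
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/^.*\//, "", f)           # /usr/bin/rm -> rm
            if (f == "rm" || f == "find") { print; next }
        }
    }'
}

# alarm MESSAGE: write to the console when it is writable, otherwise to stderr.
alarm() {
    if [ -w "$CONSOLE" ]; then
        echo "PSWATCH ALARM: $*" > "$CONSOLE"
    else
        echo "PSWATCH ALARM: $*" >&2
    fi
}

# check_once: one polling cycle. Returns 0 when nothing was flagged, 1 otherwise.
check_once() {
    hits=$(ps -elf | flag_suspicious)
    [ -z "$hits" ] && return 0
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s\n' "$hits" | sed "s/^/$stamp /" >> "$WATCHLOG"
    alarm "rm/find running, see $WATCHLOG"
    return 1
}

# watch_loop: poll forever; start it from an rc script or nohup'd from the console.
watch_loop() {
    while :; do
        check_once
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    run)  watch_loop ;;
    demo) printf '%s\n' "$SAMPLE_PS" | flag_suspicious ;;
esac
```

"sh pswatch.sh demo" prints the two flagged lines from the constructed sample (the rm and the find); "sh pswatch.sh run" starts the loop. The log is appended with the full ps line, so UID, PID and PPID of the deleting process survive even if the process itself is gone by the time anyone looks.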
09-30-2001 11:24 PM
Re: Need guidance locating source of massive file deletions
Have you looked at the .sh_history and all cron jobs.
Have a look at lastb and last for high level users.
Do netstat -r and look strange routes.
Do a who who -b -r and look at time stamps.
HTH
Paula
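A triage helper that gathers the artefacts Paula lists (shell histories, cron and at jobs, last/lastb, the routing table, who -b -r) into one report directory, and additionally scans every job and script for calls to rm, with a second pass that singles out the recursive forms whose operand depends on a variable or a wildcard. This is an added example, not code from the thread; the spool directories, script directories, report location and the constructed sample script in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage for "who or what is deleting
# files". Spool paths are the usual HP-UX locations but are assumptions here.

REPORT=${REPORT:-/var/tmp/triage.$(date +%Y%m%d%H%M%S)}
CRONDIR=${CRONDIR:-/var/spool/cron/crontabs}      # assumption: crontab spool
ATDIR=${ATDIR:-/var/spool/cron/atjobs}            # assumption: at spool
SCRIPTDIRS=${SCRIPTDIRS:-/usr/local/bin /usr/local/sbin}   # assumption: where cron's scripts live

# scan_for_rm FILE...: print "file:line:text" for every line that invokes rm, whether
# bare, with a full path, or after ; | & ( or a backtick. Comment lines are dropped.
# "rmdir", "storm" and "rmtest" do not match because rm must be a whole word.
scan_for_rm() {
    grep -n -E '(^|[[:space:];|&(`])(/[^[:space:]]*/)?rm([[:space:]]|$)' "$@" /dev/null 2>/dev/null \
        | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#'
}

# flag_unsafe_rm FILE...: the subset of recursive rm calls (-r or -R) whose operand
# contains a variable or a wildcard. "rm -rf ${DeleteDir}" and "rm -rf *" are the shapes
# that become "rm -rf /" or empty the wrong directory when a variable is unset or a cd failed.
flag_unsafe_rm() {
    scan_for_rm "$@" | grep -E 'rm[[:space:]]+-[A-Za-z]*[rR][A-Za-z]*[[:space:]]+.*(\$|\*)'
}

# script_files: list the regular files in SCRIPTDIRS (one per line, no spaces in names assumed)
script_files() {
    for d in $SCRIPTDIRS; do
        for f in "$d"/*; do [ -f "$f" ] && echo "$f"; done
    done
}

# collect: gather the evidence into $REPORT and run both rm scans; prints the directory.
collect() {
    mkdir -p "$REPORT" || return 1
    # shell histories: root's and every home directory's (assumption: homes under /home)
    for h in /.sh_history /home/*/.sh_history; do
        [ -f "$h" ] && { echo "== $h"; cat "$h"; echo; } >> "$REPORT/histories.txt"
    done
    # every cron and at job on the box
    for c in "$CRONDIR"/* "$ATDIR"/*; do
        [ -f "$c" ] && { echo "== $c"; cat "$c"; echo; } >> "$REPORT/cron_at_jobs.txt"
    done
    last       > "$REPORT/last.txt"   2>&1   # logins: privileged accounts at odd hours?
    lastb      > "$REPORT/lastb.txt"  2>&1   # failed logins
    netstat -r > "$REPORT/routes.txt" 2>&1   # routes that should not be there
    who -b -r  > "$REPORT/who.txt"    2>&1   # last boot time and current run level
    # every rm, and the risky recursive ones, in jobs and in the scripts they call
    scan_for_rm    "$CRONDIR"/* "$ATDIR"/* $(script_files) > "$REPORT/rm_calls.txt"
    flag_unsafe_rm "$CRONDIR"/* "$ATDIR"/* $(script_files) > "$REPORT/rm_unsafe.txt"
    echo "$REPORT"
}

if [ "${1:-}" = collect ]; then collect; fi
```

Run "sh triage.sh collect" as root and read rm_unsafe.txt first: on a constructed cleanup script containing "rm -rf ${DeleteDir}", "/usr/bin/rm -f /tmp/work/*.lock" and "find ... | xargs rm", scan_for_rm reports all three and flag_unsafe_rm reports only the first, which is the line worth checking against the directory that was deleted.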
10-05-2001 08:48 AM
Re: Need guidance locating source of massive file deletions
rm -rf ${DeleteDir}
(when DeleteDir may potentially be empty)
I think this is more likely to be due to human/program error than due to a malicious attack...
dave
10-05-2001 10:18 AM
Re: Need guidance locating source of massive file deletions
encapsulate the rm command in a script that checks the number of files to be deleted. Anything over x number of files triggers a page to your beeper, logging all appropriate info and a request for password to complete the operation.
10-05-2001 10:26 AM
Re: Need guidance locating source of massive file deletions
Everything was fine with the recovery, as was everything else, until that next morning. Again everything went poof. Again we did a recovery.
This time though, I knew we had a very bad job running that was toasting our filesystems. I finally found it, and I was actually the one that caused it to trigger it in the first place. Three days prior, I was deleting garbage from the /tmp directory (well I thought most of it was garbage). It appears I deleted a directory a few levels below /tmp that a cron was trying to "cd" to, to clean up temporary files. But, because I had removed that sub-directory, the 'cd' failed, and the "rm" started at "/" and started deleting files. Therefore, you might want to look at cron and "at" jobs that have "rm" in them, but you also need to look at all scripts that might be executing "rm"'s.
good luck!
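The failure modes in the last three replies (an rm -rf on a variable that may be empty, a cron job that falls through a failed cd and runs rm from "/", and the suggestion to wrap rm so that an unusually large deletion stops and pages someone) all have the same fix: validate before deleting. The cleanup job below is an added example of such a wrapper, not code from the thread or from any poster; the function names, allowed prefix, threshold and log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a hardened cleanup job that refuses to run rather
# than guess. Replaces jobs of the shape "cd $dir; rm -rf *" or "rm -rf ${DeleteDir}".
# ALLOWED_PREFIX, MAX_FILES and LOGFILE are assumptions.

ALLOWED_PREFIX=${ALLOWED_PREFIX:-/tmp}     # cleanup only ever happens under here
MAX_FILES=${MAX_FILES:-500}                # above this, stop and have an operator confirm
LOGFILE=${LOGFILE:-/var/adm/cleanup.log}   # audit trail of every run

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"; }

# count_entries DIR: number of files and directories below DIR (DIR itself excluded)
count_entries() {
    echo $(( $(find "$1" -print | wc -l) - 1 ))
}

# safe_cleanup DIR: delete the contents of DIR, keeping DIR. Returns 0 on success and a
# distinct non-zero code per refusal, so cron's mail and the log show which guard fired.
safe_cleanup() {
    dir=$1
    # Guard 1: an empty or unset variable turns "rm -rf $dir/*" into "rm -rf /*".
    case "$dir" in
        ""|/|//|/.) log "REFUSED: target is empty or /"; return 2 ;;
    esac
    # Guard 2: never operate outside the tree this job exists for.
    case "$dir" in
        "$ALLOWED_PREFIX"/*) ;;
        *) log "REFUSED: $dir is outside $ALLOWED_PREFIX"; return 3 ;;
    esac
    # Guard 3: if the directory is gone (deleted by hand, as in the story above), stop.
    # The original job fell through a failed cd and ran rm in cron's working directory, /.
    if ! ( cd "$dir" ) 2>/dev/null; then
        log "REFUSED: cannot cd to $dir"; return 4
    fi
    # Guard 4: count first; a number far above a normal run is exactly the symptom here.
    n=$(count_entries "$dir")
    if [ "$n" -gt "$MAX_FILES" ]; then
        log "REFUSED: $n entries under $dir exceeds MAX_FILES=$MAX_FILES; operator must confirm"
        return 5
    fi
    log "deleting $n entries under $dir"
    # Name the validated directory explicitly; never a bare "*" relative to whatever cwd is.
    # .[!.]* catches dot files; names beginning with ".." are left alone.
    rm -rf "$dir"/* "$dir"/.[!.]* 2>/dev/null
    return 0
}

# Stand-alone demonstration: "sh cleanup.sh demo" builds a scratch tree and shows the guards.
demo() {
    d=$(mktemp -d "$ALLOWED_PREFIX/cleanupdemo.XXXXXX") || exit 1
    LOGFILE=$d/log
    mkdir -p "$d/work/sub" && touch "$d/work/a" "$d/work/sub/b"
    safe_cleanup ""           ; echo "empty variable -> rc $?"
    safe_cleanup /            ; echo "slash          -> rc $?"
    safe_cleanup "$d/missing" ; echo "missing dir    -> rc $?"
    safe_cleanup "$d/work"    ; echo "real cleanup   -> rc $? ($(count_entries "$d/work") entries left)"
    cat "$d/log"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Each guard returns a different exit code, so a cron entry such as "safe_cleanup /tmp/work || mail operator" tells you which check stopped the job; the count guard is the wrapper-with-a-threshold idea from the earlier reply, with the confirmation step left to the operator who reads the log rather than built into an unattended job.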
10-05-2001 10:27 AM
Re: Need guidance locating source of massive file deletions
Also, if it's not a big deal, rename "rm" to "RM".
10-05-2001 10:32 AM
Re: Need guidance locating source of massive file deletions
Thank you all for your insightful replies. We've learned many lessons from this unfortunate episode, including not to prejudge a situation. Indeed, we looked at the script that was the culprit, but we were looking for evidence of tampering and ignored the need to look for a logical way it could suddenly turn against us purely by happenstance.
Thanks again...Ray
11-02-2001 02:25 PM
Re: Need guidance locating source of massive file deletions
Install IDS/9000, HP's host-based intrusion detection system. It will monitor your system and can tell you immediately when someone deletes even a single file from a critical directory (for your definition of critical).
You run an agent on the server in question and a GUI monitoring the agent on the same or a different machine. Alerts will be sent to the GUI, and logged to a local alert log file. The alerts will contain the following information:
- who did it
- when did they do it
- what file did they touch
- what program did they run
- how was it invoked
- what arguments were passed to the program
In addition, you can configure an automated response script to kick in as soon as IDS/9000 detects that someone deleted a file. The script (for version 1.0) lives in /opt/ids/bin/ids_alertResponse. The script is passed the details of the alert on the command line.
In this example you could instantly kill the process that is deleting files, or you can restore the files/dirs from a CD as the attacker deletes them!
Email me at mark_crosbie@hp.com for more information.
IDS/9000 is available from http://software.hp.com (product J5083AA) and details are at http://www.hp.com/security/products/ids
Version 2.0 is coming out soon...
Regards
Mark
--
Mark Crosbie IDS/9000 Product Architect
http://www.hp.com/security/products/ids