Operating System - HP-UX

Re: Several key files in /etc rewritten EMPTY!

SOLVED
Ken Englander
Regular Advisor

Several key files in /etc rewritten EMPTY!

The following files were wiped out - new empty files were left in their place.

/etc/inittab, /etc/inetd.conf, and /etc/MANPATH

The system is running HP-UX 11i v3 - Mar08.

Anyone seen anything like this?

Any ideas on a way to figure this out if it happens again or a suggested way to prevent and/or detect it.

I know I can make good copies and set up a cron job to monitor the files, but I am not sure how I might detect the cause of the problem.

Thanks!
7 REPLIES
Court Campbell
Honored Contributor

Re: Several key files in /etc rewritten EMPTY!

Well, the person who did it more than likely had root access. You can try to check logs and see if you have any su or sudo logs that show someone switching to root. You can also look at the history file and see if that provides any info. Probably the better way to track this would be with HP-UX HIDS, Tripwire, or AIDE.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Ken Englander
Regular Advisor

Re: Several key files in /etc rewritten EMPTY!

How do I find out more about those tools?

I would suspect an errant program more likely than a human, since the systems have limited access. However, it might make sense to restrict root access so su must be used, but that is not set up at this time.
Tim Nelson
Honored Contributor
Solution

Re: Several key files in /etc rewritten EMPTY!

HIDS and Tripwire can be found on software.hp.com (I think Tripwire is on the InternetExpress CD).

Both are freeware.

Tripwire is more for monitoring network traffic and HIDS for monitoring file changes. They would not lock the change out (I do not think), but you would be notified of the change and perhaps be able to roll back a copy of the file.

Docs are on docs.hp.com.

Kenan Erdey
Honored Contributor

Re: Several key files in /etc rewritten EMPTY!

Hi,

If you want to try to find out manually, in a script you can check in an infinite loop whether the modification date has changed. If it has changed, the process can be found using lsof. But I am not sure you can get the process after the condition is true (the file is already changed).

Kenan.


Computers have lots of memory but no imagination
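As an added example (not code from the thread or from any of its posters): a POSIX shell script along the lines the original poster and Kenan describe, which baselines the watched files with cksum and, on each run (for instance from cron), reports any file whose checksum or size has changed, flagging zero-length files separately so a truncation like the one reported here stands out. It assumes only cksum and mktemp; the file names and contents in demo() are constructed copies in a temporary directory, not the real /etc files. It detects the change after the fact; attributing it to a process (Kenan's lsof idea) only works while the writer still has the file open.

```shell
#!/bin/sh
# Added example, not from the thread. Baseline a list of files with cksum and
# report any whose checksum or size later differs; zero-length files are
# reported as TRUNCATED so a wiped /etc/inittab is easy to spot in mail from cron.

# baseline_files BASELINE FILE... : record "crc size path" for each file
baseline_files() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        cksum "$f" >> "$baseline"
    done
}

# check_files BASELINE : print one line per changed/missing file,
# return 0 if everything matches the baseline, 1 otherwise
check_files() {
    baseline=$1
    rc=0
    while read -r sum size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        # cksum prints "crc size path"; only the first two fields are compared
        set -- $(cksum "$path")
        if [ "$1" != "$sum" ] || [ "$2" != "$size" ]; then
            if [ "$2" -eq 0 ]; then
                echo "TRUNCATED $path (was $size bytes)"
            else
                echo "CHANGED $path"
            fi
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# Stand-alone demonstration on constructed copies in a temp dir, not the real /etc.
# In production, baseline /etc/inittab, /etc/inetd.conf and /etc/MANPATH instead.
demo() {
    dir=$(mktemp -d)
    printf 'init:3:initdefault:\n' > "$dir/inittab"        # constructed sample content
    printf '# constructed sample inetd.conf\n' > "$dir/inetd.conf"
    baseline_files "$dir/baseline" "$dir/inittab" "$dir/inetd.conf"
    : > "$dir/inittab"                                      # simulate the truncation
    check_files "$dir/baseline" || echo "changes detected since baseline"
    rm -rf "$dir"
}
demo
```

Run baseline_files once from a known-good state and store the baseline somewhere root-only; a cron entry then calls check_files and mails any non-empty output. Keep known-good copies of the files alongside the baseline so a flagged file can be compared and restored.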
VK2COT
Honored Contributor

Re: Several key files in /etc rewritten EMPTY!

Hello,

Firstly, if we do not suspect hacking activity (that includes admins who have privileges but are clueless as far as Unix is concerned), then maybe your root file system is full. I have seen truncated files when someone is attempting to save them but there is no space.

Since you run HP-UX 11.31, why not go a step ahead as well:

a) Configure Dynamic Root Disk cloning

b) Install HIDS, AIDE and/or Tripwire

I used AIDE and Tripwire when I worked on joint projects with competitors (IBM, CSC, EDS) to ensure that nobody can make modifications without ALL OF US KNOWING ABOUT THEM. It was not a matter of mistrust but simply a good housekeeping duty.

Also, I hope you do not share the root account with others. If so, then configure Role Based Access Control.

For now, I would not trust your server. A rebuild is the only proper way to go forward.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
Dennis Handly
Acclaimed Contributor

Re: Several key files in /etc rewritten EMPTY!

>I would suspect an errant program more likely than a human

The only changes to /etc/MANPATH should occur when using swinstall/swremove on products that add themselves to MANPATH in the control scripts.
Ken Englander
Regular Advisor

Re: Several key files in /etc rewritten EMPTY!

I know one more important detail now: the problem seems to have occurred during the installation of CDE. The system actually failed in the middle of the install.

The problem has been repaired so there is no way to examine the problem scenario other than possibly logs leftover.

Thanks all for your input!