From your descriptions, I would assume you have been hacked already. You should take immediate steps to close down the system and look for evidence of security breaches. Start with a new root password, then run pwck and grpck and look for duplicate UID numbers or other warnings.
Normally, a sophisticated hacker will install a 'root kit' once they have broken in. This kit replaces key programs such as login, syslogd, passwd, and so on. syslog.log is one of the first files to be compromised as it tracks (or can track) a lot of system activity.
Shutdown /etc/inetd.conf by removing/commenting-out all unnecessary services. A starting point is to leave only:
ftp telnet auth echo
then make sure /var/adm/inetd.sec has restricted ftp, echo and telnet to specific ranges of IP addresses. You can leave auth open to all. Run inetd -c to re-read the above changes.
Check /etc/syslog.conf date: is it recent? If so, it may have been hacked to eliminate logging of certain events. If you aren't logging ftpd, consider turning that on in inetd.conf (and check all other daemons for logging options). Save a copy of syslog, btmp, wtmp, sulog and shutdownlog on a secure system. Use last and lastb to decode logins and attempted logins. Look in shutdownlog for unauthorized reboots (most machines are hacked from the inside simply by forcing a reboot into single user mode--only physical access is needed to the console)
Consider echoing all syslog events to a separate, more secure server. This is done in syslog.conf by replacing a specific filename with (or appending to) @ remote.system.com or whatever. This gets the info off the affected server.
Consider running swverify against the HP-UX packages to see if altered binaries have been installed.
Take a look at RFC 1244 which is a detailed (but somewhat dated). For all RFC's go to:
http://www.faqs.org/rfcs/, or specfically:
http://www.faqs.org/rfcs/rfc1244.html for the security document.
You mentioned your firewall..contact the vendor to see if vulnerabilities have been reported and if there is an update. Replace any machine used as a firewall if it does not have a subscription service to update to the latest level of protection.
HP offers a new security product called the Praesidium Intrusion Detection System or IDS/9000. It runs on HP-UX version 11 and higher.
This short answer is in no way a complete guide to handling security issues. Definitely get as much information as you can and consider company-wide policies and procedures immediately (those hot projects can wait).
Bill Hassell, sysadmin
