Operating System - HP-UX

Virus Attack or Have I been Hacked?

 
CHRIS_ANORUO
Honored Contributor

I CAN'T LOG INTO MY SERVER FROM ANYWHERE (INCLUDING CONSOLE), BOTH TELNET AND RLOGIN ARE NOT WORKING!
AND THE SYSTEM DISK ARE SHOWING BUSY BLINKING LIGHT, THE LCD HAS JUST F13F ON DISPLAY.
HOW CAN I GO INTO THE SERVER TO CHECK THE DIRECTORIES, SINCE CONSOLE LOGIN IS NO LONGER WORKING? WHEN I RUN 'HPUX LL' AT ISL>, I SEE THAT ALL IDS IN /STAND WERE CHANGED TO USER AND GROUP ID NUMBERS. VMUNIX, SYSTEM AND THE *.PREV FILES ARE ALL ZERO. THE GUYS AT SECURITY-ALERT@HP.COM WERE NOT OF HELP.
HAS ANYBODY SEEN THIS?
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
7 REPLIES
Victor BERRIDGE
Honored Contributor

Re: Virus Attack or Have I been Hacked?

No nothing like, perhaps on a AIX a have I couldn't do a mksysb the reason was a patch (or someone) did a diff of the directory where the kernel was > the kernel...
I would try to recuperate by ftp if you can important config files like passwd hosts ...
onto pc or non HPUX system, to see if there is an explanation, again if ftp works, try to put a kernel, get rid of the resolver and try to boot as a stand alone machine then have a look inside...
I know it's not much of a help for now, just think we are with you, keep in touch and if we have better ideas, we shall submit them...
All the best
Victor
MARTINACHE
Respected Contributor

Re: Virus Attack or Have I been Hacked?

I had the same problem after a patch.

rlogin didn't work but remsh YES

Could you try something like this :

remsh BADHOST -n "export DISPLAY=GOODHOST:0.0;xterm"

Regards,

Patrice.
Patrice MARTINACHE
Paula J Frazer-Campbell
Honored Contributor

Re: Virus Attack or Have I been Hacked?

Chris
Is this situation after a reboot?

It sounds like the server loading has gone through the roof and processor time is not being given to telnet etc.

You have to my mind two options :-
1. Leave it and see if it gets better.
2. Hit the big red button (as I would do) bring it to a stand still - disconnect network/comms and reboot.

Good luck

Paula.
If you can spell SysAdmin then you is one - anon
CHRIS_ANORUO
Honored Contributor

Re: Virus Attack or Have I been Hacked?

Thanks, Actually this problem happened on 14/11/2000 and I had the system up and running in 2hrs. I recovered with the IUX recovery tape and updated with the latest backup. I just wanted to know if anybody has had a similar experience. Lesson is - have a good recovery media and updated backups.

Thanks
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
CHRIS_ANORUO
Honored Contributor

Re: Virus Attack or Have I been Hacked?

Thanks, Actually this problem happened on 14/11/2000 and I had the system up and running in 4hrs. I recovered with the IUX recovery tape and updated with the latest backup. I just wanted to know if anybody has had a similar experience. Lesson is - have a good recovery media and updated backups.

Thanks
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
Patrick Wallek
Honored Contributor

Re: Virus Attack or Have I been Hacked?

I am not surprised that you saw ownership of the files in /stand as a UID of 0. That is normal. Since you were at the ISL (?) prompt, /etc had not been mounted yet, hence no resolution of UID/GID to their normal names.

All file ownership and group properties are stored as the numeric UID/GID number. When you do an ll when the system is running normally, the UID/GID numbers get converted automatically to their normal names.

The UID of 0, which you saw in /stand is the UID for the root user. All of /stand should be owned by root.
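
The point in the reply above, numeric owners being normal while empty files are not, shown as an added example that is not part of the original thread. It audits a constructed temporary directory standing in for /stand; the function names and the `no_passwd` lookup (simulating a stage where /etc/passwd cannot be read) are hypothetical.

```python
import os
import pwd
import stat
import tempfile


def owner_label(uid, lookup=pwd.getpwuid):
    """Account name for uid, or the bare number when no passwd entry resolves."""
    try:
        return lookup(uid).pw_name
    except KeyError:
        return str(uid)


def audit_dir(path, expected_uid=0, lookup=pwd.getpwuid):
    """Report each regular file's numeric owner, resolved label, size and findings."""
    rows = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        issues = []
        if st.st_size == 0:
            issues.append("zero-length")
        if st.st_uid != expected_uid:
            issues.append("unexpected-owner")
        rows.append({"name": name, "uid": st.st_uid, "gid": st.st_gid,
                     "owner": owner_label(st.st_uid, lookup),
                     "size": st.st_size, "issues": issues})
    return rows


def no_passwd(uid):
    """Constructed lookup that always fails, like a boot stage with no /etc/passwd."""
    raise KeyError(uid)


def demo():
    """Audit a constructed temp directory standing in for /stand."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("vmunix", b""), ("system", b"constructed sample\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return audit_dir(d, expected_uid=os.getuid(), lookup=no_passwd)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a running system, call `audit_dir("/stand")` with the defaults to check the real directory against root ownership (UID 0).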
CHRIS_ANORUO
Honored Contributor

Re: Virus Attack or Have I been Hacked?

All the /stand file sizes were zeroed.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.