
root files been deleted!!

Oct 22, 2004
Anyone who can give me some pointers gets a gold star!!

Yesterday around lunch time I started to have quite a few users phone to say they could get access; however, others were still on the machine.

I thought it may be a cron run or, even worse, that I had been hacked!! I'm sure it's not the second, as a hacker would have done more damage; also I had a backup of the files, so it was more of an inconvenience than anything. Anyhow, are there any good commands I can use to try and see what has caused this, or an approach to take? At the moment I'm quite open minded as to how this has happened...

PS: it's a DG/UX machine (I know it's not Solaris, but as we sing from the same hymn sheet I thought you guys could help.)

Thanks, Robert
 
Do you have a /var/adm/messages file to look at - there may be clues there. Was there anything in cron which looked a candidate for this problem? What exactly was the damage? Do you have a .sh_history or similar which you can examine for clues?

Sorry - more questions than answers at this stage, but post back with some more info. and I'm sure someone will be able to help.

 
Two hints: rootkit, or setuid scripts to run rm as other users?

you can run pkgchk (on Solaris) to check if the files are just as pkgadd installed them, maybe you have something similar?



Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years
 


(Re current problem, post a log at malwareremoval.com)

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
I agree with DaFranze: most likely it was either a rootkit or a setuid script, unless you have sudo or RBAC set up for specific users. I would check out or That is pretty much a tool to look for those kinds of files. Especially since you said you restored off backups, you might still have those infected files.

You can also run a find looking for setgid/setuid files. I am doing this off the top of my head, so double check before you try it:

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

Also check your /etc/passwd for accounts that have a UID of 0.
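The replies above amount to a checklist: look for UID 0 accounts and empty passwords in /etc/passwd, list setuid/setgid files, and look for a cron entry that runs rm. The script below pulls those into one triage pass. It is an added example, not code from the thread, from DG/UX, or from any of the posters; it assumes a POSIX sh with awk, find, mktemp and xargs, and the passwd file, crontab and setuid files it checks are constructed samples built by make_sample, not real data. All function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the Tek-Tips thread): first-pass triage for the checks
# suggested in the replies. Assumes POSIX sh with awk, find, mktemp and xargs.
# Every path is a parameter, so the checks can be pointed at a real system or at
# the constructed sample built by make_sample below.

# Accounts whose UID is 0 (root-equivalent) in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts with an empty password field (anyone can log in as them).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Regular files under a tree with the setuid or setgid bit set. A setuid copy of
# a shell, or a setuid script in a world-writable directory, is what to look for.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Non-comment crontab lines that invoke rm: the obvious candidate for a scheduled
# deletion. Prints "line: entry" for each hit.
cron_rm_entries() {
    awk '!/^[ \t]*#/ && /(^|[ \t;&|])rm[ \t]/ { print FNR ": " $0 }' "$1"
}

# Build a constructed sample (not real data) in a temp dir and print its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
daemon:x:1:1:daemon:/:/bin/sh
robert:x:100:100:Robert:/home/robert:/bin/sh
toor:x:0:0:second root account:/:/bin/sh
guest::101:101:guest:/home/guest:/bin/sh
EOF
    cat > "$dir/crontab" <<'EOF'
# nightly cleanup
0 2 * * * /usr/bin/find /tmp -mtime +7 -exec rm -f {} \;
30 3 * * 0 rm -rf /tmp/build.*
0 4 * * * /usr/lib/sa/sa1
EOF
    mkdir -p "$dir/bin" "$dir/tmp"
    printf '#!/bin/sh\n' > "$dir/bin/passwd"   && chmod 4755 "$dir/bin/passwd"
    printf '#!/bin/sh\n' > "$dir/bin/ls"       && chmod 0755 "$dir/bin/ls"
    printf '#!/bin/sh\n' > "$dir/tmp/.cleanup" && chmod 2755 "$dir/tmp/.cleanup"
    echo "$dir"
}

# Run every check: $1 = directory tree, $2 = passwd file, $3 = crontab file.
triage() {
    echo "== UID 0 accounts in $2";               uid0_accounts "$2"
    echo "== empty-password accounts in $2";      empty_password_accounts "$2"
    echo "== setuid/setgid files under $1";       suid_sgid_files "$1"
    echo "== crontab entries calling rm in $3";   cron_rm_entries "$3"
}

# Stand-alone demo against the constructed sample. On a real box run e.g.:
#   triage / /etc/passwd /var/spool/cron/crontabs/root
sample=$(make_sample)
triage "$sample" "$sample/passwd" "$sample/crontab"
rm -rf "$sample"
```

Two caveats when running this on the box itself. If a rootkit is on the table, find, ls and awk may be the trojaned binaries, so run the checks from known-good media or compare the binaries against a package manifest first (the pkgchk idea from Franz's reply, whatever DG/UX's equivalent is). And add -xdev to the find so it stays on local filesystems and does not walk every NFS mount.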
 