    Possible Virus Infection or OS event

    Locked

    by stefanj ·

    I have a client who operates a 20 node network with a server appliance called Nexserver by Syrinex. http://www.syrinex.com

    This box uses a Linux 2.0 based OS. Recently approximately 90 percent of the data files on its drive have been switched to READ ONLY. There are no features in the OS to make changes to the attributes of all files at one time. This activity is suspicious enough to warrant the search for a virus. Well…no viruses turned up in the scan. Tell me what you think. I have engineers at Syrinex trying to figure this one out to no avail.

    Good Luck and Thanks

    Stefan Wynn Jones
    ACE-TECH COMPUTER
    412-221-8005 EXT 107

All Comments

  • Author
    Replies
    • #3894884

      Possible Virus Infection or OS event

      by jesalyer ·

      In reply to Possible Virus Infection or OS event

      I think you’re looking at either a security issue or a flat-out employee goof-up over at the client’s. Viruses are not the only thing that can eat data like Pac-man eats dots.

      I probably would not have thought these unkind thoughts, except you yourself used the word ‘suspicious’.

      jeff s
      spanish helpdesk technician

    • #3894820

      Possible Virus Infection or OS event

      by mckaytech ·

      In reply to Possible Virus Infection or OS event

      I can’t comment on the Syrinex implementation of Linux but I run a server based on the Linux 2.0.36 kernel and one certainly can make changes on large numbers of files by running CHMOD recursively.

      The other thought I had is that there is a default set of file permissions determined by the umask. If the umask got set to establish read-only permissions as the default, then all new files created after that point would be read-only.

      My guess would be the ubiquitous “Operator Error”. I know that as a Net Admin, I should be more paranoid and suspicious but I try not to attribute to malevolence that which was only ignorance. But I would want to re-visit the permissions and pay particular attention to the integrity of the root account.
      paul

      Paul M. Wright, Jr.
      McKay Technologies

    • #3778027

      Possible Virus Infection or OS event

      by jpereira ·

      In reply to Possible Virus Infection or OS event

      Partitions can be mounted read only as well. This is usually only if something goes horribly wrong, e.g. it fails to fsck and somebody deliberately mounts it to recover the data.

      This is probably not your problem because you’d expect to see all sorts of horrible problems other than just “all the files are read only.”

    • #3774947

      Possible Virus Infection or OS event

      by mutated ·

      In reply to Possible Virus Infection or OS event

      The most probable cause for this is someone using a chmod -R (recursive) by mistake. I would check everyone who has access to this .bash_history first to see if you can find evidence of this here. It is also possible that this has been done maliciously, so if you find no evidence in .bash_history you may want to review your other system logs.
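
Added example, not part of any reply in this thread: a shell triage sketch that separates the causes the replies raise (read-only mount, one recursive chmod, a restrictive umask). It assumes GNU find and a /proc/mounts-style mounts file; the function names are hypothetical.

```shell
#!/bin/sh
# Added triage sketch (not from the thread). Assumes GNU find (-printf)
# and a /proc/mounts-style mounts file; all function names are hypothetical.

# Exit 0 if mount point $1 carries the "ro" option in mounts file $2.
# Options are split on commas so "errors=remount-ro" does not match.
mount_is_ro() {
    awk -v mp="$1" '
        $2 == mp { ro = 0; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { exit (ro ? 0 : 1) }' "${2:-/proc/mounts}"
}

# Count regular files under $1 whose owner write bit is cleared.
count_readonly() { find "$1" -type f ! -perm -200 | wc -l | tr -d ' '; }

# Count all regular files under $1.
count_files() { find "$1" -type f | wc -l | tr -d ' '; }

# Per-minute histogram of inode change times (ctime) of read-only files.
# chmod updates ctime but not mtime, so one dominant minute suggests a
# single bulk chmod; a spread over days suggests files that were created
# read-only over time (umask).
ctime_histogram() {
    find "$1" -type f ! -perm -200 -printf '%CY-%Cm-%Cd %CH:%CM\n' |
        sort | uniq -c | sort -rn
}

# Number of distinct ctime minutes among the read-only files.
ctime_buckets() { ctime_histogram "$1" | wc -l | tr -d ' '; }

triage() {  # usage: triage /path/to/data
    dir=$1
    if mount_is_ro "$dir"; then echo "$dir is mounted read-only"; fi
    echo "read-only files: $(count_readonly "$dir") of $(count_files "$dir")"
    echo "current umask: $(umask)"
    echo "busiest ctime minutes of read-only files (count, minute):"
    ctime_histogram "$dir" | head -5
}

# Run only when a directory is given on the command line.
if [ $# -ge 1 ]; then triage "$1"; fi
```

The busiest minute from the histogram gives a time window to compare against shell histories and system logs.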

    • #3754713

      Possible Virus Infection or OS event

      by stefanj ·

      In reply to Possible Virus Infection or OS event

      This question was auto closed due to inactivity
