Any takers on a security issue

Hi All

I have an issue.

We have a server whose network configuration changed very recently. This is unusual, and it has now turned into a security incident, because I just finished verifying all the logs:

su log, syslog, messages, sudosh logs, sudo logs, and I can't find any trace of the ifconfig command, which I should have seen.

I was wondering whether ifconfig does any writing to a file somewhere deep in the system.

This is a Solaris 9 SPARC system.

Any clues, no matter how far-fetched they seem.

TTFN
Dan

Does the machine obtain any network information via DHCP?

Depending on the default shell on Solaris, you could grep every user's (including root's) history file for ifconfig commands.
The bash history file is ~/.bash_history, and I think ksh's is ~/.history.
That MAY help.
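As an added example (not from anyone in this thread), here is a POSIX sh function that does the history sweep suggested above for every account in a passwd file, looking in the usual bash and ksh history file names; the passwd path is a parameter so it can be run against a copy taken from the affected host, and the fixture at the bottom is constructed sample data, not real logs.

```sh
#!/bin/sh
# Added example: scan every account's shell history files for a command
# pattern. Usage: scan_histories PASSWD_FILE PATTERN
# Prints "user:histfile:line" per hit; exit status 0 if anything matched.
# Assumes the usual history names ~/.bash_history (bash), ~/.sh_history and
# ~/.history (ksh); the real name depends on each account's shell and HISTFILE.
scan_histories() {
    passwd_file=$1
    pattern=$2
    total=0
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    while IFS=: read -r name _pw _uid _gid _gecos home _shell; do
        case $name in ''|\#*) continue ;; esac   # skip blank/comment lines
        [ -d "$home" ] || continue               # no home dir, nothing to scan
        for hist in .bash_history .sh_history .history; do
            f="$home/$hist"
            [ -f "$f" ] || continue
            # -i: an attacker may have typed IFCONFIG, or a path to the binary
            grep -i "$pattern" "$f" 2>/dev/null | while IFS= read -r line; do
                printf '%s:%s:%s\n' "$name" "$f" "$line"
            done
            # count in the parent shell; the pipeline above runs in a subshell
            n=$(grep -ic "$pattern" "$f" 2>/dev/null) || n=0
            total=$((total + n))
        done
    done < "$passwd_file"
    [ "$total" -gt 0 ]
}

# Constructed fixture (not real data): a tiny passwd file and two home dirs.
make_fixture() {
    root=$1
    mkdir -p "$root/home/alice" "$root/home/bob"
    printf 'alice:x:1001:10::%s:/bin/bash\n' "$root/home/alice" >  "$root/passwd"
    printf 'bob:x:1002:10::%s:/bin/ksh\n'    "$root/home/bob"   >> "$root/passwd"
    printf 'nohome:x:1003:10::%s:/bin/sh\n'  "$root/missing"    >> "$root/passwd"
    printf 'ls -l\nifconfig hme0 192.0.2.10 netmask 255.255.255.0 up\n' \
        > "$root/home/alice/.bash_history"
    printf 'cat /etc/hosts\nIFCONFIG -a\n' > "$root/home/bob/.sh_history"
}

fixture=$(mktemp -d)
make_fixture "$fixture"
scan_histories "$fixture/passwd" ifconfig
```

A history file is only evidence of what was not cleared: an empty or suspiciously short file for an admin account is itself worth noting.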

To corona688

Thanks, but no, this server receives no DHCP info.

To wempy

There are only 6 admins that can access this server.

And I did check their history files with no joy. What I'm looking for is a file where the config might be written.

Thank you all for the effort
Dan

Maybe you can simply do a search for the ifconfig command in every file in the file system, something like:

find / -type f -exec grep -il ifconfig {} \;

Add other options to find as you see fit.

Hi Neo

I tried that and came up with nothing. I want to explore other ways, or ways that this could have been changed without using ifconfig.
Dan

Your network configuration could also have been changed without using ifconfig. It might have been changed programmatically via another executable.

Hi fpmurphy

Can you expand on that?

Hi All

I would like to thank all who put in their 2 cents' worth.

But I'm closing this thread unsolved for the moment. The organization in this company is requesting a forensic team to investigate this situation when the address is verified as to what domain answers to that IP.

Let's just say it isn't pretty.

Again, many thanks to all.
Dan