
Password Is Maliciously Changed After an OSN Is Shared Using NFS

Publication Date:  2014-09-23 Views:  161 Downloads:  0
Issue Description
• Product involved: CSS-F
• Product version: CSS-F V001R001C01

Symptom 1: The OSN shared using NFS can be pinged but cannot be logged in to with the given password. Several login attempts fail, and the OSN is mapped to the public IP address 112.64.16.68.

Symptom 2: After the password is changed using the ISM, the OSN can be logged in to successfully using SSH. The device that last logged in to the OSN used an unauthorized public IP address.


Note: This IP address is found to be used by a malicious website.


Symptom 3: When logging in to the OSN using SSH after the password is changed using the ISM, the password prompt appears only after about seven seconds. After the route command is run on the OSN, the routing table entries are printed slowly, one every 3 to 5 seconds. The problem persists after the network and the OSN are restarted.

Symptom 4: Running the tcpdump -i bond0 -n not port 22 command shows that packets are being sent to all related ports. The OSN is mapped to the public IP address 112.64.16.68.



Alarm Information
None

Handling Process
  1. If the root password has been changed, choose “Resources > Storage > Cloud Storage Systems > Storage Domain > Domain Nodes > Change Root Password” on the ISM to change the password.
  2. If the ssh, route, and netstat commands respond slowly, check the “/etc/resolv.conf” file. If any content has been added to the file, delete it and leave the file blank.
  3. If suspicious packets are being sent to related ports, check the public IP addresses. Configure the firewall to block all malicious public IP addresses. Do not expose the OSN to the public network.

     
Root Cause
Cause of symptom 1: The OSN password was changed by a malicious website.
Cause of symptom 2: The malicious website is identified after logging in to the OSN with the new password set on the ISM.
Cause of symptom 3: The ssh and route commands take a long time to respond.
The slow response of the route command is not caused by a modification of the routing table. It is caused by a modification of the “/etc/resolv.conf” file:
[admin@D1_OSN5 20:38:48 /etc]# cat resolv.conf
nameserver 8.8.8.8

Normally, the “/etc/resolv.conf” configuration file in the operating system is blank. If the file is incorrectly configured, the ssh, route, and netstat commands respond slowly, because they try to resolve the IP addresses they display or connect to into host names. In this case the “/etc/resolv.conf” file is not blank: content has been added to it. The modified file turns the OSN into a DNS client that uses the DNS server 8.8.8.8, the public DNS server provided by Google. When SSH is used to access the OSN, domain names are resolved through the DNS server configured in the modified “/etc/resolv.conf” file. That DNS server responds slowly (or is temporarily unreachable), so multiple name resolution attempts fail and the access times out.
Cause of symptom 4: The OSN is mapped to a public IP address, which must be blocked.




Suggestions
  1. Do not expose the OSN to the public network.
  2. During preventive maintenance, log in to every node to check its login password. Login password changes cannot be detected by the ISM.
  3. Check the “/etc/resolv.conf” file when the ssh, route, and netstat commands respond slowly.
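The following script is an added example written for this article; it is not Huawei or CSS-F code. It turns handling process step 2 and suggestions 2 and 3 into repeatable checks that can run on every node during preventive maintenance: it flags a non-blank /etc/resolv.conf, and it detects a root password change that the ISM cannot see by comparing the root hash in /etc/shadow against a baseline recorded after the last trusted password change. The function names, the baseline path /var/lib/osn-audit/root.hash.baseline and the --audit/--baseline options are this example's own choices, and the file paths are parameters so the checks can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example for this article (not Huawei/CSS-F code): audit an OSN node for
# the two tamper indicators described above, a non-blank /etc/resolv.conf and a
# root password that changed behind the ISM's back. File paths are parameters so
# the checks can run against constructed sample files; the defaults are the live
# system files. Function, option and baseline-path names are assumptions.

# Return 0 if the resolver file is blank (comments and whitespace ignored) or
# absent; otherwise print the unexpected lines and return 1.
check_resolv_conf() {
    f="${1:-/etc/resolv.conf}"
    [ -f "$f" ] || return 0
    unexpected=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' || true)
    if [ -n "$unexpected" ]; then
        printf 'WARN: %s is not blank (added content):\n%s\n' "$f" "$unexpected"
        return 1
    fi
    return 0
}

# Print the password hash field of the root entry in a shadow-format file.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "${1:-/etc/shadow}"
}

# Store the current root hash as the baseline. Run this right after a trusted
# password change (for example via the ISM), then keep a copy off the node.
record_root_hash() {
    root_hash "$1" > "$2"
}

# Return 0 if the root hash still matches the baseline, 1 if it changed,
# 2 if there is no baseline to compare against.
check_root_hash() {
    shadow="${1:-/etc/shadow}"
    baseline_file="${2:-/var/lib/osn-audit/root.hash.baseline}"
    [ -f "$baseline_file" ] || { printf 'No baseline at %s\n' "$baseline_file"; return 2; }
    current=$(root_hash "$shadow")
    baseline=$(cat "$baseline_file")
    if [ "$current" != "$baseline" ]; then
        printf 'WARN: root password hash in %s differs from baseline\n' "$shadow"
        return 1
    fi
    return 0
}

# Run both checks on the live node and list the last root logins with their
# source IP addresses (util-linux "last -ai"), for the symptom 2 review.
audit_node() {
    status=0
    check_resolv_conf || status=1
    check_root_hash || status=1
    if command -v last >/dev/null 2>&1; then
        printf 'Recent root logins (source address in last column):\n'
        last -ai root 2>/dev/null | head -n 10
    fi
    return $status
}

# Usage: sh osn_audit.sh --baseline   (record the root hash after a trusted change)
#        sh osn_audit.sh --audit      (run the live checks; non-zero exit = finding)
case "${1:-}" in
    --audit)    audit_node ;;
    --baseline) mkdir -p /var/lib/osn-audit && record_root_hash /etc/shadow /var/lib/osn-audit/root.hash.baseline ;;
esac
```

Run `--baseline` once right after setting the root password on the ISM and `--audit` on every maintenance visit; a non-zero exit means a finding. A quick way to confirm that a slow route or netstat is the name-resolution problem from the root cause section rather than a routing problem is to run `route -n` or `netstat -n`: the -n option skips the reverse DNS lookups, so if those print instantly while the plain commands crawl, the delay comes from the resolver configuration.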

