IBM i - Beware of "shares" (IFS and Ransomware)

Last Updated on 28 February 2020 by Roberto De Pedrini

No… we are not talking about Nielsen ratings, but about shared IFS directories … they could be infected with viruses and malware coming from PC and other server and OS and even cause problems for our solid IBM i.

Let’s get to the point of this specific situation: a client of mine calls me on the phone worried because, after spending the weekend trying to stem a damned ransomware virus circulating in the company, some features of IBM i no longer work. Damn, as if we didn’t have enough viruses in this period!

I connect to the system and get some problems with HTTPGETCLOB, HTTPOSTCLOB functions widely used for Web Services from the IBM i world, strange errors return and the Joblog reports error messages when calling some Java functions from SYSTOOLS.

Going deeper I find that Java doesn’t work either … I finally get to the offending folder “/ QIBM / ProdData / OS400 / PASE / bin / java” which contains an imported number of files with the .laChiffre extension.

Panic moments!
The virus (ransomware) has gone up to that / QIBM / … folder
- But the IBM i (indeed, the AS400 … how angry you are back to being the AS400 and not the IBM i … it’s like when children do something they don’t have to … they are always “your children” if you turn to your wife!) cannot be attacked by viruses.
- The cursed had gone so far and attacked the JAVA folders blocked everything based on that, such as the HTTP functions of SQL and other nice things.

Can a virus also damage IBM i?
(The last famous words …)
Don’t worry!
AS400 cannot be attacked by viruses!

Going deeper we found some shares with read-and-write authorities and in particular, a / QIBM directory that nobody remembers having ever shared or used. I check some other customers’ IBM i and find two shared folders everywhere, in some cases they are read and in others even read / write. Damn, it must be some old IBM i default or someone has even voluntarily activated writing for some reason in the past … but it is a fairly widespread situation (at least among my clients).

The two offending directories are:

/ QIBM / ProdData / OS400 / DirSrv
/ QIBM

The first one is a sharing for LDAP-like functions for IBM i if managed by tools on the PC side … in 90% of cases useless

The second one, the / QIBM, much more dangerous is probably an old reminiscence of the past, I personally believe I have never used it, but it is shared there and attacked by the damned viruses and ransomware.

Fortunately, there were all backups from the client and the offending directories were restored from the backup.

In this case, for the “la Chiffre” ransomware it was also quite simple because the cursed renames all the files it attacks with the “.laChiffre” extension, therefore from Qshell

find / -name 'laChiffre' -print

Index

Advice:

I invite you to check or have your system administrator check the shares of the IFS and do a good cleaning and, while you’re at it, also make a check on saving the IFS itself, often forgotten in the backup procedures.

There are also antivirus and antimalware solutions for IBM i, it may be worth taking some information about it.

In the image below the / QIBM is shared as read-only … which may be fine, the DirSrv is instead read-write… if you don’t need to end sharing … then there are other directories, those of PTFs or images of the operating system … even these would be better to end them or put them only for reading and enable them when needed!