No… we are not talking about Nielsen ratings, but about shared IFS directories … they can be infected by viruses and malware coming from PCs and other servers and operating systems, and even cause problems for our solid IBM i.
Let’s get to the point of this specific situation: a client of mine calls me on the phone worried because, after spending the weekend trying to stem a damned ransomware virus circulating in the company, some features of IBM i no longer work. Damn, as if we didn’t have enough viruses in this period!
I connect to the system and find problems with the HTTPGETCLOB and HTTPPOSTCLOB functions widely used for Web Services from the IBM i world: strange errors come back, and the joblog reports error messages when calling some Java functions from SYSTOOLS.
Going deeper I find that Java doesn’t work either … I finally get to the offending folder “/QIBM/ProdData/OS400/PASE/bin/java”, which contains a large number of files with the .laChiffre extension.
Can a virus also damage IBM i?
(Famous last words …)
Don’t worry!
AS400 cannot be attacked by viruses!
Going deeper we found some shares with read-and-write authority and, in particular, a /QIBM directory that nobody remembers ever having shared or used. I check some other customers’ IBM i systems and find the same two shared folders everywhere, in some cases read-only and in others even read/write. Damn, it must be some old IBM i default, or someone deliberately enabled writing for some reason in the past … but it is a fairly widespread situation (at least among my clients).
The two offending directories are:
The first one is a share for LDAP-like functions of IBM i when they are managed by tools on the PC side … useless in 90% of cases.
The second one, /QIBM, is much more dangerous and is probably a relic of the past; I personally believe I have never used it, but it is shared there and gets attacked by the damned viruses and ransomware.
Fortunately, there were all backups from the client and the offending directories were restored from the backup.
In this case, for the “la Chiffre” ransomware it was also quite simple, because the cursed thing renames every file it attacks with the “.laChiffre” extension, so from Qshell:
find / -name '*.laChiffre' -print
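The one-line find above answers "are there encrypted files anywhere?". When scoping a restore you also want to know how many there are and which directories are hit hardest. The script below is an added example (not from the original post) that generalises the command to any extension and reports affected directories sorted by count; it runs in Qshell or PASE on IBM i as well as on any POSIX shell. The extension and the small directory tree it builds for the demonstration are constructed here, not taken from the incident.

```shell
#!/bin/sh
# Added example, not the post's own code: scope a ransomware hit on the IFS by
# counting files that carry the attacker's extension, per directory.
# Usage: sh ifs_scan.sh <root> <extension>   e.g.  sh ifs_scan.sh / laChiffre

# count_renamed ROOT EXT -> number of regular files under ROOT named *.EXT
count_renamed() {
    find "$1" -type f -name "*.$2" 2>/dev/null | wc -l | tr -d ' '
}

# affected_dirs ROOT EXT -> one line per directory that holds renamed files,
# formatted "<count> <directory>", most affected first (restore those first).
affected_dirs() {
    find "$1" -type f -name "*.$2" 2>/dev/null \
      | sed 's#/[^/]*$##' \
      | sort | uniq -c | sort -rn \
      | sed 's/^ *//'
}

# make_sample_tree -> builds a constructed IFS-like tree under a temp dir and
# prints its path; used only to demonstrate the two functions offline.
make_sample_tree() {
    d="${TMPDIR:-/tmp}/ifsscan.$$"
    mkdir -p "$d/QIBM/ProdData/OS400/PASE/bin/java" \
             "$d/QIBM/ProdData/OS400/DirSrv" \
             "$d/home/user"
    for f in java javac keytool; do
        : > "$d/QIBM/ProdData/OS400/PASE/bin/java/$f.laChiffre"
    done
    : > "$d/QIBM/ProdData/OS400/DirSrv/config.ldif.laChiffre"
    : > "$d/home/user/report.txt"    # untouched file: must not be counted
    : > "$d/home/user/laChiffre"     # no dot: a plain -name 'laChiffre' would
                                     # match this, the *.EXT pattern does not
    echo "$d"
}

# When run directly with a root and an extension, print the report.
if [ $# -ge 2 ]; then
    echo "Renamed files under $1: $(count_renamed "$1" "$2")"
    affected_dirs "$1" "$2"
fi
```

On a real system, run it against `/` (or against the paths of the shares you found) with the extension the ransomware used; the per-directory list tells you which directories to restore from backup and, by elimination, which shares the malware could write to.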
I invite you to check, or have your system administrator check, the IFS shares and do a good cleanup; while you’re at it, also check that the IFS itself is being saved, since it is often forgotten in backup procedures.
There are also antivirus and antimalware solutions for IBM i; it may be worth looking into them.
In the image below, /QIBM is shared read-only … which may be fine; DirSrv is instead read/write … if you don’t need it, end the share. Then there are other directories, those of PTFs or operating system images … these too would be better ended, or set to read-only and enabled only when needed!
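To turn the advice above into a repeatable check, the script below is an added example (not from the original post) that audits a list of NetServer file shares and gives each one a verdict: writable shares of system directories should be removed, other writable shares restricted, read-only shares of system paths reviewed. The input is one share per line in the form "SHARE_NAME|PATH_NAME|PERMISSIONS", i.e. the three columns you would export from the QSYS2.SERVER_SHARE_INFO view (the view and column names are real; the permission strings "READ ONLY" and "READ/WRITE" are assumed to match what the view reports, and the sample rows are constructed for the demonstration).

```shell
#!/bin/sh
# Added example, not the post's own code: classify IBM i NetServer file shares.
# Input on stdin: SHARE_NAME|PATH_NAME|PERMISSIONS  (one share per line).

# Constructed sample rows modelled on the situation the post describes:
# /QIBM shared read-only, DirSrv read/write, an install-image folder read/write.
SAMPLE_SHARES='QIBM|/QIBM|READ ONLY
DIRSRV|/QIBM/ProdData/OS400/DirSrv|READ/WRITE
QIMAGES|/QIBM/UserData/OS400/images|READ/WRITE
HOME|/home|READ/WRITE
DOCS|/docs/public|READ ONLY'

# audit_shares: prints "<verdict> <share> <path> <permissions>" per input line.
#   REMOVE   - read/write share of a system directory (/QIBM, /QSYS.LIB, ...)
#   RESTRICT - any other read/write share: narrow the path or make it read-only
#   REVIEW   - read-only share of a system directory: keep only if really used
#   OK       - read-only share of user data
audit_shares() {
    awk -F'|' '
    function system_path(p) {
        return (p == "/QIBM" || index(p, "/QIBM/") == 1 ||
                index(p, "/QSYS.LIB") == 1 || index(p, "/QOpenSys/QIBM") == 1)
    }
    {
        share = $1; path = $2; perms = $3
        writable = (perms == "READ/WRITE")
        if (writable && system_path(path))  verdict = "REMOVE"
        else if (writable)                  verdict = "RESTRICT"
        else if (system_path(path))         verdict = "REVIEW"
        else                                verdict = "OK"
        print verdict, share, path, perms
    }'
}

# risky_count: number of audited lines whose verdict is not OK.
risky_count() {
    grep -vc '^OK '
}

# Demo on the constructed rows when run directly.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SHARES" | audit_shares
    echo "Shares needing action: $(printf '%s\n' "$SAMPLE_SHARES" | audit_shares | risky_count)"
fi
```

On a live system, feed it the real share list (for example the three columns of SERVER_SHARE_INFO exported with a pipe separator) and deal with every REMOVE line first: those are exactly the writable shares of /QIBM and its subdirectories that a PC-side ransomware can use to reach the operating system files.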
--- Roberto De Pedrini Faq400.com
I wrote about this issue on Midrange.com forum (https://archive.midrange.com/midrange-l/202002/msg00762.html).
Rob submitted an RFE to remove this default share /QIBM/ProdData/OS400/DirSrv.
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=140641