IBM i – Beware of "shares" (IFS and Ransomware)

No… we are not talking about Nielsen ratings, but about shared IFS directories: they can be infected by viruses and malware coming from PCs and from other servers and operating systems, and can even cause problems for our solid IBM i.

Let’s get to the point of this specific situation: a client of mine calls me, worried because, after spending the weekend trying to contain a damned ransomware circulating in the company, some IBM i features no longer work. Damn, as if we didn’t have enough viruses in this period!

I connect to the system and find problems with the HTTPGETCLOB and HTTPPOSTCLOB functions, widely used for Web Services from the IBM i world: they return strange errors, and the job log reports error messages when calling some Java functions from SYSTOOLS.

Going deeper I find that Java doesn’t work either … I finally get to the offending folder /QIBM/ProdData/OS400/PASE/bin/java, which contains a large number of files with the .laChiffre extension.

  • Panic moments!
  • The virus (ransomware) has climbed all the way up to that /QIBM/… folder
    • But the IBM i (well, the AS400 … funny how it goes back to being “the AS400” and not “the IBM i” as soon as something goes wrong … just like children, who are always “your children” when they misbehave, if you ask your wife!) cannot be attacked by viruses.
    • The cursed thing had got that far and, by attacking the Java folders, blocked everything built on them, such as the SQL HTTP functions and other nice things.

Can a virus also damage IBM i?

(The last famous words …)

Don’t worry!

AS400 cannot be attacked by viruses!
Going deeper we found some shares with read/write authority and, in particular, a share on /QIBM that nobody remembers having ever created or used. I checked the IBM i of some other customers and found the same two shared folders everywhere, in some cases read-only and in others even read/write. Damn, it must be some old IBM i default, or someone deliberately enabled write access for some reason in the past … but it is a fairly widespread situation (at least among my clients).

The two offending directories are:

  • /QIBM/ProdData/OS400/DirSrv
  • /QIBM

The first one is a share used for the LDAP-type functions of IBM i when they are managed by PC-side tools … useless in 90% of cases.

The second one, /QIBM, is much more dangerous and is probably a leftover from the past; I personally don’t believe I have ever used it, but there it is, shared and attacked by the damned viruses and ransomware.

Fortunately, the client had all the backups, and the offending directories were restored from them.

In this case, with the “la Chiffre” ransomware it was also quite simple, because the cursed thing renames every file it attacks with the “.laChiffre” extension, so from Qshell:

find / -name '*.laChiffre' -print
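Before restoring from backup it helps to know how far the ransomware got: which directories were hit, how many files, and what the original names were. The script below is an added example (not from the original post): it wraps that find into three small reports, and the sample tree it builds is constructed to mimic /QIBM after the incident. It assumes a POSIX sh with find, sed, sort and uniq, as in Qshell or PASE.

```shell
#!/bin/sh
# Added example, not from the original post. Scope a ransomware hit on the IFS
# before restoring: the extension appended by the ransomware (".laChiffre" in
# the post) is the marker, so every file carrying it is one file to restore.
EXT="${EXT:-laChiffre}"

# Per-directory count of renamed files under $1, most affected first.
# Output lines look like "2 /QIBM/ProdData/OS400/PASE/bin/java".
hit_report() {
    find "$1" -type f -name "*.$EXT" 2>/dev/null \
        | sed 's|/[^/]*$||' \
        | sort | uniq -c | sort -rn \
        | sed 's/^ *//'
}

# Total number of renamed files under $1 (the size of the restore job).
hit_count() {
    find "$1" -type f -name "*.$EXT" 2>/dev/null | wc -l | tr -d ' '
}

# Original names of the hit files (extension stripped), sorted: the list
# to pull back from the last good IFS save.
restore_list() {
    find "$1" -type f -name "*.$EXT" 2>/dev/null | sed "s/\.$EXT\$//" | sort
}

# Constructed sample tree standing in for /QIBM after the incident.
# The readme.txt is an untouched file and must not appear in any report.
make_sample() {
    d="$1"
    mkdir -p "$d/ProdData/OS400/PASE/bin/java" "$d/ProdData/OS400/DirSrv" "$d/UserData/clean"
    : > "$d/ProdData/OS400/PASE/bin/java/java.laChiffre"
    : > "$d/ProdData/OS400/PASE/bin/java/libjvm.so.laChiffre"
    : > "$d/ProdData/OS400/DirSrv/ldap.conf.laChiffre"
    : > "$d/UserData/clean/readme.txt"
}

# Demo run on the constructed tree: sh scope_hit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    make_sample "$tmp"
    hit_report "$tmp"
    echo "total renamed files: $(hit_count "$tmp")"
    restore_list "$tmp"
    rm -rf "$tmp"
fi
```

On the real system run the functions against /QIBM (or /) with EXT set to whatever extension the ransomware actually used.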


Advice:

I invite you to check, or have your system administrator check, the IFS shares and do a good clean-up; while you’re at it, also check that the IFS itself is being saved, since it is often forgotten in backup procedures.

There are also antivirus and anti-malware solutions for IBM i; it may be worth gathering some information about them.

In the image below, /QIBM is shared read-only, which may be fine, while DirSrv is read/write … if you don’t need it, end the share. Then there are other directories, those of PTFs or operating system images … it would be better to end those shares too, or make them read-only and enable them only when needed!


--- Roberto De Pedrini Faq400.com
