Re: IFS share /QIBM and /QIBM/ProdData/OS400/DirSrv

Hello Roberto,

Am 27.02.2020 um 11:32 schrieb Roberto De Pedrini <roberto.faq400@xxxxxxxxx>:

A lot of problems, Java doesn't start, HTTPGETCLOB functions stop working
and other nice things ... 2 days of hell for IT department.

Sounds like complete IFS restore from backup is next.

This is a very good chance to (after everything's running again) review security measures and recovery action plans. Unfortunately, many shops/companies aren't prepared to deal with such a successful attack.

Checking on the IBM i we found some default directories share, like /QIBM,
/QIBM/ProdData/OS400/DirSrv

I look at my other IBM i systems and everyone has the same default shared
directories ...

1) Why this default?

Maybe because IBM suggests client access install directly from there. If this is still a thing today with everything browser-based. Maybe more but that's just guesswork. That these directories can be accessed read/write is probably not a good default.

2) Can I stop these shares?

I guess through the same means as you create new shares. If you don't need any CIFS access to IFS, you can also stop the CIFS server. More details on request.

3) There's some kind on antivirus solution for IBM i?

How's that supposed to help? Shares are just like local disks to any client. The clients must prevent evil programs to access stuff. How's any file server supposed to know if accessing (reading from/writing to) a share is legit or not?

:wq! PoC

PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc