Shut down those /QIBM shares

Last week I posed a question on Twitter and LinkedIn about what would actually be deleted if your IBM i /QIBM share was fully compromised by malware.

What’s the /QIBM share?

Well, it’s something that was released years ago but has since been deemed a security risk. In fact, it was iTech Solutions that reported it and requested it shut down. Since then, four PTFs have been released to do just that; one for each recent OS version:

    • 7.1 — SI76071
    • 7.2 — SI76072
    • 7.3 — SI76073
    • 7.4 — SI76074

Unfortunately, many IBM i customers may not be able to apply PTFs too often so that share may exist on your system. It’s a very simple process to turn it off. Essentially you have to go into IBM Navigator for i, find the file share for /QIBM and click “Stop Sharing.” That’s all the PTF will do as well.

Now, to leave that share out there would not be an ideal thing to do. If someone with *ALLOBJ special authority were to map that drive to their PC or laptop, then inadvertently kicked off some ransomware, then the /QIBM directory would be in big trouble. How much trouble?

Well, I happen to have an IBM i partition we use for such tests. I decided to redeploy some custom malware as I did in the article called The Real Effects of Malware on IBM i against the /QIBM directory on that same (albeit rebuilt) WLECYOTE server. I do this so you don’t have to wonder…you’ll know.

Malware directed at WLECYOTE ran for about 5 minutes, destroying much of /QIBM. What was the result?

Well, licensed programs in *ERROR status were:

  • 5770SS1 options *base, 3, 30, 31, 39, 43
  • 5770DG1
  • 5770JV1
  • 5770WDS options 33, 34, 35, 41, 43, 44, 45

 

  • Host servers mostly destroyed except Telnet
    • Good luck getting Access for Windows or ACS Telnet without Signon
    • DOS Telnet will work! Enjoy!
    • But to be fair, I think I had a Telnet server in use…so your mileage may vary depending on the time of day.
  • Objects missing for licensed programs 5770TC1, 5770TS1, 5770XW1, 5770NAE, 5770PT1, 5733SC1
    • That’s TCPIP, Transform Services, IBM Access Family, Network Authentication Enablement, Performance Tools, SSH
  • License information
  • Digital Certificate Manager…goodbye encryption, even if Telnet works
  • Navigator for i

That’s a good chunk of the system destroyed. It’s functional…sort of.

That’s why you need to update PTFs (to close that /QIBM share) and why you need to take ransomware attacks seriously.

More from this month:

Leave a Comment

Your email address will not be published.