Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bigkeoni64
Contributor

Checking the FortiGate OS Linux file system

Hello

 

I am trying to determine if a customer of mine has been infected by the latest vulnerability. How do you access the Linux file system to check if the files are present?

bigkeoni64_0-1670988850580.png

 

Thank you

1 Solution
FredPaul
New Contributor III

 

Hi,

 

Run these commands to look for the files:

fnsysctl ls -la /data/lib/libips.bak
fnsysctl ls -la /data/lib/libgif.so
fnsysctl ls -la /data/lib/libiptcp.so
fnsysctl ls -la /data/lib/libipudp.so
fnsysctl ls -la /data/lib/libjepg.so
fnsysctl ls -la /var/.sslvpnconfigbk
fnsysctl ls -la /data/etc/wxd.conf
fnsysctl ls -la /flash
-Fredrik

View solution in original post

-Fredrik
6 REPLIES 6
FredPaul
New Contributor III

 

Hi,

 

Run these commands to look for the files:

fnsysctl ls -la /data/lib/libips.bak
fnsysctl ls -la /data/lib/libgif.so
fnsysctl ls -la /data/lib/libiptcp.so
fnsysctl ls -la /data/lib/libipudp.so
fnsysctl ls -la /data/lib/libjepg.so
fnsysctl ls -la /var/.sslvpnconfigbk
fnsysctl ls -la /data/etc/wxd.conf
fnsysctl ls -la /flash
-Fredrik
-Fredrik
bigkeoni64

I see only these 2 so we should be good to g - thank you.

Is there a place I can find more hidden commands like the "fnsysctl"?

bigkeoni64

bigkeoni64_0-1670992852745.png

 

FredPaul
New Contributor III

Seeing any of these files is an indication of compromise, so you should take appropriate action.

-Fredrik
-Fredrik
bigkeoni64

By the way, does this take into account the standby FortiGate as well in an HA pair or multiple HA devices for that matter?

funkylicious

No, you would need to connect to each unit.

 

execute ha manage <ID> <user>

or if you are using VDOMs from global : config global > execute ha manage <ID> <user>

geek
geek
Labels
Top Kudoed Authors