Checking the FortiGate OS Linux file system

bigkeoni64 · ‎12-13-2022

Hello

I am trying to determine if a customer of mine has been infected by the latest vulnerability. How do you access the Linux file system to check if the files are present?

Thank you

FredPaul · ‎12-13-2022

Hi,

Run these commands to look for the files:

fnsysctl ls -la /data/lib/libips.bak
fnsysctl ls -la /data/lib/libgif.so
fnsysctl ls -la /data/lib/libiptcp.so
fnsysctl ls -la /data/lib/libipudp.so
fnsysctl ls -la /data/lib/libjepg.so
fnsysctl ls -la /var/.sslvpnconfigbk
fnsysctl ls -la /data/etc/wxd.conf
fnsysctl ls -la /flash

-Fredrik

View solution in original post

FredPaul · ‎12-13-2022

Hi,

Run these commands to look for the files:

fnsysctl ls -la /data/lib/libips.bak
fnsysctl ls -la /data/lib/libgif.so
fnsysctl ls -la /data/lib/libiptcp.so
fnsysctl ls -la /data/lib/libipudp.so
fnsysctl ls -la /data/lib/libjepg.so
fnsysctl ls -la /var/.sslvpnconfigbk
fnsysctl ls -la /data/etc/wxd.conf
fnsysctl ls -la /flash

-Fredrik

bigkeoni64 · ‎12-13-2022

I see only these 2 so we should be good to g - thank you.

Is there a place I can find more hidden commands like the "fnsysctl"?

bigkeoni64 · ‎12-13-2022

FredPaul · ‎12-14-2022

Seeing any of these files is an indication of compromise, so you should take appropriate action.

-Fredrik

bigkeoni64 · ‎12-13-2022

By the way, does this take into account the standby FortiGate as well in an HA pair or multiple HA devices for that matter?

funkylicious · ‎12-14-2022

No, you would need to connect to each unit.

execute ha manage <ID> <user>

or if you are using VDOMs from global : config global > execute ha manage <ID> <user>

"jack of all trades, master of none"

Checking the FortiGate OS Linux file system

Nominate a Forum Post for Knowledge Article Creation