To briefly summarize: Veritas Netbackup generates these files as part of its normal operation, so it is no cause for alarm. However, I wish they would pick a different name for generating the files. The long version of the answer is listed below. Thanks so much for everyone's quick responses.

Toby Rider
Senior Unix Administrator
Frontera Corporation (http://www.fronteracorp.com)
Los Angeles, CA. 90045

On Tue, 24 Jul 2001, Adrian Stovall wrote:

> Found this after doing a little digging and sending an e-mail to the guy who
> posted it. Looks like a Netbackup thing.
>
> HTH
>
> >Delivered-To: tru64-unix-managers@sws1.ctd.ornl.gov
> >Sender: tru64-unix-managers-owner@ornl.gov
> >Followup-To: poster
> >X-Sender: cknorr@hopsdm.hops.com
> >X-Mailer: QUALCOMM Windows Eudora Version 5.0
> >Date: Wed, 20 Jun 2001 11:23:08 -0400
> >To: tru64-unix-managers@sws1.ctd.ornl.gov
> >From: cknorr <cknorr@hops.com>
> >Subject: SUMMARY: .SeCuRiTy files in /?
> >
> >This probably will set the record for the longest delay in posting a
> >summary.
> >
> >Original Question, posted on 2/8/2000:
> >
> >Just noticed that we have about a gazillion files in / called:
> >
> >.SeCuRiTy.###### (where ###### is a number)
> >
> >Anyone have any idea what these bad boys are???
> >
> >
> >Analysis:
> >
> >The responses were immediate and alarming - almost everyone thought my
> >system had been hacked. Not what I was hoping for. I battened down the
> >hatches by deleting these files, installing the latest patch kit, and
> >posting a guard on deck to watch out for intruders. (i.e. I started
> >monitoring the system like crazy ....) The files never reappeared,
> >although I did get any number of e-mails from people who saw my original
> >question and wanted to know what was up, because these same files were
> >appearing on their system!
> >
> >
> >Answer:
> >
> >The big breakthrough came on 4/30/2001 from Ramon Alonso, who sent me the
> >following:
> >
> >I discovered that Netbackup is the culprit. Check out the messages...
> >
> >06:34:28 (1417.001) /E/t1.iso
> >06:34:28 (1417.001) Changed /E/t1.iso to /restore/E/t1.iso
> >06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted
> >as normal file
> >
> >We logged a call to Veritas and they pleaded total ignorance! We
> >persisted, and the smoking gun finally arrived just yesterday, via an
> >e-mail from one of their support engineers:
> >
> >Didn't find anything in our knowledge base and have never heard of this.
> >Don't have a digital machine that I can test this out on right now either.
> >So, I went through the code and found that the .SeCuRiTy.%d file is created
> >by Netbackup. Here is the comment before the code.
> >
> >/* Use the current header record to write out an LF_SECURE_EPIX record */
> >/* before the real file header. We will use this to save the */
> >/* security information so that it can be set when the actual file */
> >/* data is read when untaring. */
> >
> >This file can be ignored and/or deleted.
> >
> >Thanks,
> >
> >{Veritas Support Engineer Name Withheld}
> >-=-=-=-=-=-=
> >We have made a strong recommendation that they consider this a bug, due to
> >the poor naming of this file that strongly implies it's of hacker-origin.
> >Those of you that use Netbackup may want to make a similar recommendation,
> >especially if you are one of the customers that's a bit higher up the food
> >chain than we are.
> >
> >regards,
> >
> >Chris
>
>
> -----Original Message-----
> From: Toby Rider [mailto:tarider@blackmill.net]
> Sent: Tuesday, July 24, 2001 12:55 PM
> To: focus-sun@securityfocus.com
> Cc: sunmanagers@sunmanagers.org
> Subject: files named: /.SeCuRiTy. on Solaris server
>
>
> Hello all,
>
> I noticed that in the root directory of one of my Solaris 7
> Sparc servers I have about a hundred files named: .SeCuRiTy.<number> in
> the root directory.
> They are all grouped in two days. They are all owned by daemon,
> and all have 600 permissions.
> This machine is not open to direct access from the internet, it is
> a NIS slave server and runs Veritas Netbackup Datacenter, and has the
> latest recommended patch cluster from Sun.
> Obviously I am curious about these files, but I can't find any
> info. on the web about this being a possible compromise.
> Does anyone know if this is the result of a compromise and where I
> can get info. on this possible exploit? Thanks!
>
>
> Toby A. Rider
>
>
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Jul 24 20:03:02 2001
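The triage the two posters did by hand (inventory the /.SeCuRiTy.<number> files, note owner and mode, then look for the NetBackup restore-log message Ramon quoted) can be scripted so that a file with no corresponding log entry stands out instead of everything being deleted on sight. The shell script below is an added example for this archive page, not code from the thread or from Veritas. It stages constructed sample files and a constructed restore-log fragment modelled on the quoted messages so it runs offline; the ROOT_DIR and RESTORE_LOG variables, the function names, and the sample file numbers other than 29287 are my own assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the thread): list /.SeCuRiTy.<digits> files with
# their mode, owner and mtime, and check whether the NetBackup restore log accounts
# for each one. With no environment set it works on a constructed sample in a temp
# directory; set ROOT_DIR=/ and RESTORE_LOG=<your NetBackup restore log> for a real host.

if [ -z "${ROOT_DIR:-}" ]; then
    ROOT_DIR=$(mktemp -d)   # assumption: use a scratch directory, not the real /
    STAGE_SAMPLE=1
else
    STAGE_SAMPLE=0
fi
RESTORE_LOG="${RESTORE_LOG:-$ROOT_DIR/restore.log}"

# Constructed sample: three artefacts with the 600 mode the thread reports, one
# decoy whose suffix is not a number, and a log fragment modelled on Ramon's quote.
stage_sample() {
    for n in 29287 29288 31002; do
        : > "$ROOT_DIR/.SeCuRiTy.$n"
        chmod 600 "$ROOT_DIR/.SeCuRiTy.$n"
    done
    : > "$ROOT_DIR/.SeCuRiTy.notes"   # decoy: must not be reported
    cat > "$RESTORE_LOG" <<'EOF'
06:34:28 (1417.001) /E/t1.iso
06:34:28 (1417.001) Changed /E/t1.iso to /restore/E/t1.iso
06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted as normal file
06:34:29 (1417.001) Unknown file type 'L' for .SeCuRiTy.29288, extracted as normal file
EOF
}

# Names of .SeCuRiTy.<digits> files directly under $1, sorted, one per line.
# Only an all-digit suffix matches, following ".SeCuRiTy.###### (where ###### is a number)".
list_security_files() {
    for f in "$1"/.SeCuRiTy.*; do
        [ -e "$f" ] || continue
        base=${f##*/}
        case "${base#.SeCuRiTy.}" in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s\n' "$base"
    done | sort
}

count_security_files() {
    list_security_files "$1" | wc -l | tr -d ' '
}

# Mode string (e.g. -rw-------) of one file, taken from ls so it works on Solaris and Linux.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Number of restore-log lines ($1) that attribute file $2 to NetBackup's LF_SECURE_EPIX handling.
log_mentions() {
    grep -c "Unknown file type 'L' for $2," "$1" || true
}

# One line per file: mode, owner, mtime, name, and whether the restore log explains it.
report() {
    list_security_files "$1" | while read -r name; do
        path="$1/$name"
        owner=$(ls -ld "$path" | awk '{print $3}')
        mtime=$(ls -ld "$path" | awk '{print $6, $7, $8}')
        if [ "$(log_mentions "$2" "$name")" -gt 0 ]; then
            origin="explained by NetBackup restore log"
        else
            origin="NOT in restore log - investigate"
        fi
        printf '%s %s %s %s : %s\n' "$(mode_of "$path")" "$owner" "$mtime" "$name" "$origin"
    done
}

if [ "$STAGE_SAMPLE" -eq 1 ]; then
    stage_sample
fi
report "$ROOT_DIR" "$RESTORE_LOG"
```

On the sample, 29287 and 29288 are reported as explained and 31002 is flagged, because no restore-log line names it; the decoy .SeCuRiTy.notes is skipped. Run against a real server, the flagged entries are the ones that warrant the monitoring Chris describes, while the explained ones match the behaviour Veritas documented in their reply.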
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:25:00 EDT