Summary: files named: /.SeCuRiTy. on Solaris server

From: Toby Rider <tarider_at_blackmill.net>
Date: Tue Jul 24 2001 - 15:03:02 EDT
	To briefly summarize: Veritas Netbackup generates these
files as part of its normal operation, so it is no cause for alarm.
However, I wish they would pick a different name for generating the files.
	The long version of the answer is listed below. Thanks so much for
everyone's quick responses.


Toby Rider
Senior Unix Administrator
Frontera Corporation (http://www.fronteracorp.com)
Los Angeles, CA.
90045
On Tue, 24 Jul 2001, Adrian  Stovall wrote:

> Found this after doing a little digging and sending an e-mail to the guy who
> posted it.  Looks like a Netbackup thing.
> 
> HTH
> 
> >Delivered-To: tru64-unix-managers@sws1.ctd.ornl.gov
> >Sender: tru64-unix-managers-owner@ornl.gov
> >Followup-To: poster
> >X-Sender: cknorr@hopsdm.hops.com
> >X-Mailer: QUALCOMM Windows Eudora Version 5.0
> >Date: Wed, 20 Jun 2001 11:23:08 -0400
> >To: tru64-unix-managers@sws1.ctd.ornl.gov
> >From: cknorr <cknorr@hops.com>
> >Subject: SUMMARY: .SeCuRiTy files in /?
> >
> >This probably will set the record for the longest delay in posting a summary.
> >
> >Original Question, posted on 2/8/2000:
> >
> >Just noticed that we have about a gazillion files in / called:
> >
> >.SeCuRiTy.###### (where ###### is a number)
> >
> >Anyone have any idea what these bad boys are???
> >
> >
> >Analysis:
> >
> >The responses were immediate and alarming - almost everyone thought my 
> >system had been hacked. Not what I was hoping for. I battened down the 
> >hatches by deleting these files, installing the latest patch kit, and 
> >posting a guard on deck to watch out for intruders. (i.e. I started 
> >monitoring the system like crazy ....) The files never reappeared, 
> >although I did get any number of e-mails from people who saw my original 
> >question and wanted to know what was up, because these same files were 
> >appearing on their system!
> >
> >
> >Answer:
> >
> >The big breakthrough came on 4/30/2001 from Ramon Alonso, who sent me the 
> >following:
> >
> >I discovered that Netbackup is the culprit. Check out the messages...
> >06:34:28 (1417.001) /E/t1.iso
> >06:34:28 (1417.001) Changed /E/t1.iso to /restore/E/t1.iso
> >06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted 
> >as normal file
> >
> >We logged a call to Veritas and they pleaded total ignorance! We 
> >persisted, and the smoking gun finally arrived just yesterday, via an 
> >e-mail from one of their support engineers:
> >
> >Didn't find anything in our knowledge base and have never heard of this.
> >Don't have a digital machine that I can test this out on right now either.
> >So, I went through the code and found that the .SeCuRiTy.%d file is created
> >by Netbackup. Here is the comment before the code.
> >
> >/* Use the current header record to write out an LF_SECURE_EPIX record */
> >/* before the real file header. We will use this to save the */
> >/* security information so that it can be set when the actual file */
> >/* data is read when untaring. */
> >
> >This file can be ignored and/or deleted.
> >
> >Thanks,
> >
> >{Veritas Support Engineer Name Withheld}
> >-=-=-=-=-=-=
> >We have made a strong recommendation that they consider this a bug, due to 
> >the poor naming of this file that strongly implies it's of hacker-origin. 
> >Those of you that use Netbackup may want to make a similar recommendation, 
> >especially if you are one of the customers that's a bit higher up the food 
> >chain than we are.
> >
> >regards,
> >
> >Chris
> >
> 
> -----Original Message-----
> From: Toby Rider [mailto:tarider@blackmill.net]
> Sent: Tuesday, July 24, 2001 12:55 PM
> To: focus-sun@securityfocus.com
> Cc: sunmanagers@sunmanagers.org
> Subject: files named: /.SeCuRiTy. on Solaris server
> 
> 
> Hello all,
> 
> 	I noticed that in the root directory of one of my Solaris 7 Sparc
> servers I have about a hundred files named: .SeCuRiTy.<number> in the
> root directory.
> 	They are all grouped in two days. They are all owned by daemon, and
> all have 600 permissions.
> 	This machine is not open to direct access from the internet, it is a
> NIS slave server and runs Veritas Netbackup Datacenter, and has the
> latest recommended patch cluster from Sun.
> 	Obviously I am curious about these files, but I can't find any
> info on the web about this being a possible compromise.
> 	Does anyone know if this is the result of a compromise and where I
> can get info on this possible exploit? Thanks!
> 
> 
> Toby A. Rider 
> 
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
> 
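One way to triage such files along the lines of this summary, as an added example that is not part of the thread or of Netbackup: it inventories `.SeCuRiTy.<number>` entries in a directory and flags any that depart from the owner-daemon, mode-600 profile reported in the original question (the sample directory it scans is constructed, so the owner will be whoever runs it).

```python
import os
import pwd
import re
import stat
import tempfile

# Name pattern reported in the thread: .SeCuRiTy.<number>, dropped in /.
SECURITY_FILE_RE = re.compile(r"^\.SeCuRiTy\.(\d+)$")
# Benign profile described in the original question: owned by daemon, mode 600.
EXPECTED_OWNER = "daemon"
EXPECTED_MODE = 0o600


def classify(name, owner, mode):
    """None if the name does not match; 'expected' if owner and mode fit the
    Netbackup profile; otherwise a list of deviations that merit a closer look."""
    if not SECURITY_FILE_RE.match(name):
        return None
    deviations = []
    if owner != EXPECTED_OWNER:
        deviations.append(f"owner={owner} (expected {EXPECTED_OWNER})")
    perm = stat.S_IMODE(mode)
    if perm != EXPECTED_MODE:
        deviations.append(f"mode={perm:04o} (expected {EXPECTED_MODE:04o})")
    return "expected" if not deviations else deviations


def scan(directory):
    """Inventory .SeCuRiTy.* entries in one directory (no recursion)."""
    results = {}
    for name in os.listdir(directory):
        st = os.lstat(os.path.join(directory, name))
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid with no passwd entry: report it raw
        verdict = classify(name, owner, st.st_mode)
        if verdict is not None:
            results[name] = verdict
    return results


if __name__ == "__main__":
    # Constructed sample directory standing in for /; files are owned by the
    # current user, so an owner deviation is expected unless run as daemon.
    with tempfile.TemporaryDirectory() as tmp:
        for fname, mode in ((".SeCuRiTy.29287", 0o600), (".SeCuRiTy.1", 0o644)):
            path = os.path.join(tmp, fname)
            open(path, "w").close()
            os.chmod(path, mode)
        open(os.path.join(tmp, "vfstab"), "w").close()  # unrelated, ignored
        for fname, verdict in sorted(scan(tmp).items()):
            print(fname, verdict)
```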
Received on Tue Jul 24 20:03:02 2001

This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:25:00 EDT