From Google!!
------------------------
This probably will set the record for the longest delay in posting a summary.
Original Question, posted on 2/8/2000:
Just noticed that we have about a gazillion files in / called:
.SeCuRiTy.###### (where ###### is a number)
Anyone have any idea what these bad boys are???
Analysis:
The responses were immediate and alarming - almost everyone thought my
system had been hacked. Not what I was hoping for. I battened down the
hatches by deleting these files, installing the latest patch kit, and
posting a guard on deck to watch out for intruders. (i.e. I started
monitoring the system like crazy ....) The files never reappeared, although
I did get any number of e-mails from people who saw my original question
and wanted to know what was up, because these same files were appearing on
their system!
Answer:
The big breakthrough came on 4/30/2001 from Ramon Alonso, who sent me the
following:
I discovered that Netbackup is the culprit. Check out the messages...
06:34:28 (1417.001) /E/t1.iso
06:34:28 (1417.001) Changed /E/t1.iso to /restore/E/t1.iso
06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted as normal file
We logged a call to Veritas and they pleaded total ignorance! We persisted,
and the smoking gun finally arrived just yesterday, via an e-mail from one
of their support engineers:
Didn't find anything in our knowledge base and have never heard of this.
Don't have a digital machine that I can test this out on right now either.
So, I went through the code and found that the .SeCuRiTy.%d file is created
by Netbackup. Here is the comment before the code.
/* Use the current header record to write out an LF_SECURE_EPIX record */
/* before the real file header. We will use this to save the */
/* security information so that it can be set when the actual file */
/* data is read when untaring. */
This file can be ignored and/or deleted.
Thanks,
{Veritas Support Engineer Name Withheld}
-=-=-=-=-=-=
We have made a strong recommendation that they consider this a bug, due to
the poor naming of this file that strongly implies it's of hacker-origin.
Those of you that use Netbackup may want to make a similar recommendation,
especially if you are one of the customers that's a bit higher up the food
chain than we are.
regards,
Chris
--------------------------------------------------
-----Original Message-----
From: Carpio, Brian
Sent: Wednesday, July 09, 2003 2:44 PM
To: '[EMAIL PROTECTED]'; Jiang Peng; [EMAIL PROTECTED]
Subject: RE: Strange files found on Solaris8
They are from NetBackup I think, just the master server. E-mail Veritas for more info.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 12:22 PM
To: Jiang Peng; [EMAIL PROTECTED]
Subject: Re: Strange files found on Solaris8
> -----Original Message-----
> From: Jiang Peng [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 9, 2003 07:27 AM
> To: [EMAIL PROTECTED]
> Subject: Strange files found on Solaris8
>
> Hi All,
>
> I just found some strange files under Root directory of my Solaris 8.
>
> The files are named .SeCuRiTy.0, .SeCuRiTy.1, ..... up to .SeCuRiTy.68.
> Following is part of the output of the command ls -al:
>
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.0
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.1
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.10
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.11
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.12
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.13
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.14
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.15
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.16
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.17
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.18
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.19
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.2
> -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.20
> ..............
> Does anyone know what these files are for? I googled the internet, but found no
> clues.
Oddly, I just did a fresh install of Solaris 8 on a box today. . . mind you, my CD set
is dated 1999, but no files like you speak of. The Upper/Lower case alternation makes
one suspect you've been hacked. And assuming your box has been up and running for a
year or more, that the hack was almost a year ago.
First, look at /etc/shadow, and look for accounts you don't recognize. That's a
certain sign of a hack. . . if it's not there, it's not proof you haven't been
hacked, but if it is. . .
I'd back up, AND CLOSELY EXAMINE your config files, wipe the box, and start from
scratch. And lock it down, first. Also, use a recent edition of BIND, anything prior
to 8.3.4 (?) has a vulnerability.
Incidentally, for any internet box, I always start with a Core install, and lock it
down from there, so there are no development tools to do a make on BIND for you. As a
result, I recommend http://www.sunfreeware.com/, which has a pre-compiled BIND 9x
binary package.
> This server is running an internet DNS server.
> What I am worrying about is if someone broke into my system.
> Can anyone point me in the right direction to analyze these files? What kind of log
> files do I need to pay attention to?
Based on the dates of the files listed, I'd guess that if it WAS a hack, it happened
last year, and thus has long passed into /dev/null as far as logs are considered. . .
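Added triage script for this thread (my own example, not code from Chris, Veritas, NetBackup or anyone quoted above). It does the two checks the thread leaves you with: it matches every hidden .SeCuRiTy.* file in a directory against NetBackup restore-log lines of the exact form quoted in the summary ("Unknown file type 'L' for .SeCuRiTy.NNNNN, extracted as normal file"), so you can tell which files the restore accounts for and which do not; and it lists local accounts that are not on a baseline you maintain, the /etc/shadow check the last reply recommends, run here against /etc/passwd-style lines. The scratch directory, log lines, passwd entries, the `svc` account and the baseline list are all constructed for the demo; the thread does not give NetBackup's log path, so you pass the log file explicitly.

```shell
#!/bin/sh
# Added triage example for the .SeCuRiTy.NNNNN thread (not code from the thread).
#  1. Correlate hidden .SeCuRiTy.* files with NetBackup restore progress-log lines:
#       06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted as normal file
#  2. List local accounts missing from a known-good baseline (the reply's /etc/shadow check).
# Every directory, log line and account below is constructed for the demo.

# Build a scratch tree so the script runs offline; prints the directory path.
setup_sample() {
    d=$(mktemp -d) || exit 1
    : > "$d/.SeCuRiTy.0"
    : > "$d/.SeCuRiTy.1"
    : > "$d/.SeCuRiTy.29287"
    : > "$d/.SeCuRiTy.99999"      # no matching log line: must be flagged
    : > "$d/normal.txt"           # not a .SeCuRiTy.* file: must be ignored
    cat > "$d/restore.log" <<'EOF'
06:34:28 (1417.001) /E/t1.iso
06:34:28 (1417.001) Changed /E/t1.iso to /restore/E/t1.iso
06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.0, extracted as normal file
06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.1, extracted as normal file
06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted as normal file
EOF
    # Constructed passwd-style lines; "svc" is the account not on the baseline.
    cat > "$d/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
named:x:53:53:BIND:/var/named:/bin/false
svc:x:1001:1::/:/bin/sh
EOF
    printf 'root\ndaemon\nbin\nsys\nnamed\n' > "$d/baseline"
    printf '%s\n' "$d"
}

# explain_file NAME LOG -> prints "restore" if the NetBackup log accounts for NAME,
# "unexplained" otherwise. Fixed-string match (-F) so the dots in NAME are literal.
explain_file() {
    if grep -qF "Unknown file type 'L' for $1, extracted as normal file" "$2"; then
        echo restore
    else
        echo unexplained
    fi
}

# triage DIR LOG -> one line per DIR/.SeCuRiTy.* file: "<name> <verdict>".
# Exit status 1 if any file is unexplained, so the result can drive an alert.
triage() {
    rc=0
    for f in "$1"/.SeCuRiTy.*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        name=${f##*/}
        verdict=$(explain_file "$name" "$2")
        if [ "$verdict" = unexplained ]; then rc=1; fi
        printf '%s %s\n' "$name" "$verdict"
    done
    return $rc
}

# unexpected_accounts PASSWD BASELINE -> account names in PASSWD that are not
# listed (one per line) in BASELINE. Always exits 0; an empty result is clean.
unexpected_accounts() {
    cut -d: -f1 "$1" | grep -vxF -f "$2" || :
}
```

Usage on a real box is `triage / /path/to/netbackup-restore-log` (the path is yours to supply) and `unexpected_accounts /etc/passwd /path/to/your/baseline`. The script only tells you whether the restore log explains each file; a file the log does not account for, or an account you did not create, still gets the conservative handling the last reply describes, and the file timestamps (Aug 20 2002 in the listing above) are what to line up against the restore job's date.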
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------