Re: files named: /.SeCuRiTy. on Solaris server

From: Mike D. Kail (mdkail@verance.com)
Date: 07/24/01


Message-Id: <200107241847.LAA09146@marathon.verancecorp.com>
To: Toby Rider <tarider@blackmill.net>
Subject: Re: files named: /.SeCuRiTy. on Solaris server 
Date: Tue, 24 Jul 2001 11:47:46 -0700
From: "Mike D. Kail" <mdkail@verance.com>

On Tue, 24 Jul 2001 10:55:20 PDT, Toby Rider wrote:
>
> I noticed that in the root directory of one of my Solaris 7
> Sparc servers I have about a hundred files named: .SeCuRiTy.<number> in
> the root directory.
> They are all grouped in two days. They are all owned by daemon,
> and all have 600 permissions.
> This machine is not open to direct access from the internet, it is
> a NIS slave server and runs Veritas Netbackup Datacenter, and has the
> latest recommended patch cluster from Sun.
> Obviously I am curious about these files, but I can't find any
> info. on the web about this being a possible compromise.
> Does anyone know if this is the result of a compromise and where I
> can get info. on this possible exploit? Thanks!

looks like veritas netbackup is the culprit

some-box:[/usr/openv/netbackup/bin]# strings bpbkar | grep SeCuRiTy
.SeCuRiTy.%d

/mdkail



Relevant Pages