RE: Strange files found on Solaris8

From: Carpio, Brian (Brian_Carpio_at_csgsystems.com)
Date: 07/09/03

    Date: Wed, 9 Jul 2003 14:43:53 -0600
    To: <salgak@speakeasy.net>, "Jiang Peng" <secplatform@hotmail.com>, <security-basics@securityfocus.com>
    
    

    They are from NetBackup, I think, just the master server. E-mail Veritas for more info.

    -----Original Message-----
    From: salgak@speakeasy.net [mailto:salgak@speakeasy.net]
    Sent: Wednesday, July 09, 2003 12:22 PM
    To: Jiang Peng; security-basics@securityfocus.com
    Subject: Re: Strange files found on Solaris8

    > -----Original Message-----
    > From: Jiang Peng [mailto:secplatform@hotmail.com]
    > Sent: Wednesday, July 9, 2003 07:27 AM
    > To: security-basics@securityfocus.com
    > Subject: Strange files found on Solaris8
    >
    > Hi All,
    >
    > I just found some strange files under Root directory of my Solaris 8.
    >
    > The files are named: .SeCuRiTy.0, .SeCuRiTy.1, ... up to .SeCuRiTy.68.
    > Following are part of the output of command: ls -al
    >
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.0
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.1
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.10
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.11
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.12
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.13
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.14
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.15
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.16
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.17
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.18
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.19
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.2
    > -rwx------ 1 daemon other 128 Aug 20 2002 .SeCuRiTy.20
    > ..............
    > Does anyone know what these files are for? I googled the internet, but found no
    > clues.

    Oddly, I just did a fresh install of Solaris 8 on a box today. . . mind you, my CD set is dated 1999, but no files like you speak of. The Upper/Lower case alternation makes one suspect you've been hacked. And assuming your box has been up and running for a year or more, that the hack was almost a year ago.

    First, look at /etc/shadow, and look for accounts you don't recognize. That's a certain sign of a hack. . . if it's not there, it's not proof you haven't been hacked, but if it is. . .

    I'd back up, AND CLOSELY EXAMINE your config files, wipe the box, and start from scratch. And lock it down, first. Also, use a recent edition of BIND, anything prior to 8.3.4 (?) has a vulnerability.

    Incidentally, for any internet box, I always start with a Core install, and lock it down from there, so there are no development tools to do a make on BIND for you. As a result, I recommend http://www.sunfreeware.com/, which has a pre-compiled BIND 9x binary package.

    > This server is running an internet DNS server.
    > What I am worrying about is whether someone broke into my system.
    > Can anyone point me in the right direction to analyze these files? What kind of log
    > files do I need to pay attention to?

    Based on the dates of the files listed, I'd guess that if it WAS a hack, it happened last year, and thus has long passed into /dev/null as far as logs are considered. . .

    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
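A small triage helper for the checks the reply above recommends (accounts you don't recognize, plus an inventory of the dot-files in a directory), added here as an example and not part of the thread. It reads a passwd-format file rather than /etc/shadow so it runs unprivileged; the sample passwd content and the baseline list are constructed, and the `backup` account in the sample is a made-up UID-0 entry to show what the check flags.

```shell
#!/bin/sh
# Added triage helper (not from the mailing-list thread). POSIX sh only, so it
# also runs under Solaris /bin/sh.

# Constructed sample in /etc/passwd format; "backup" is a deliberately
# planted second UID-0 account for demonstration.
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
backup:x:0:1::/:/bin/sh
jiang:x:1001:10::/export/home/jiang:/bin/ksh'

# Site baseline of expected login names, one per line (constructed).
BASELINE='root
daemon
bin
nobody
jiang'

# unknown_accounts PASSWD_FILE BASELINE_FILE
# Prints every login name in PASSWD_FILE that is not an exact line of BASELINE_FILE.
unknown_accounts() {
    cut -d: -f1 "$1" | grep -v -x -F -f "$2"
}

# extra_uid0 PASSWD_FILE
# Prints any account other than root whose UID field is 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# hidden_files DIR
# Prints the names of dot-files directly under DIR (skips . and ..); pipe the
# names through ls -l to get owner, size and mtime as in the original ls -al.
hidden_files() {
    for f in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}
```

A file that shows up as both unknown and UID 0 deserves the rebuild the thread advises; a file that is merely unknown still wants an explanation (here, NetBackup turned out to be the source).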


