This probably will set the record for the longest delay in posting a summary.
Original Question, posted on 2/8/2000:
Just noticed that we have about a gazillion files in / called:
.SeCuRiTy.###### (where ###### is a number)
Anyone have any idea what these bad boys are???
Analysis:
The responses were immediate and alarming - almost everyone thought my
system had been hacked. Not what I was hoping for. I battened down the
hatches by deleting these files, installing the latest patch kit, and
posting a guard on deck to watch out for intruders. (i.e. I started
monitoring the system like crazy ....) The files never reappeared, although
I did get any number of e-mails from people who saw my original question
and wanted to know what was up, because these same files were appearing on
their system!
Answer:
The big breakthrough came on 4/30/2001 from Ramon Alonso, who sent me the
following:
I discovered that Netbackup is the culprit. Check out the messages...
06:34:28 (1417.001) /E/t1.iso
06:34:28 (1417.001) Changed /E/t1.iso to /restore/E/t1.iso
06:34:28 (1417.001) Unknown file type 'L' for .SeCuRiTy.29287, extracted as normal file
We logged a call to Veritas and they pleaded total ignorance! We persisted,
and the smoking gun finally arrived just yesterday, via an e-mail from one
of their support engineers:
Didn't find anything in our knowledge base and have never heard of this.
Don't have a digital machine that I can test this out on right now either.
So, I went through the code and found that the .SeCuRiTy.%d file is created
by Netbackup. Here is the comment before the code.
/* Use the current header record to write out an LF_SECURE_EPIX record */
/* before the real file header. We will use this to save the */
/* security information so that it can be set when the actual file */
/* data is read when untaring. */
This file can be ignored and/or deleted.
Thanks,
{Veritas Support Engineer Name Withheld}
-=-=-=-=-=-=
We have made a strong recommendation that they consider this a bug, due to
the poor naming of this file that strongly implies it's of hacker-origin.
Those of you that use Netbackup may want to make a similar recommendation,
especially if you are one of the customers that are a bit higher up the food
chain than we are.
regards,
Chris
Received on Wed Jun 20 2001 - 15:25:38 NZST
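
The restore log quoted in the message above shows a reader meeting a header of type 'L' and extracting it as a normal file. The following is an added example, not part of the original post and not NetBackup code: it walks the headers of a tar-style stream and flags entries whose type flag a plain ustar reader would not recognise. It assumes the record uses the standard 512-byte tar header layout, which the page does not confirm; the sample archive, its payload and all function names are constructed for illustration.

```python
import re

BLOCK = 512
USTAR_TYPES = set(b"01234567\0")      # typeflags a plain ustar reader knows
SECURITY_NAME = re.compile(r"(^|/)\.SeCuRiTy\.\d+$")

def make_header(name, size, typeflag):
    """Build one 512-byte tar header (constructed sample data)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108] = b"0000600\0"          # mode
    h[124:136] = b"%011o\0" % size     # size in octal
    h[136:148] = b"00000000000\0"      # mtime
    h[148:156] = b" " * 8              # checksum is computed over spaces
    h[156] = ord(typeflag)
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)

def pad(data):
    """Pad file data to a whole number of 512-byte blocks."""
    return data + bytes(-len(data) % BLOCK)

def sample_archive():
    """Constructed stream: an 'L' record ahead of the real file's header."""
    sec, body = b"acl-data", b"hello\n"
    return (make_header(".SeCuRiTy.29287", len(sec), "L") + pad(sec)
            + make_header("E/t1.iso", len(body), "0") + pad(body)
            + bytes(2 * BLOCK))

def scan(stream):
    """Return (name, typeflag, size, flagged) for every header in the stream."""
    found, off = [], 0
    while off + BLOCK <= len(stream):
        h = stream[off:off + BLOCK]
        if h == bytes(BLOCK):          # all-zero block ends the archive
            break
        if int(h[148:154], 8) != sum(h[:148]) + 8 * 0x20 + sum(h[156:]):
            raise ValueError("bad header checksum at offset %d" % off)
        name = h[:100].split(b"\0", 1)[0].decode()
        size = int(h[124:135], 8)
        # Flag types a plain reader would fall back to "normal file" for,
        # and any entry already carrying the .SeCuRiTy.<n> name.
        flagged = h[156] not in USTAR_TYPES or bool(SECURITY_NAME.search(name))
        found.append((name, chr(h[156]), size, flagged))
        off += BLOCK + size + (-size % BLOCK)   # header plus padded data
    return found

if __name__ == "__main__":
    for entry in scan(sample_archive()):
        print(entry)
```

Run against a real archive, flagged entries that line up with restore times point to the backup tool rather than an intruder as the source of the files.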