Educause Security Discussion mailing list archives
Re: Veritas Backup Exec Vulnerability
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Tue, 18 Jan 2005 09:50:26 -0600
These sigs won't help with finding vuln Veritas hosts, most have likely been found by the external scanners, but should help with identifying those that have been compromised or those that are being poked at:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6101:6110 (flow:established,to_server; content:"|02 00 32 00 90 90 90 90 31|"; content:"|31 2E 31 2E 31 2E 31 2E 31|"; distance:110; flowbits:set,bkupexec_overflow; tag:session,20,packets; msg:"Veritas BackupExec Buffer Overflow Attempt"; classtype:misc-attack;)

You should also see Veritas compromised systems trigger the following, although this will also catch other nasty things:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET any (flow:established,to_server; content:"GETSTATUSINFO"; nocase; tag:session,20,packets; msg:"Robots -- begin world domination!"; classtype:trojan-activity;)

Fight on humanoids, fight on..

~cam.

Cam Beasley, CISSP CIFI
Sr. InfoSec Analyst
Information Security Office
University of Texas at Austin
cam () austin utexas edu
----------------------------
Report Abuse/Misuse to:
- abuse () utexas edu
- 512.475.9242
----------------------------
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Taylor
Sent: 2005, January 18, Tuesday 07:03
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Veritas Backup Exec Vulnerability

I don't know of any way to 'scan for the vulnerability'. As Jordan stated, you can run an NMAP scan but as far as I can tell it won't actually tell you what version of Veritas Backup Exec is running on the port. I contacted ISS about a module that would detect Veritas vulnerabilities and they said:

<from ISS>
We have released product coverage today. Please refer to documentation for RealSecure(r) Network Sensor, Proventia A(tm), Proventia G(tm) and Proventia M(tm) Appliances, XPUs 23.2 and 1.39, and reference SecChkID 18506 Veritas_BackupExec_BO. We are currently investigating an Internet Scanner check and hope to release one in the near future
</from ISS>

So, maybe ISS Internet Scanner will have something soon.

At 04:46 PM 1/13/2005, Samuel Petreski wrote:

Does anyone know of a proactive way to scan for this vulnerability?

Thanks.

--Samuel

Samuel Petreski
Network Systems Analyst
Computing and Network Services
Kansas State University
(785) 532-4943
petreski () ksu edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eddie H. Hunter
Sent: Thursday, January 13, 2005 12:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Veritas Backup Exec Vulnerability

Dear All,

We are experiencing some incidents with the Backup Exec exploit on Novell Netware Servers and were interested if others were seeing this as well. Please drop me a note if you are having the same experience.

Thank You,

Eddie H. Hunter
UGA Office of Information Security
UGA-CIRT
ehunter () uga edu
706-542-7949
"Maintaining the Constant Vigil of Integrity"

This message and any attachment is intended only for the use of the addressee and may contain information that is PRIVILEGED. If you are not the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify us immediately. Thank You.

Security Warning: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us.

Viruses: Although we have taken steps to ensure that this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

==============================================
David Taylor // Sr. Information Security Specialist
Information Systems & Computing // Information Security
University of Pennsylvania // Philadelphia PA USA
LTR () ISC UPENN EDU
(215) 898-1236
http://www.upenn.edu/computing/security/
==============================================
SANS - The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/
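Added example, not part of the original post: an offline check of how the first rule's two content matches and distance:110 combine, run against constructed payloads. The names rule_matches and build_sample are hypothetical, and flow state, flowbits and tagging are not modelled.

```python
"""Offline check of the content/distance logic in the BackupExec rule above."""

# Byte patterns copied from the rule's two content options.
FIRST = bytes.fromhex("020032009090909031")   # |02 00 32 00 90 90 90 90 31|
SECOND = bytes.fromhex("312e312e312e312e31")  # |31 2E 31 2E 31 2E 31 2E 31|
DISTANCE = 110                  # distance:110 applies to the second content
PORTS = range(6101, 6111)       # 6101:6110, inclusive in Snort's notation


def rule_matches(payload: bytes, dst_port: int) -> bool:
    """Return True when the payload satisfies both content options.

    distance:110 means the search for SECOND starts 110 bytes after the
    END of the FIRST match, so SECOND may sit further away but not closer.
    """
    if dst_port not in PORTS:
        return False
    start = 0
    # Retry on every occurrence of FIRST, as the relative match may only
    # succeed from a later one.
    while (hit := payload.find(FIRST, start)) != -1:
        search_from = hit + len(FIRST) + DISTANCE
        if payload.find(SECOND, search_from) != -1:
            return True
        start = hit + 1
    return False


def build_sample(gap: int) -> bytes:
    """Constructed test payload: 4 filler bytes, FIRST, `gap` filler, SECOND."""
    return b"\x00" * 4 + FIRST + b"A" * gap + SECOND


if __name__ == "__main__":
    for gap in (109, 110, 200):
        print(f"gap={gap:3d} port=6101 ->", rule_matches(build_sample(gap), 6101))
    print("gap=110 port=6111 ->", rule_matches(build_sample(110), 6111))
```

A gap of 109 bytes does not alert while 110 or more does, which is the boundary to keep in mind when replaying captured traffic against the rule.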