Re: Veritas Backup Exec Vulnerability

["Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>]

These sigs won't help with finding vuln Veritas hosts, most 
have likely been found by the external scanners, but should
help with identifying those that have been compromised or
those that are being poked at:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6101:6110
(flow:established,to_server; content:"|02 00 32 00 90 90 90 90 31|";
content:"|31 2E 31 2E 31 2E 31 2E 31|"; distance:110; flowbits:set,
bkupexec_overflow; tag:session,20,packets; msg:"Veritas BackupExec
Buffer Overflow Attempt"; classtype:misc-attack;)

You should also see Veritas compromised systems trigger the 
following, although this will also catch other nasty things:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET any
(flow:established,to_server; content:"GETSTATUSINFO"; nocase:;
tag:session,20,packets; msg:"Robots -- begin world domination!";
classtype:trojan activity;)

Fight on humanoids, fight on..

~cam.

Cam Beasley, CISSP CIFI
Sr. InfoSec Analyst
Information Security Office
University of Texas at Austin
cam () austin utexas edu
----------------------------
Report Abuse/Misuse to:
 - abuse () utexas edu
 - 512.475.9242 
----------------------------

> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Taylor
> Sent: 2005, January 18, Tuesday 07:03
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Veritas Backup Exec Vulnerability
>
> I don't know of anyway to 'scan for the vulnerability'.  As 
> Jordan stated you can run an NMAP scan but as far as I can 
> tell it won't actually tell you what version of Veritas 
> Backup Exec is running on the port.
>
> I contacted ISS about a module that would detect Veritas 
> vulnerabilities and they said:
>
> <from ISS>
> We have released product coverage today.  Please refer to 
> documentation for RealSecure(r) Network Sensor, Proventia 
> A(tm), Proventia G(tm) and Proventia
> M(tm) Appliances, XPUs 23.2 and 1.39, and reference SecChkID 
> 18506 Veritas_BackupExec_BO.
>
> We are currently investigating an Internet Scanner check and 
> hope to release one in the near future </from ISS>
>
> So, maybe ISS Internet Scanner will have something soon.
>
> At 04:46 PM 1/13/2005, Samuel Petreski wrote:
> > Does anyone know of a proactive way to scan for this vulnerability?
> >
> > Thanks.
> >
> > --Samuel
> >
> > Samuel Petreski
> > Network Systems Analyst
> > Computing and Network Services
> > Kansas State University
> > (785) 532-4943
> > petreski () ksu edu
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv 
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eddie H. Hunter
> > Sent: Thursday, January 13, 2005 12:55 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Veritas Backup Exec Vulnerability
> >
> > Dear All,
> >
> > We are experiencing some incidents with the Backup Exec exploit on 
> > Novell Netware Servers and were interested if others were 
> seeing this as well.
> > Please drop me a note if you are having the same experience.
> >
> > Thank You,
> >
> > Eddie H. Hunter
> > UGA Office of Information Security
> > UGA-CIRT
> > ehunter () uga edu
> > 706-542-7949
> >
> > "Maintaining the Constant Vigil of Integrity"
> >
> > This message and any attachment is intended only for the use of the 
> > addressee and may contain information that is PRIVILEGED. If you are 
> > not the intended recipient, you are hereby notified that any 
> > dissemination of this communication is strictly prohibited. 
> If you have 
> > received this communication in error, please erase all copies of the 
> > message and its attachments and notify us immediately.  Thank You.
> >
> > Security Warning: Please note that this e-mail has been 
> created in the 
> > knowledge that Internet e-mail is not a 100% secure 
> communications medium.
> > We advise that you understand and observe this lack of security when 
> > e-mailing us.
> >
> > Viruses: Although we have taken steps to ensure that this e-mail and 
> > attachments are free from any virus, we advise that in keeping with 
> > good computing practice the recipient should ensure they are 
> actually 
> > virus free.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE 
> Discussion 
> > Group discussion list can be found at 
> http://www.educause.edu/groups/.
> > **********
> > Participation and subscription information for this EDUCAUSE 
> Discussion 
> > Group discussion list can be found at 
> http://www.educause.edu/groups/.
>
>
> ==============================================
> David Taylor            //      Sr. Information Security Specialist
> Information Systems & Computing  //          Information Security
> University of Pennsylvania      //         Philadelphia PA USA
> LTR () ISC UPENN EDU                       (215) 898-1236
> http://www.upenn.edu/computing/security/
> ==============================================
>
> SANS - The Twenty Most Critical Internet Security 
> Vulnerabilities http://www.sans.org/top20/
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion Group discussion list can be found at 
> http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.