ITNS ADVISORY ITNS-2005-011201 Veritas BackupExec Vulnerability, January 12, 2005
Original release date: 1/12/2005
Last revised: 1/12/2005
Source: Purdue IT Security and Policy
URL: http://www.itap.purdue.edu/security/
CONTENTS
-------------------
1. SYSTEMS AFFECTED
2. OVERVIEW
3. DETAILED DESCRIPTION
4. IMPACT AND ACTIONS
5. SOLUTION
6. FURTHER INFORMATION
7. IT SECURITY AND POLICY CONTACT INFORMATION
SYSTEMS AFFECTED
--------------------
Systems running Veritas Backup Exec v.9.1.4691 Service Pack 1
OVERVIEW
--------------------
A Purdue system has been targeted by an exploit involving a buffer overflow in Veritas Backup Exec's Agent Browser component. This overflow was used to attempt to compromise the system using tools common to recent HackerDefender exploits.
DETAILED DESCRIPTION
-----------------------
Files dropped included:
Filename        Description
-------------   ----------------
service.exe     ServU-Daemon
pskill.exe      RemAdm-PSKill
JAVAC.EXE       BackDoor-AKT
diskinfo.exe    Tool-DiskInfo
clearlogs.exe   Clearlogs
spoolss.exe     ServU-Daemon
svc.exe         HideOut
These files have often been accompanied by HackerDefender in previous system compromises on campus.
IMPACT AND ACTIONS
---------------------
Users of Veritas Backup Exec should manually check the patch level of their installation. Users of affected versions, or with unpatched installations, should immediately patch their systems. A virus scan is also recommended.
Users of firewalls should use appropriate rulesets to prevent IP ranges that do not need access to their systems from accessing those systems.
Systems administrators currently running Veritas Backup Exec version 9.1.4691 should scan their systems for possible compromise using the methodology described at:
http://mother.itsp.purdue.edu/~wirges/resources/internal/hacker_defender/rootkit%20analysis%202.txt
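As an added example, not part of the advisory or the Purdue methodology linked above, the following script turns the dropped-file table into a case-insensitive filename sweep over a directory tree; it runs against a constructed sample tree rather than a real host. Because Hacker Defender hooks the file-listing APIs on a live system, a sweep like this is only trustworthy when run from a clean boot or against a mounted image, and a name match is a lead for triage, not proof of compromise.

```python
import os
import tempfile
from pathlib import Path

# Filenames from the advisory's "Files dropped" table, keyed in lower case,
# mapped to the detection names the advisory lists for them.
DROPPED_FILES = {
    "service.exe": "ServU-Daemon",
    "pskill.exe": "RemAdm-PSKill",
    "javac.exe": "BackDoor-AKT",
    "diskinfo.exe": "Tool-DiskInfo",
    "clearlogs.exe": "Clearlogs",
    "spoolss.exe": "ServU-Daemon",
    "svc.exe": "HideOut",
}


def scan_tree(root):
    """Walk `root` and return a sorted list of (path, detection_name) for every
    file whose name is in the dropped-file list. Matching is case-insensitive
    because the advisory lists JAVAC.EXE in upper case and NTFS is case-
    preserving but case-insensitive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = DROPPED_FILES.get(name.lower())
            if label:
                hits.append((os.path.join(dirpath, name), label))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (hypothetical, not from a real host): two
    indicator files, one unrelated file, and a decoy name that must not match."""
    root = tempfile.mkdtemp(prefix="bkupexec_scan_")
    for rel in ("Windows/system32/spoolss.exe", "Temp/JAVAC.EXE",
                "Temp/notes.txt", "Temp/svc.exe.bak"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


def sample_hits():
    """Run the sweep on the sample tree; paths are returned relative to root."""
    root = build_sample_tree()
    return [(os.path.relpath(p, root).replace(os.sep, "/"), label)
            for p, label in scan_tree(root)]


if __name__ == "__main__":
    for path, label in sample_hits():
        print(f"{path}: {label}")
```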
SOLUTION
--------------------
A hotfix for Veritas Backup Exec is available at: http://support.veritas.com/docs/273420.
This hotfix may not show when using Veritas' automatic update utility.
Users who believe their systems are compromised are advised to reinstall the affected system if at all possible. All passwords on the system should be presumed to be compromised in the event of a Hacker Defender compromise. Systems accessible using passwords on compromised systems should be checked for Hacker Defender compromises using the tools described at:
http://mother.itsp.purdue.edu/~wirges/resources/internal/hacker_defender/
In addition, McAfee VirusScan 8.x has proven useful in detecting and removing instances of this infection.
FURTHER INFORMATION
--------------------
ITNS Hacker Defender information website
http://mother.itsp.purdue.edu/~wirges/resources/internal/hacker_defender/
Veritas Hotfix
http://support.veritas.com/docs/273420
SecurityFocus exploit description
http://www.securityfocus.com/bid/11974/exploit/
If you need the McAfee extra.dats for this compromise, please send email to itap-securityhelp@purdue.edu
IT SECURITY AND POLICY CONTACT INFORMATION
------------------------------------------
Purdue University IT Security and Policy can be contacted at:
itap-securityhelp@purdue.edu
Abuse incidents can be reported to: abuse@purdue.edu
If you believe that a crime has been committed, please contact your local police department.