Last week, after upgrading to V12.1 and seeing the malware scanning features, I decided to enable scanning on a Linux job I had. I passed it the credentials (which are marked as redacted in the snippet below), ran the test, it connected fine, and it ran backups for a few days. I then went in and disabled it, so that now no Linux job is trying to do any guest interaction.
I was troubleshooting something else and noticed some odd behavior in my bash history. I went and checked, and I can see this in all the Linux VMs from the job I had enabled credential scanning with. They seem to keep repeating even though scanning is disabled. Is this a normal part of Veeam, or is this some IOC I need to contact my security team about? I am quite concerned. A case can certainly be opened if you like; I just want to get the devs' opinion first. Here is an example of what I see when I run history. (Please note I just enabled timestamps in history, which is why they are all stamped with the same date.) If this keeps happening, I should be able to capture the exact time.
Code:
110 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo afaeec54-209a-4022-8cc1-cfe816898d75
111 2024-01-08 12:12:20 echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapca2cb5e9-f13b-44cf-9fba-318b7b2a62ba.sh -a redacted;echo End command:" && echo Execute SU command end:
112 2024-01-08 12:12:20 stty -echo
113 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo ea2e75a4-adf8-47a3-b992-fb902dd4d6e6
114 2024-01-08 12:12:20 unalias -a; echo $?; echo 360478ff-e189-4078-975f-0ac5c866a37f
115 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT whoami; echo $?; echo 6a745bbf-a119-46b2-b792-d8d789b0ab01
116 2024-01-08 12:12:20 stty -echo
117 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 590bd091-95df-4cd9-9a31-3f9660ef48c9
118 2024-01-08 12:12:20 echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapca2cb5e9-f13b-44cf-9fba-318b7b2a62ba.sh -a redacted;echo End command:" && echo Execute SU command end:
119 2024-01-08 12:12:20 stty -echo
120 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 20ea5a5b-003d-4659-bb5d-cda6d9923054
121 2024-01-08 12:12:20 unalias -a; echo $?; echo f81c8387-7869-4c32-9788-615975d8cdee
122 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT id -au; echo $?; echo 80f22a95-0fef-422d-a6ee-c5da7aa43638
123 2024-01-08 12:12:20 stty -echo
124 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo ca73c973-f468-41cd-a415-97710da845b1
125 2024-01-08 12:12:20 unalias -a; echo $?; echo 1622c120-fa69-4b3a-be49-270ef482a4b6
126 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT tar --version; echo $?; echo 4deec6f6-881f-4ba8-bf28-3c3c9f8db814
127 2024-01-08 12:12:20 stty -echo
128 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo f075c12b-27f0-40bb-ac4a-c14301949a2d
129 2024-01-08 12:12:20 unalias -a; echo $?; echo b1432964-34fe-4fda-81b1-3d759d6035b8
130 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT gzip -V; echo $?; echo 938d5707-4d09-447e-a258-ad9fafe30a19
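As an added triage example (this is not code from the original post, and not anything shipped by Veeam), the Python script below parses `history` output with timestamps enabled, groups the entries that match the wrapper pattern visible above (the `VEEAM_TERMINAL_PROMPT` PS1 export, `stty -echo`, `unalias -a`, `sudo -S -k -p VEEAM_PWD_PROMPT <cmd>` and the `su root -c` call to `/tmp/.sudo_bootstrap<uuid>.sh`), and flags any privileged command that is not on an allow-list. The allow-list is an assumption built only from the binaries the post shows (whoami, id, tar, gzip) plus the bootstrap script path; the embedded sample history is copied from the post with two constructed entries (131 and 132) appended to show how a non-Veeam line and an unexpected privileged command are reported.

```python
import re

# bash prints history like "<n> <YYYY-MM-DD HH:MM:SS> <command>" when
# HISTTIMEFORMAT is set, e.g. HISTTIMEFORMAT='%F %T '.
HIST_RE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")

# Wrapper strings copied verbatim from the history dump in the post above.
PS1_MARKER = 'export PS1="VEEAM_TERMINAL_PROMPT$"'
SUDO_RE = re.compile(r"^sudo -S -k -p VEEAM_PWD_PROMPT (.+?); echo \$\?; echo [0-9a-f-]{36}$")
SU_RE = re.compile(r'su root -c "echo Start command:; (.+?);echo End command:"')
BOOTSTRAP_RE = re.compile(r"^/tmp/\.sudo_bootstrap[0-9a-f-]{36}\.sh(\s|$)")

# ASSUMPTION: privileged binaries considered expected, taken only from what
# the post shows. Anything else run through the wrapper is flagged for review.
EXPECTED_BINARIES = {"whoami", "id", "tar", "gzip"}


def parse_history(text):
    """Yield (number, timestamp, command) for every timestamped history line."""
    for line in text.splitlines():
        m = HIST_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def classify(cmd):
    """Return (kind, detail). kind is 'veeam_setup', 'veeam_sudo', 'veeam_su' or 'other';
    detail is the command run under sudo/su, or the raw line for 'other'."""
    if cmd == "stty -echo" or cmd.startswith(PS1_MARKER) or cmd.startswith("unalias -a;"):
        return "veeam_setup", None
    m = SUDO_RE.match(cmd)
    if m:
        return "veeam_sudo", m.group(1)
    m = SU_RE.search(cmd)
    if m:
        return "veeam_su", m.group(1)
    return "other", cmd


def is_expected(inner):
    """A privileged command is expected if it is the bootstrap script in /tmp
    or its binary is in the (assumed) allow-list."""
    if BOOTSTRAP_RE.match(inner):
        return True
    binary = inner.split()[0].rsplit("/", 1)[-1]
    return binary in EXPECTED_BINARIES


def triage(text):
    """Group history lines into setup noise, privileged commands, entries that
    need review, and lines that do not match the wrapper pattern at all."""
    report = {"setup": 0, "privileged": [], "review": [], "other": []}
    for num, ts, cmd in parse_history(text):
        kind, detail = classify(cmd)
        if kind == "veeam_setup":
            report["setup"] += 1
        elif kind in ("veeam_sudo", "veeam_su"):
            report["privileged"].append((num, ts, detail))
            if not is_expected(detail):
                report["review"].append((num, ts, detail))
        else:
            report["other"].append((num, ts, cmd))
    return report


# Lines 110-130 are copied from the post; 131 and 132 are CONSTRUCTED for this example.
SAMPLE_HISTORY = """\
110 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo afaeec54-209a-4022-8cc1-cfe816898d75
111 2024-01-08 12:12:20 echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapca2cb5e9-f13b-44cf-9fba-318b7b2a62ba.sh -a redacted;echo End command:" && echo Execute SU command end:
112 2024-01-08 12:12:20 stty -echo
113 2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo ea2e75a4-adf8-47a3-b992-fb902dd4d6e6
114 2024-01-08 12:12:20 unalias -a; echo $?; echo 360478ff-e189-4078-975f-0ac5c866a37f
115 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT whoami; echo $?; echo 6a745bbf-a119-46b2-b792-d8d789b0ab01
122 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT id -au; echo $?; echo 80f22a95-0fef-422d-a6ee-c5da7aa43638
126 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT tar --version; echo $?; echo 4deec6f6-881f-4ba8-bf28-3c3c9f8db814
130 2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT gzip -V; echo $?; echo 938d5707-4d09-447e-a258-ad9fafe30a19
131 2024-01-08 12:13:05 ls -la /var/log
132 2024-01-08 12:13:09 sudo -S -k -p VEEAM_PWD_PROMPT lsblk; echo $?; echo 00000000-0000-4000-8000-000000000000
"""

if __name__ == "__main__":
    r = triage(SAMPLE_HISTORY)
    print(f"wrapper setup lines: {r['setup']}")
    for num, ts, detail in r["privileged"]:
        print(f"privileged  #{num} {ts}  {detail}")
    for num, ts, detail in r["review"]:
        print(f"REVIEW      #{num} {ts}  {detail}  (not on allow-list)")
    for num, ts, cmd in r["other"]:
        print(f"non-wrapper #{num} {ts}  {cmd}")
```

To run it against a real host, save `history` output (with `HISTTIMEFORMAT` set so each line carries a timestamp) to a file and pass its contents to `triage()`. The allow-list only reflects what this post happens to show, so the first time you run it on a different host you should expect some review hits and decide for yourself whether they are legitimate; a command in `/tmp` run as root is also worth checking on disk (does the file still exist, who owns it, what is its hash) rather than trusting the history line alone.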