pmichelli
Enthusiast
Posts: 65
Liked: 13 times
Joined: Mar 16, 2023 5:47 pm

Concerning bash history.

Post by pmichelli »

Hello Dev Team,

Last week, after upgrading to V12.1 and seeing the malware scanning features, I decided to enable scanning on a Linux job I had. I passed it the credentials (which are marked as redacted in the snippet below) and ran the test; it connected fine and ran backups for a few days. I then went in and disabled it, so that now no Linux job is trying to do any guest interaction.

I was troubleshooting something else and noticed some odd behavior in my bash history. I went and checked, and I can see this in all the Linux VMs from the job I had enabled credential scanning with. They seem to keep repeating even though scanning is disabled. Is this a normal part of Veeam, or is this some IOC I need to contact my security team about? I am quite concerned. A case can certainly be opened if you like; I just want to get the devs' opinion first. Here is an example of what I see when I run history (please note I just enabled timestamps in history, which is why they are all stamped with the same date). If this keeps happening I should be able to capture the exact time.

Code:

  110  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo afaeec54-209a-4022-8cc1-cfe816898d75
  111  2024-01-08 12:12:20 echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapca2cb5e9-f13b-44cf-9fba-318b7b2a62ba.sh -a redacted;echo End command:" && echo Execute SU command end:
  112  2024-01-08 12:12:20 stty -echo
  113  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo ea2e75a4-adf8-47a3-b992-fb902dd4d6e6
  114  2024-01-08 12:12:20 unalias -a; echo $?; echo 360478ff-e189-4078-975f-0ac5c866a37f
  115  2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT whoami; echo $?; echo 6a745bbf-a119-46b2-b792-d8d789b0ab01
  116  2024-01-08 12:12:20 stty -echo
  117  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 590bd091-95df-4cd9-9a31-3f9660ef48c9
  118  2024-01-08 12:12:20 echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapca2cb5e9-f13b-44cf-9fba-318b7b2a62ba.sh -a redacted;echo End command:" && echo Execute SU command end:
  119  2024-01-08 12:12:20 stty -echo
  120  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 20ea5a5b-003d-4659-bb5d-cda6d9923054
  121  2024-01-08 12:12:20 unalias -a; echo $?; echo f81c8387-7869-4c32-9788-615975d8cdee
  122  2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT id -au; echo $?; echo 80f22a95-0fef-422d-a6ee-c5da7aa43638
  123  2024-01-08 12:12:20 stty -echo
  124  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo ca73c973-f468-41cd-a415-97710da845b1
  125  2024-01-08 12:12:20 unalias -a; echo $?; echo 1622c120-fa69-4b3a-be49-270ef482a4b6
  126  2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT tar --version; echo $?; echo 4deec6f6-881f-4ba8-bf28-3c3c9f8db814
  127  2024-01-08 12:12:20 stty -echo
  128  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo f075c12b-27f0-40bb-ac4a-c14301949a2d
  129  2024-01-08 12:12:20 unalias -a; echo $?; echo b1432964-34fe-4fda-81b1-3d759d6035b8
  130  2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT gzip -V; echo $?; echo 938d5707-4d09-447e-a258-ad9fafe30a19
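
A defender-side way to triage history like the above is to separate the entries carrying Veeam's session markers (the VEEAM_TERMINAL_PROMPT prompt, the VEEAM_PWD_PROMPT sudo prompt, the /tmp/.sudo_bootstrap script) from ordinary interactive history, report when they were last seen, list the values passed with -a to the bootstrap script so you can confirm they are usernames rather than secrets, and flag any sudo command outside the probe set quoted in this thread. This is an added example written for this thread, not Veeam code; the sample history is constructed from the quoted entries plus two extra lines that exercise the flagging.

```python
import re

# Constructed sample modeled on the history quoted above (HISTTIMEFORMAT enabled).
# Entries 116 and 117 are added: one unexpected sudo command and one ordinary command.
SAMPLE_HISTORY = """\
  110  2024-01-08 12:12:20 export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo afaeec54-209a-4022-8cc1-cfe816898d75
  111  2024-01-08 12:12:20 echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapca2cb5e9-f13b-44cf-9fba-318b7b2a62ba.sh -a redacted;echo End command:" && echo Execute SU command end:
  112  2024-01-08 12:12:20 stty -echo
  113  2024-01-08 12:12:20 unalias -a; echo $?; echo 360478ff-e189-4078-975f-0ac5c866a37f
  114  2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT whoami; echo $?; echo 6a745bbf-a119-46b2-b792-d8d789b0ab01
  115  2024-01-08 12:12:20 sudo -S -k -p VEEAM_PWD_PROMPT tar --version; echo $?; echo 4deec6f6-881f-4ba8-bf28-3c3c9f8db814
  116  2024-01-09 03:00:01 sudo -S -k -p VEEAM_PWD_PROMPT systemctl status sshd; echo $?; echo 11111111-2222-3333-4444-555555555555
  117  2024-01-09 08:15:42 ls -la /var/log
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
# Strings that mark an entry as part of the Veeam guest-interaction session
# (bare "stty -echo" / "unalias -a" lines carry no marker and are not counted).
VEEAM_MARKERS = ("VEEAM_TERMINAL_PROMPT", "VEEAM_PWD_PROMPT", "/tmp/.sudo_bootstrap")
SUDO_RE = re.compile(r"sudo -S -k -p VEEAM_PWD_PROMPT (.+?);")
BOOTSTRAP_ARG_RE = re.compile(r"/tmp/\.sudo_bootstrap\S+\.sh -a (\S+?);")
# Probe commands the thread shows under the Veeam sudo prompt; anything else is reported
EXPECTED_PROBES = {"whoami", "id -au", "tar --version", "gzip -V"}

def analyze_history(text):
    """Return a report on Veeam-marked entries: count, newest timestamp, the -a values
    handed to the bootstrap script, and sudo commands outside the expected probe set."""
    count, last_ts, bootstrap_args, unexpected = 0, None, set(), []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ts, cmd = m.group(2), m.group(3)
        if not any(marker in cmd for marker in VEEAM_MARKERS):
            continue  # ordinary interactive history, not Veeam's
        count += 1
        last_ts = ts  # history is chronological, so the last match is the newest
        bootstrap_args.update(BOOTSTRAP_ARG_RE.findall(cmd))
        for sudo_cmd in SUDO_RE.findall(cmd):
            if sudo_cmd not in EXPECTED_PROBES:
                unexpected.append((ts, sudo_cmd))
    return {"veeam_entries": count, "last_seen": last_ts,
            "bootstrap_args": sorted(bootstrap_args), "unexpected_sudo": unexpected}

if __name__ == "__main__":
    report = analyze_history(SAMPLE_HISTORY)
    print(f"{report['veeam_entries']} Veeam-marked entries, last at {report['last_seen']}")
    print("bootstrap -a values (verify these are usernames):", report["bootstrap_args"])
    for ts, cmd in report["unexpected_sudo"]:
        print(f"REVIEW {ts}: sudo command outside expected probe set: {cmd}")
```

Run it against a real ~/.bash_history with HISTTIMEFORMAT set; a last_seen timestamp after the feature was disabled is the condition the original poster describes.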
pmichelli

Re: Concerning bash history.

Post by pmichelli »

I see this from the SIEM; the source user is Veeam (coming from the backup server). Veeam is not the user it was using for SSH credentials; that is another account. The Veeam account name is used to map to vCenter.

Code:

2024-01-03 13:23	Generic_Unix_Successful_SSH_Login	Successful SSH logon
2024-01-03 13:23	Generic_Unix_systemd-logind_New_Session	Generic_Unix_systemd-logind_New_Session
2024-01-03 13:23	Generic_Unix_Successful_SSH_Start	SSH session started
2024-01-03 13:23	Generic_Unix_Successful_Switch_User	Successful privilege escalation
2024-01-03 13:23	Generic_Unix_Successful_SUDO_Exec	Successful Privileged command execution
2024-01-03 13:23	Generic_Unix_Successful_Switch_User	Successful privilege escalation
2024-01-03 13:23	Generic_Unix_Successful_SUDO_Exec	Successful Privileged command execution
2024-01-03 13:23	Generic_Unix_Successful_Switch_User	Successful privilege escalation
2024-01-03 13:23	Generic_Unix_Successful_Switch_User	Successful privilege escalation
2024-01-03 13:23	Generic_Unix_Successful_SUDO_Exec	Successful Privileged command execution
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Concerning bash history.

Post by Gostev » 2 people like this post

pmichelli wrote: Jan 08, 2024 5:19 pm
A case can certainly be opened if you like, I just want to get the dev's opinion first.
Hello! Actually, these forums are manned by the Product Management team. Devs do not actively follow or participate here, so you do need to open a support case if you want to get their opinion. Although needless to say, these mighty Gods of Veeam will only be "bothered" if all 3 Tiers of our Customer Support are unable to answer your question first ;) and I must say there are some really strong environmental researchers at T3 in particular. Thank you!
pmichelli

Re: Concerning bash history.

Post by pmichelli » 1 person likes this post

I have sorted this out. It was in fact Veeam doing this when I had enabled scanning and passed it some credentials to use. It kept doing it for a few days even after I disabled this feature, and that was what concerned me about what I was seeing. A reboot of the Veeam server has fixed this, and this morning there were no new entries in the bash history.
Gostev

Re: Concerning bash history.

Post by Gostev » 1 person likes this post

Just to close on this, our Security QA team was not able to confirm either issue:
1. They don't see credentials being logged in the bash history; only the username is logged.
2. Disabling the scanning feature stops this immediately; no new logs are generated.