unsichtbarre
Service Provider
Full Name: John Borhek

Veeam Hardened REPO Unknown commands

Post by unsichtbarre »

Howdy,

I was looking at a customer's Veeam Hardened repo today and I was wondering if the following commands in history were normal:

162  stty -echo
  163  export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 81433b4e-81d6-4035-9ec3-f1ac6000272e
  164  whoami; echo $?; echo 971ef6f2-0dce-483e-a1f8-e25be972e385
  165  unalias -a; echo $?; echo 93c7f9e9-b698-4409-bf65-ae04acbd7d81
  166  stty -echo
  167  export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 90d3539a-fca4-471f-b841-f6592a27c1aa
  168  whoami; echo $?; echo 2d4ea052-9c52-42c5-bf52-eea3d868453b
  169  unalias -a; echo $?; echo 216440c7-8169-432c-a623-6257a80bd8fb
  170  whoami; echo $?; echo 5662148b-0c77-4067-a147-2dda3e4b87f0
  171  uname -r; echo $?; echo 7e9cabd3-b28f-42f5-b8ef-b1cbb43491e3
  172  stty -echo
  173  export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo e03690de-2dd5-44ef-82da-ef98cef26205
  174  whoami; echo $?; echo d75c7a9d-02b7-46be-a078-62494efa2d74
  175  unalias -a; echo $?; echo 057df469-30ef-416e-9126-49852ee5f7c5
  176  stty -echo
  177  export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 8b80d946-8302-4070-a15d-9b13a79ca798
  178  whoami; echo $?; echo 13f7efc6-1ff4-4e90-940e-411ec31414e6
  179  unalias -a; echo $?; echo 9291d37d-9903-412f-9f77-17dcf91932f7
  180  whoami; echo $?; echo 06a18a0a-3cfb-4355-824e-33ac9f09ac10
  181  uname --machine; echo $?; echo b27a5fd5-770d-41ae-b41f-bf97879eb508
  182  vmware -v; echo $?; echo 80aa3923-3997-4877-b515-680d3d7bbbe8
  183  ls /etc/exagrid-veeam-version; echo $?; echo bb7d93b3-3a45-4e1c-b65b-1a0cc24c4a70
  184  ls /tmp/Veeam_enabled; echo $?; echo c5ad82be-46fe-4540-a6e7-bbb06f1084d4
  185  ls /tmp/Veeam_enabled_Infinidat; echo $?; echo fbdd678c-0394-45f9-ac0d-3b8009c1c275
  186  ls /tmp/Veeam_enabled_Fujitsu; echo $?; echo 3733783c-dfd6-4761-9704-e329e9b26d3b
  187  ls /tmp/Veeam_enabled*; echo $?; echo 276c8127-eb89-4854-a567-a8988e245430
  188  ls /opt/veeam/transport/veeamtransport; echo $?; echo 63396ffe-4b41-4332-a937-ddac9d491d99
  189  mkdir --parents /opt/veeam/upload/20210809T202229Z; echo $?; echo a4db692c-83d8-4e8c-960d-86b0237aa6fe
  190  touch /opt/veeam/upload/20210809T202229Z/VeeamTransport_11.0.0.839.tar.gz; echo $?; echo 8ef7fd97-40c7-4352-8df8-e43f762541cc
  191  chmod 0766 /opt/veeam/upload/20210809T202229Z/VeeamTransport_11.0.0.839.tar.gz; echo $?; echo b3aa6c00-349c-4a39-9e90-faa0f4e0e39e
  192  cp -f /home/vbruser/91387ce6-dab0-4d9f-b568-5315c1a51a89 /opt/veeam/upload/20210809T202229Z/VeeamTransport_11.0.0.839.tar.gz; echo $?; echo 4f09951a-08a4-48cb-91ab-8c18a777a41f
  193  chmod 0766 /opt/veeam/upload/20210809T202229Z/VeeamTransport_11.0.0.839.tar.gz; echo $?; echo 5bc4987d-f0a3-4543-b0b2-a81b72d20b81
  194  rm -f /home/vbruser/91387ce6-dab0-4d9f-b568-5315c1a51a89; echo $?; echo a4e7d73a-e2f5-47e5-bcfa-39e53a153e5c
  195  mkdir --parents /opt/veeam/transport/; echo $?; echo 9100fa2e-cf1b-49a1-b29d-46f3def0ac0c
  196  mkdir --parents /opt/veeam/transport/; echo $?; echo 9558efaf-b491-4a16-a76d-c230a3a1363c
  197  tar xvzf /opt/veeam/upload/20210809T202229Z/VeeamTransport_11.0.0.839.tar.gz -C /opt/veeam/transport/ --no-same-owner; echo $?; echo f4fdd411-5100-461e-ba13-eba1a63f90a9
  198  rm -rf /opt/veeam/upload/20210809T202229Z; echo $?; echo 99eed558-723a-473b-9ded-3b680d348828
  199  ls /opt/veeam/transport/veeamtransport; echo $?; echo fe636316-fb87-48d0-88d5-2a77f1685ab3
  200  /opt/veeam/transport/veeamtransport --install 6162; echo $?; echo 79ee47b0-6548-44c9-bbde-e134a7531ab9
  201  firewall-cmd --version; echo $?; echo 333a4090-988d-476c-8013-99a6aabcb269
  202  ufw status; echo $?; echo ca790d56-65eb-4fa2-ad62-fe0055c86fd5
  203  iptables --version; echo $?; echo 973baa0b-cde0-4ecd-a925-15832bba838f
  204  iptables -L INPUT --line-numbers -n; echo $?; echo 8cd4dbe1-2678-437a-a0b5-ecac8e7d83ba
  205  iptables -w -L INPUT --line-numbers -n; echo $?; echo 58342fc0-0ee3-4642-8f79-022d3ca600c1
  206  iptables -w -I INPUT -p tcp --dport 6162 -j ACCEPT -m comment --comment "Veeam transport rule"; echo $?; echo 4a2939ba-b6f2-45bb-a952-75939a59df47
  207  iptables -w -L OUTPUT --line-numbers -n; echo $?; echo c5957e76-07a3-4e36-b3e2-9396143c12ba
  208  iptables -w -I OUTPUT -p tcp --sport 6162 -j ACCEPT -m comment --comment "Veeam transport rule"; echo $?; echo 3d888435-86be-47b1-adce-b595e83069f8
  209  ls /opt/veeam/transport/veeamtransport; echo $?; echo ee0e6e2e-7079-4357-8169-7c89c630c220
  210  /opt/veeam/transport/veeamtransport --iptables-autoupdate; echo $?; echo 250eaee0-7a5b-44c9-acc2-a5a6cd97109c
  211  ls /opt/veeam/transport/veeamtransport; echo $?; echo 30bf1dbf-25f2-47d7-8057-a52e571fe053
  212  /opt/veeam/transport/veeamtransport --version; echo $?; echo 6d2d2b67-8778-4243-bfce-1f09f35f0234
  213  ls /opt/veeam/transport/veeamtransport; echo $?; echo 2b4e5827-b220-442b-b914-195d0d23753e
  214  /opt/veeam/transport/veeamtransport --get-port; echo $?; echo ea3a210c-d790-4a2b-90ad-6cac486ca7bd
  215  mkdir --parents /opt/veeam/upload/20210809T202237Z; echo $?; echo 2a7db737-ba3f-4586-97c7-ccf6618a6d18
  216  touch /opt/veeam/upload/20210809T202237Z/tmpEF08.tmp; echo $?; echo c1c2e411-c771-408a-8a6e-b6c287fbb3c4
  217  chmod 0766 /opt/veeam/upload/20210809T202237Z/tmpEF08.tmp; echo $?; echo 8d8c22bd-cc81-4219-a5d8-7bdbd1e35ab1
  218  cp -f /home/vbruser/6961e4ec-89f4-4165-879a-927a19502094 /opt/veeam/upload/20210809T202237Z/tmpEF08.tmp; echo $?; echo 8b82c04d-257e-4dd9-b094-e541a498799d
  219  chmod 0766 /opt/veeam/upload/20210809T202237Z/tmpEF08.tmp; echo $?; echo fb4a1294-2222-4ee4-8ad3-a30618e8ae46
  220  rm -f /home/vbruser/6961e4ec-89f4-4165-879a-927a19502094; echo $?; echo eaea4de3-3651-4d44-bfda-16c4332c2c16
  221  /opt/veeam/transport/veeamtransport --install-server-certificate /opt/veeam/upload/20210809T202237Z/tmpEF08.tmp; echo $?; echo 70322442-2192-43af-bd45-79db2ca3697e
  222  rm -rf /opt/veeam/upload/20210809T202237Z; echo $?; echo 0f98e177-d4f7-49db-8cbb-04d7c56fe615
  223  ls /opt/veeam/transport/veeamtransport; echo $?; echo e7fa6e30-960d-4bcd-acdb-9cd35bdccba7
  224  /opt/veeam/transport/veeamtransport --get-fingerprint; echo $?; echo 1fe5a39a-fcc9-4716-8353-bb57c249b0a9
  225  mkdir --parents /opt/veeam/upload/20210809T202237Z; echo $?; echo 1d063ec9-4fb5-431b-a1fb-3180aa6f9364
  226  touch /opt/veeam/upload/20210809T202237Z/tmpF022.tmp; echo $?; echo 853684b9-3806-469a-aa1d-16f7bbe5782e
  227  chmod 0766 /opt/veeam/upload/20210809T202237Z/tmpF022.tmp; echo $?; echo e6b81f9c-1b71-4f71-be50-b982529e7666
  228  cp -f /home/vbruser/13243fc1-39d1-48c4-bc61-1c66b6fe05e6 /opt/veeam/upload/20210809T202237Z/tmpF022.tmp; echo $?; echo 4d1a93b9-a1f1-49cf-87f2-35ab8453b72d
  229  chmod 0766 /opt/veeam/upload/20210809T202237Z/tmpF022.tmp; echo $?; echo 715ad123-1a75-4ec8-af7b-34d64249e2a3
  230  rm -f /home/vbruser/13243fc1-39d1-48c4-bc61-1c66b6fe05e6; echo $?; echo 90764ad2-2e5a-4eb6-a78c-028a0c6017e6
  231  /opt/veeam/transport/veeamtransport --install-certificate /opt/veeam/upload/20210809T202237Z/tmpF022.tmp; echo $?; echo 7be77d82-4c16-4776-a7e0-49c5566ad67f
  232  rm -rf /opt/veeam/upload/20210809T202237Z; echo $?; echo 4c998824-eb3d-4469-98ed-c2c508c44345
  233  ls /opt/veeam/transport/veeamtransport; echo $?; echo aa186395-59fb-4cff-93de-3e817a43a431
  234  /opt/veeam/transport/veeamtransport --set-user vbruser; echo $?; echo eb5f9e76-da4d-490a-9069-2b490cd64e33
  235  ls /opt/veeam/transport/veeamtransport; echo $?; echo d6c17298-683f-4f42-bef4-28f5a513c143
  236  /opt/veeam/transport/veeamtransport --set-option BaseLogDirectory --set-option-value /var/log/VeeamBackup; echo $?; echo edd23ed3-55bf-4aee-b239-42b5c782e667
  237  ls /opt/veeam/transport/veeamtransport; echo $?; echo bdcb475a-79ca-4bbe-a555-23754b3180b2
  238  /opt/veeam/transport/veeamtransport --restart; echo $?; echo 3cd68213-def8-4ff7-9efa-bca0c9ae61aa
  239  stty -echo
  240  export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 6d94b5b0-4fa5-463e-b051-8079e065f9e4
  241  whoami; echo $?; echo 0898a208-4d4e-4d5f-93ce-71e569869770
  242  unalias -a; echo $?; echo 58c901c3-d908-4bb4-bb01-197c1d13ec4d
  243  stty -echo
  244  export PS1="VEEAM_TERMINAL_PROMPT$"; echo $?; echo 10906af0-0f0f-447f-a6c5-22a7237cb9bd
  245  whoami; echo $?; echo 9338a0ab-5d05-425a-915f-3df7a0b2ea7b
  246  unalias -a; echo $?; echo 7f8a2f57-2af6-46fc-8b57-df2f5dc05426
  247  whoami; echo $?; echo 9a8d4f6c-ab6c-4e42-a8b7-cee7627bef04
  248  ls /opt/veeam/transport/veeamtransport; echo $?; echo 8d124fef-a229-4760-8484-007d9a14357e

John Borhek, Solutions Architect
https://vmsources.com
LickABrick
Enthusiast
Full Name: Lick A Brick

Re: Veeam Hardened REPO Unknown commands

Post by LickABrick »

I suppose you are logged in to the server with the same user you used in Veeam to set up the repo? In this case it is just the Veeam transport service doing its thing.

If in doubt, check /var/log/auth.log for suspicious activity, e.g. to show SSH activity use:

cat /var/log/auth.log | grep ssh

It is recommended to disable SSH, but if this is not possible in your situation you can also enable OTP on SSH for additional security.
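
An added example, not part of the original posts and not Veeam tooling: a small triage script that separates history lines carrying the `<command>; echo $?; echo <UUID>` framing seen in the question from lines without it, and counts the source addresses of accepted SSH logins for the repository account. The function names and all sample lines are constructed for illustration; `vbruser` and the log format (standard OpenSSH `sshd` messages) are the only values taken from the thread or assumed.

```shell
#!/bin/sh
# Added example, not from the thread: triage of `history` and auth-log lines.
# Assumption: automated lines look like "<command>; echo $?; echo <UUID>" or a
# bare "stty -echo", which is the shape of every line in the posted history.
UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
FRAMED_RE='^(stty -echo|.+; echo [$][?]; echo '"$UUID_RE"')[[:space:]]*$'

# Drop the leading history number from each line on stdin.
strip_numbers() { sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//'; }

# Lines WITHOUT the framing: entered some other way, so read these first.
unframed_history() {
  strip_numbers | grep -Ev "$FRAMED_RE" || [ "$?" -eq 1 ]
}

# Framed commands with the trailing sentinel removed, counted.
framed_commands() {
  strip_numbers | grep -E "$FRAMED_RE" |
    sed -E 's/; echo [$][?]; echo '"$UUID_RE"'[[:space:]]*$//' |
    sort | uniq -c | sort -rn
}

# Source addresses of accepted SSH logins for account $1 (auth log on stdin).
accepted_sources() {
  grep -E 'sshd\[[0-9]+]: Accepted [^ ]+ for '"$1"' from ' |
    sed -E 's/.* from ([^ ]+) port .*/\1/' | sort | uniq -c
}

# Constructed samples: made-up numbers, UUIDs, host name and addresses.
SAMPLE_HISTORY='  247  whoami; echo $?; echo 11111111-2222-4333-8444-555555555555
  248  ls /opt/veeam/transport/veeamtransport; echo $?; echo aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee
  249  stty -echo
  250  whoami; echo $?; echo 99999999-8888-4777-8666-555555555555
  251  sudo systemctl status ssh
  252  history'
SAMPLE_AUTH='Aug  9 20:22:29 repo01 sshd[2211]: Accepted password for vbruser from 192.0.2.10 port 50122 ssh2
Aug  9 20:40:03 repo01 sshd[2305]: Failed password for vbruser from 192.0.2.77 port 41822 ssh2
Aug  9 21:05:47 repo01 sshd[2350]: Accepted password for vbruser from 192.0.2.10 port 50190 ssh2'

echo "== history lines without the framing =="
printf '%s\n' "$SAMPLE_HISTORY" | unframed_history
echo "== framed commands, counted =="
printf '%s\n' "$SAMPLE_HISTORY" | framed_commands
echo "== accepted SSH login sources for vbruser =="
printf '%s\n' "$SAMPLE_AUTH" | accepted_sources vbruser
```

On a real host, feed it `history` output and the auth log instead of the samples. The framing alone does not prove where a line came from, so the login sources are the part to compare against the address of the backup server.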
unsichtbarre
Service Provider
Full Name: John Borhek

Re: Veeam Hardened REPO Unknown commands

Post by unsichtbarre »

THX LickABrick,
Thought so, but checking.
John Borhek, Solutions Architect
https://vmsources.com
HannesK
Product Manager
Full Name: Hannes Kasparick

Re: Veeam Hardened REPO Unknown commands

Post by HannesK »

Hello,
yes, looks like Veeam commands.

Best regards,
Hannes