Help
  • Explore Community
  • Get Started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Notifications
Login / Register
Community
Community
Notifications
close
  • Forums
  • Knowledge Center
  • Events & Webinars
  • Ideas
  • Blogs
Help
Help
  • Explore Community
  • Get Started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Login / Register
Sustainability
Sustainability

Join our "Ask Me About" community webinar on May 20th at 9 AM CET and 5 PM CET to explore cybersecurity and monitoring for Data Center and edge IT. Learn about market trends, cutting-edge technologies, and best practices from industry experts.
Register and secure your Critical IT infrastructure

StruxureWare DCE Back-Up Jobs

EcoStruxure IT forum

Schneider Electric support forum about installation and configuration for DCIM including EcoStruxure IT Expert, IT Advisor, Data Center Expert, and NetBotz

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • Home
  • Schneider Electric Community
  • EcoStruxure IT
  • EcoStruxure IT forum
  • StruxureWare DCE Back-Up Jobs
Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Invite a Co-worker
Send a co-worker an invite to the portal.Just enter their email address and we'll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel
Invitation Sent
Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
Top Experts
User Count
Cory_McDonald
Admiral Cory_McDonald Admiral
124
Jef
Admiral Jef Admiral
108
gsterling
Captain gsterling Captain
71
APC_Steve
Captain APC_Steve Captain
62
View All

Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague Invite
Solved Go to Solution
Back to EcoStruxure IT forum
Solved
BartZ
Ensign BartZ
Ensign

Posted: ‎2023-01-13 06:42 AM

1 Like
4
1082
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-13 06:42 AM

StruxureWare DCE Back-Up Jobs

At a customer of ours, a backup job runs every Friday night.

Only during the backup, the security scanner noticed that the following file was created: ....\opt\netbotz\data\ddfs\.revision.txt.4ImcRY

 

Is this normal behavior of a backup job, maybe a temporary file. Or is this possibly randsomeware?

They run StruxureWare version 7.9.0

 

Thanks in advance for your help!

Labels
  • Labels:
  • Data Center Expert
  • Tags:
  • english
Reply

Link copied. Please paste this link to share this article on your social media post.

  • All forum topics
  • Previous Topic
  • Next Topic

Accepted Solutions
mwhelihan
Ensign mwhelihan Ensign
Ensign

Posted: ‎2023-01-13 11:53 AM

2 Likes
1
1066
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-13 11:53 AM

Hello @BartZ,

Yes, it is always best to be cautious about potential ransomware. A few follow up questions:

1. Are you seeing any issues with DCE or the backups?
2. Can you confirm that the security scanner is flagging the file on your backup server and not the DCE server itself? We are assuming that it is on your backup server.

3. Is the .revision.txt.4lmcRY file always present or only present temporarily? It sounds like a temporary file created during backup, but it is likely not something that is present for a long time and we are having difficulty reproducing the creation of that file (or something like it) during a backup.

4. Are you able to open the .revision.txt.4lmcRY file and inspect the contents on a computer that is not connected to any network and you are ok exposing to a potentially malicious file?

 

See Answer In Context

Reply

Link copied. Please paste this link to share this article on your social media post.

Shaun
Commander Shaun Commander
Commander

Posted: ‎2023-01-13 03:06 PM . Last Modified: ‎2023-01-13 04:18 PM

3 Likes
1
1061
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-13 03:06 PM . Last Modified: ‎2023-01-13 04:18 PM

Hi,

 

This is the usual behavior of the rsync utility.  When transferring the file "example.txt", it will create a file named example.txt.random - the random suffix is intended to prevent collisions. The contents are then transferred into this temporary file, and once it's complete, it's renamed to the intended "example.txt".

 

(This temporary file may be prefixed with a single dot to make it hidden on unix-like systems.  This is dependent on the rsync version.)

 

The purpose of this is to make transfers atomic - if you have an existing "example.txt", it won't be replaced until after the transfer is complete.  This stops disrupted transfers from leaving you with neither the previous version nor the transferred version - the result should either successful, or as if nothing happened, and never a broken half-way.

 

I can't speak to why your scanner might flag it - the only difference between this file and every other file creating during the backup, is that this one is tiny, so the temporary file is very short-lived.  But it's short-term existence is what I'd expect to see during (but not after) the backup.

 

(If you do choose to inspect this file, what I'd expect it to contain is 40 hexadecimal chars - a sha1sum that I presume identifies a revision out of a version control system. If the file is not 41 bytes, I'd consider that a red flag.)

 

The easiest way I can replicate this is to run a network capture on a backup running over nfsv3.  For each file I get create, setattr, write, commit & rename operations.  You can see the temporary name being used in the create operation, and the rename operation changing it to the expected filename.  It can be tough to catch them in the act otherwise, as they're very short-lived.

 

To be clear - I'm not suggesting there's nothing wrong - it'd be dangerous of me to do so.  I'm describing the behavior I expect to see, so you can see if it meshes with what you're actually seeing.

See Answer In Context

Reply

Link copied. Please paste this link to share this article on your social media post.

Replies 4
mwhelihan
Ensign mwhelihan Ensign
Ensign

Posted: ‎2023-01-13 11:53 AM

2 Likes
1
1067
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-13 11:53 AM

Hello @BartZ,

Yes, it is always best to be cautious about potential ransomware. A few follow up questions:

1. Are you seeing any issues with DCE or the backups?
2. Can you confirm that the security scanner is flagging the file on your backup server and not the DCE server itself? We are assuming that it is on your backup server.

3. Is the .revision.txt.4lmcRY file always present or only present temporarily? It sounds like a temporary file created during backup, but it is likely not something that is present for a long time and we are having difficulty reproducing the creation of that file (or something like it) during a backup.

4. Are you able to open the .revision.txt.4lmcRY file and inspect the contents on a computer that is not connected to any network and you are ok exposing to a potentially malicious file?

 

Reply

Link copied. Please paste this link to share this article on your social media post.

Shaun
Commander Shaun Commander
Commander

Posted: ‎2023-01-13 03:06 PM . Last Modified: ‎2023-01-13 04:18 PM

3 Likes
1
1062
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-13 03:06 PM . Last Modified: ‎2023-01-13 04:18 PM

Hi,

 

This is the usual behavior of the rsync utility.  When transferring the file "example.txt", it will create a file named example.txt.random - the random suffix is intended to prevent collisions. The contents are then transferred into this temporary file, and once it's complete, it's renamed to the intended "example.txt".

 

(This temporary file may be prefixed with a single dot to make it hidden on unix-like systems.  This is dependent on the rsync version.)

 

The purpose of this is to make transfers atomic - if you have an existing "example.txt", it won't be replaced until after the transfer is complete.  This stops disrupted transfers from leaving you with neither the previous version nor the transferred version - the result should either successful, or as if nothing happened, and never a broken half-way.

 

I can't speak to why your scanner might flag it - the only difference between this file and every other file creating during the backup, is that this one is tiny, so the temporary file is very short-lived.  But it's short-term existence is what I'd expect to see during (but not after) the backup.

 

(If you do choose to inspect this file, what I'd expect it to contain is 40 hexadecimal chars - a sha1sum that I presume identifies a revision out of a version control system. If the file is not 41 bytes, I'd consider that a red flag.)

 

The easiest way I can replicate this is to run a network capture on a backup running over nfsv3.  For each file I get create, setattr, write, commit & rename operations.  You can see the temporary name being used in the create operation, and the rename operation changing it to the expected filename.  It can be tough to catch them in the act otherwise, as they're very short-lived.

 

To be clear - I'm not suggesting there's nothing wrong - it'd be dangerous of me to do so.  I'm describing the behavior I expect to see, so you can see if it meshes with what you're actually seeing.

Reply

Link copied. Please paste this link to share this article on your social media post.

BartZ
Ensign BartZ
Ensign

Posted: ‎2023-01-16 02:55 AM

In response to Shaun
1 Like
0
1028
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-16 02:55 AM

Dear Shaun,


Thank you for your comprehensive and articulate answer!


We were already almost of the opinion that this was a temporary file that was short on the server and eventually becomes a final file with the correct extension.

I am afraid that exactly at the time of creation, the security scanner started scanning and came across this temporary file.

 

By this response, we know that no further (necessary) actions are required.

 

Thanks again!

Reply

Link copied. Please paste this link to share this article on your social media post.

BartZ
Ensign BartZ
Ensign

Posted: ‎2023-01-16 03:03 AM

In response to mwhelihan
0 Likes
0
1027
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2023-01-16 03:03 AM

Hello Mwhelihan,

 

Thank you for your reply!

1. No there were no other problems with the backup. It was purely this file that set off the security scanner.
2. It is indeed that the security scanner flagged the file on the backup server as potentially randsomeware.
3. It was a temporary file if I also saw Shaun's reply on this forum. The temporary file was only deleted by the scanner though. In the previous backups, we also saw that the file was named \revision.txt. without the random characters.
4. Unfortunately, this file no longer exists because it was deleted immediately.

 

But it seems to be a temporary file that is only on the server for a short time and exactly at that time the security scanner may have performed a scan and encountered this file.

Reply

Link copied. Please paste this link to share this article on your social media post.

Preview Exit Preview

never-displayed

You must be signed in to add attachments

never-displayed

 
To The Top!

Forums

  • APC UPS Data Center Backup Solutions
  • EcoStruxure IT
  • EcoStruxure Geo SCADA Expert
  • Metering & Power Quality
  • Schneider Electric Wiser

Knowledge Center

Events & webinars

Ideas

Blogs

Get Started

  • Ask the Community
  • Community Guidelines
  • Community User Guide
  • How-To & Best Practice
  • Experts Leaderboard
  • Contact Support
Brand-Logo
Subscribing is a smart move!
You can subscribe to this board after you log in or create your free account.
Forum-Icon

Create your free account or log in to subscribe to the board - and gain access to more than 10,000+ support articles along with insights from experts and peers.

Register today for FREE

Register Now

Already have an account? Login

Terms & Conditions Privacy Notice Change your Cookie Settings © 2025 Schneider Electric

This is a heading

With achievable small steps, users progress and continually feel satisfaction in task accomplishment.

Usetiful Onboarding Checklist remembers the progress of every user, allowing them to take bite-sized journeys and continue where they left.

of