From: Erich Dollansky
Organization: ALO Green Technologies Pte Ltd
To: freebsd-questions@freebsd.org
Cc: jb
Date: Mon, 30 Apr 2012 10:49:39 +0700
Subject: Re: UFS Crash and directories now missing

Hi,

On Monday 30 April 2012 02:02:41 jb wrote:
> Alejandro Imass p2ee.org> writes:
>
> > ...
> > > What you should do right now is to get some recent general or security cd/dvd
> > > with chkrootkit and rkhunter and run them from that external read-only media.
> > > I would also suggest that you look over config files of all packages
> > > involved.
> > > jb
> > >
> >
> > Thanks! Will do, but I don't know of any FreeBSD and/or derived
> > distros for security. Or can I use any Linux security distro? I
> > remember reading about some trouble of Linux chkrootkit on FBSD....
>
> It looks like you have only one choice with prebuilt rkhunter package only:
> http://www.freebsd.org/releases/9.0R/announce.html
>
> dvd1
> This contains everything necessary to install the base FreeBSD operating system,
> a collection of pre-built packages aimed at getting a graphical workstation up
> and running. It also supports booting into a "livefs" based rescue mode. This
> should be all you need if you can burn and use DVD-sized media.
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/security/
> rkhunter-1.3.8_1.tbz 04/18/12 18:56:00
>
> With regard to verification of config files - you said you got backups (those
> pre-incident would be best) and you have the incident-time files, so do a diff
> on dirs (in particular /etc and /usr/local/etc)
>

I would burn the backup of these files to an optical disk, start the system and do a diff as the first step. The system can be started from a USB drive (take the 9.0 installation image) or DVD.

Of course, rkhunter can be started in the second step.

Erich
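The directory comparison discussed in this thread, as an added example that is not part of the original messages: a POSIX sh sketch that classifies each difference between a trusted pre-incident backup tree and the incident-time tree, including permission changes that a content-only diff would miss. The function names (`compare_trees`, `mode_of`, `make_sample`) and the sample trees are constructed for illustration; it assumes both trees are mounted and readable from the rescue environment and that file names contain no newlines.

```shell
#!/bin/sh
# Added example: classify differences between a trusted backup tree and
# the incident-time tree. Only regular files are compared.

# Print the permission string of a file (works with BSD and GNU ls).
mode_of() { ls -ld "$1" | awk '{print $1}'; }

# compare_trees BACKUP_DIR SUSPECT_DIR
# Emits: ADDED p | REMOVED p | CHANGED p | MODE p old new
compare_trees() {
    backup=$1; suspect=$2
    tmp=$(mktemp -d) || return 1
    # Relative file lists, sorted identically so comm(1) can merge them.
    (cd "$backup" && find . -type f | LC_ALL=C sort) > "$tmp/b"
    (cd "$suspect" && find . -type f | LC_ALL=C sort) > "$tmp/s"
    # Present only in the suspect tree: created after the backup.
    LC_ALL=C comm -13 "$tmp/b" "$tmp/s" | sed 's/^/ADDED /'
    # Present only in the backup: deleted since.
    LC_ALL=C comm -23 "$tmp/b" "$tmp/s" | sed 's/^/REMOVED /'
    # Present in both: compare bytes, then permission bits.
    LC_ALL=C comm -12 "$tmp/b" "$tmp/s" | while IFS= read -r f; do
        cmp -s "$backup/$f" "$suspect/$f" || echo "CHANGED $f"
        old=$(mode_of "$backup/$f"); new=$(mode_of "$suspect/$f")
        [ "$old" = "$new" ] || echo "MODE $f $old $new"
    done
    rm -rf "$tmp"
}

# Build two small constructed trees (not real system files) for a dry run.
make_sample() {
    root=$1
    mkdir -p "$root/backup/etc" "$root/suspect/etc/rc.d"
    printf 'sshd_enable="YES"\n' > "$root/backup/etc/rc.conf"
    printf 'sshd_enable="YES"\nextra_enable="YES"\n' > "$root/suspect/etc/rc.conf"
    printf 'root:wheel\n' > "$root/backup/etc/group"
    printf 'root:wheel\n' > "$root/suspect/etc/group"
    chmod 644 "$root/backup/etc/group"; chmod 666 "$root/suspect/etc/group"
    printf 'x\n' > "$root/backup/etc/motd"
    printf '#!/bin/sh\n' > "$root/suspect/etc/rc.d/unknown"
}

# Run with the argument "demo" to see the output on the constructed trees.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_sample "$d"
    compare_trees "$d/backup" "$d/suspect"; rm -rf "$d"
fi
```

For a real check, call `compare_trees` once per directory pair, for example the backup copy of `/etc` against the mounted incident-time `/etc`, and review every `ADDED`, `CHANGED` and `MODE` line with `diff -u` on the individual files.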