From owner-freebsd-questions@FreeBSD.ORG Mon Apr 30 04:29:04 2012
Delivered-To: freebsd-questions@freebsd.org
Date: Mon, 30 Apr 2012 00:29:02 -0400
From: Alejandro Imass
Sender: aimass@yabarana.com
To: Erich Dollansky
In-Reply-To: <201204301049.39695.erich@alogreentechnologies.com>
References: <201204281731.q3SHVaiM061997@mail.r-bonomi.com> <201204301049.39695.erich@alogreentechnologies.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: jb, freebsd-questions@freebsd.org
Subject: Re: UFS Crash and directories now missing

On Sun, Apr 29, 2012 at 11:49 PM, Erich Dollansky wrote:
> Hi,
>
> On Monday 30 April 2012 02:02:41 jb wrote:
>> Alejandro Imass p2ee.org> writes:
>>
>> > ...
>> > > What you should do right now is to get some recent general or security cd/dvd
>> > > with chkrootkit and rkhunter and run them from that external read-only media.
>> > > I would also suggest that you look over config files of all packages
>> > > involved.
>> > > jb
>> > >
>> >
>> > Thanks! Will do, but I don't know of any FreeBSD and/or derived
>> > distros for security. Or can I use any Linux security distro? I
>> > remember reading about some trouble of Linux chkrootkit on FBSD....
>>
>> It looks like you have only one choice with prebuilt rkhunter package only:
>> http://www.freebsd.org/releases/9.0R/announce.html
>>
>> dvd1
>> This contains everything necessary to install the base FreeBSD operating system,
>> a collection of pre-built packages aimed at getting a graphical workstation up
>> and running. It also supports booting into a "livefs" based rescue mode. This
>> should be all you need if you can burn and use DVD-sized media.
>>
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/security/
>> rkhunter-1.3.8_1.tbz          04/18/12          18:56:00
>>
>> With regard to verification of config files - you said you got backups (those
>> pre-incident would be best) and you have the incident-time files, so do a diff
>> on dirs (in particular /etc and /usr/local/etc)
>>
> I would burn the backup of these files to an optical disk, start the system
> and do a diff as the first step.
> The system can be started from a USB drive (take the 9.0 installation
> image) or DVD.
>
> Of course, rkhunter can be started in the second step.

ran both, found nothing

Back to theory on how the http-proxy jail 'swallowed' all the other
jails including the basejail.

I noticed that jail had a not so old bug in 2010 (FBSD 8.0), which
read:

  The jail(8) utility does not change the current working directory
  while imprisoning. The current working directory can be accessed by
  its descendants.

Reference: http://security.freebsd.org/advisories/FreeBSD-SA-10:04.jail.asc

Given that EzJail uses a single basejail and links/mounts stuff in the
child jails it would seem plausible (regression?) that somehow any jail
could access other jails' files, or that _maybe_ in an event of crash
the nullfs mounts confuse the system somehow when fsck restores or the
journal is recovered.

Whatever the cause, it actually happened and I have already ruled out
just about anything. It doesn't seem to have been an attack, it surely
wasn't me, and the EzJail author agrees it was not the EzJail scripts.

So maybe nullfs and journaling, or crash + nullfs + journaling, could
cause something like this to happen? Maybe the journal has some
confusion on restoring the nullfs view of the directories or something
after a bad crash like this one??
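The config-file comparison step jb and Erich describe above (pre-incident backup of /etc and /usr/local/etc on read-only media, diffed against the incident-time copies), written out as an added example that is not part of the thread. The function names, the backup mount path in the usage comment and the sample trees are constructed assumptions; it reports files that were removed, added or changed rather than a raw diff, so the list can be reviewed before looking at individual files.

```shell
#!/bin/sh
# Added example, not code from the thread: compare a known-good backup of
# the config trees (e.g. /etc and /usr/local/etc restored to read-only
# media) against the live copies and report what was removed, added or
# changed. The paths and the sample trees below are constructed assumptions.

# compare_trees GOOD LIVE
# Prints one line per difference: "removed ./x", "added ./x", "changed ./x".
# Only regular files are compared; symlinks and directories are ignored.
compare_trees() {
    good=$1
    live=$2
    tmp=${TMPDIR:-/tmp}/cmptree.$$
    # Relative paths of regular files in each tree, sorted so comm(1) can
    # take set differences of the two lists.
    ( cd "$good" && find . -type f | sort ) > "$tmp.good"
    ( cd "$live" && find . -type f | sort ) > "$tmp.live"
    # Present in the backup but gone from the live system.
    comm -23 "$tmp.good" "$tmp.live" | sed 's/^/removed /'
    # Present on the live system but absent from the backup.
    comm -13 "$tmp.good" "$tmp.live" | sed 's/^/added /'
    # Present in both: compare contents byte for byte.
    comm -12 "$tmp.good" "$tmp.live" | while IFS= read -r f; do
        cmp -s "$good/$f" "$live/$f" || echo "changed $f"
    done
    rm -f "$tmp.good" "$tmp.live"
}

# make_sample ROOT
# Builds a constructed pre-incident tree (ROOT/good) and a constructed
# incident-time tree (ROOT/live) holding one unchanged, one changed, one
# removed and one added file.
make_sample() {
    root=$1
    for t in good live; do
        mkdir -p "$root/$t/etc" "$root/$t/usr/local/etc"
    done
    printf '127.0.0.1 localhost\n' > "$root/good/etc/hosts"
    printf '127.0.0.1 localhost\n' > "$root/live/etc/hosts"
    printf 'hostname="web1"\n' > "$root/good/etc/rc.conf"
    printf 'hostname="web1"\nsshd_enable="YES"\n' > "$root/live/etc/rc.conf"
    printf 'old setting\n' > "$root/good/usr/local/etc/old.conf"
    printf 'new setting\n' > "$root/live/usr/local/etc/new.conf"
}

# Stand-alone use, assuming the backup is mounted read-only at /mnt/backup:
#   sh compare.sh /mnt/backup/etc /etc
#   sh compare.sh /mnt/backup/usr/local/etc /usr/local/etc
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Run it from the rescue media against the backup rather than from the possibly damaged system, and treat every "changed" or "added" line as something to open and read; an unchanged tree is only as trustworthy as the backup it was compared with.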