From: Joe Parsons
To: "freebsd-security@freebsd.org"
Subject: am I NOT hacked?
Date: Sat, 26 Apr 2014 05:55:28 -0400

I was slow to patch my multiple vms after that heartbleed disclosure. I just managed to upgrade these systems to 9.2, and installed the patched openssl, then started changing passwords for root and other shell users. However, I realized that only the root password was changed. For other users, even though the "passwd userid" issued no warning, and "echo $?" is 0, the password is NOT changed.

For more debugging, I tried to "adduser"; the command was successful, and I can see the new entry "test" in /etc/passwd. However, "finger test" complains no such user! Also, "rm test" complains there is no such user to delete as well.

Furthermore, the mail server had a problem sending email; the log file said there is no such user "postfix", and sure enough:

    # finger postfix
    finger: postfix: no such user

while this "postfix" user certainly existed for years, and I can see its entry in /etc/passwd.

This appeared on all the multiple vms on multiple hosts, all running FreeBSD 9.2 now.

I was paranoid; I really should have patched all these systems immediately on reading that heartbleed news, as all these servers had the vulnerable openssl port installed!

Until I googled and found this:

https://forums.freebsd.org/viewtopic.php?&t=29644

It said "The user accounts are actually stored in a database. It's possible it got out of sync with your /etc/passwd file.", and it suggested running "vipw" to fix it.

I ran vipw, then saved, and quit. No joy. Then I ran vipw again, made a change, then undid the change, and saved again. Now "finger postfix" found the user, and I can change user passwords now, and all the above problems disappeared.

Am I right that I am NOT hacked? Is the above problem produced by the freebsd-update process? Is this supposed to happen? I just followed the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled a kernel or tweaked anything.

Thank you!

Joe
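
The symptom described in the message above (an account listed in /etc/passwd that `finger` cannot find) can be checked for every account at once. This is an added example, not part of the original post: the function name `passwd_drift` and its output format are assumptions, and it relies only on `id -u` resolving names through the system's account lookup.

```shell
#!/bin/sh
# Added example (not from the original message).
# passwd_drift FILE
#   For every entry in a passwd-format FILE, ask the system account lookup
#   (via `id -u`) whether the name resolves and whether the uid agrees.
#   Prints one line per discrepancy:
#     missing NAME
#     uid-mismatch NAME file=UID db=UID
#   Returns 0 if everything agrees, 1 on drift, 2 if FILE is unreadable.
# Usage on a live system: passwd_drift /etc/passwd
passwd_drift() {
    file=$1
    [ -r "$file" ] || { echo "passwd_drift: cannot read $file" >&2; return 2; }
    drift=0
    # The `|| [ -n "$name" ]` keeps a final line that lacks a trailing newline.
    while IFS=: read -r name _pw uid _rest || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;   # blank lines and comment lines
            +*|-*)   continue ;;   # NIS compat entries, not local accounts
        esac
        if ! db_uid=$(id -u "$name" 2>/dev/null); then
            # Present in the text file, unknown to the lookup: the
            # "no such user" condition reported in the message.
            printf 'missing %s\n' "$name"
            drift=1
        elif [ "$db_uid" != "$uid" ]; then
            # Name resolves but to a different uid than the file states.
            printf 'uid-mismatch %s file=%s db=%s\n' "$name" "$uid" "$db_uid"
            drift=1
        fi
    done < "$file"
    return "$drift"
}
```

On FreeBSD, `pwd_mkdb -p /etc/master.passwd` rebuilds the lookup databases and /etc/passwd from the master file; an empty result from `passwd_drift /etc/passwd` afterwards shows the two are back in step.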