From owner-freebsd-security@FreeBSD.ORG Sat Apr 26 17:02:53 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D3D923F5 for ; Sat, 26 Apr 2014 17:02:53 +0000 (UTC) Received: from mail-lb0-f181.google.com (mail-lb0-f181.google.com [209.85.217.181]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46E7E1DD1 for ; Sat, 26 Apr 2014 17:02:52 +0000 (UTC) Received: by mail-lb0-f181.google.com with SMTP id z11so2659070lbi.26 for ; Sat, 26 Apr 2014 10:02:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=d0sQpmyexwIdroEAE76VmRP1W6v5y7u+rJz+qoU+RB0=; b=WLmnA0/x31bfSDoBjRf0CQXryWfSxKNFL2iK8mmxkSPJFiHaY8F2yrzzJyo8foB4Y1 LQTs/3BY6SvKINZo9MqbOK51NOtP7Vc9+GhlvcWnpb7oqWxCijivYnGU9dQRY2DNBG0P Q11J6hBaMIJM5QsfdXaEmhYMe2Mr/zM6Yhwf1x9yHybviiNCeobZbd2SuKsSIQYJCgO+ ozoGtcvXXnfJy4NDRhsCmoSrgv6lMr4RrG3/n8gEQZVuWfROesvYxJ46KEIGa8fyaQK/ twlY6w0AVDSnE+0sfkNk0S9w5XFxzu/Ao/GWELMHVke1f65RHt9VXaTAB6g9m/AqnhBy CRVg== X-Gm-Message-State: ALoCoQlzKGhcIxwZhuOhcyrKGj9u/qWuHB6pfSbcsZkq4eRv5CCOmjgyxD39CEh+sK6bwhJLqkxd X-Received: by 10.152.30.41 with SMTP id p9mr10803934lah.26.1398531765445; Sat, 26 Apr 2014 10:02:45 -0700 (PDT) MIME-Version: 1.0 Received: by 10.112.39.71 with HTTP; Sat, 26 Apr 2014 10:02:05 -0700 (PDT) X-Originating-IP: [208.54.40.253] In-Reply-To: References: From: Leif Pedersen Date: Sat, 26 Apr 2014 12:02:05 -0500 Message-ID: Subject: Re: am I NOT hacked? To: Joe Parsons Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Apr 2014 17:02:54 -0000 Joe, Just thinking about this practically, I don't think you were compromised. It seems more like you goofed the upgrade in the same way on each VM. Also, if I were attacking, I wouldn't leave such overt traces that one would immediately notice. And if the attacker were goofing up that badly, he'd likely not do it the same way on every VM. Not that assuming anything about an attacker's intelligence guarantees anything, but it does seem like an odd thing to do. Not to mention other's comments about pre-10 not being vulnerable, and local compromise requiring that your password or SSH key was read by a process serving SSL sockets. If you decide it's likely your system was compromised while it was vulnerable, shutting off the system is a priority to stop ongoing damages. Then you have to mount its disks in a clean system so that whatever bad stuff (bots, backdoors, etc) the attacker added don't just start again at reboot, and to be sure the attacker doesn't merely add backdoors back while you take them away. It's hard to be sure you fixed every single file that was touched ...executables, dynamic libs, configs, and much more contain subtle ways to leave a back door, and one could even patch the kernel to hide a malicious process in memory. Starting from a fresh install and copying your data over is really the quickest and safest approach. Since "restore your data" usually means home directories, be sure to check everyone's .ssh/authorized_keys for unwanted entries before copying. Try "man pwd_mkdb" for info on the password database; especially look under the "FILES" heading. It's a good subsystem to know more about anyway, and not complicated. It is perhaps easier to remember that using vipw to add a blank line will sync everything than to remember the cryptic "pwd_mkdb -p /etc/master.passwd" command though. Actually having a machine compromised is no fun; I've been there. I do hope that's not the case for you. - Leif On Sat, Apr 26, 2014 at 4:55 AM, Joe Parsons wrote: > I was slow to patch my multiple vms after that heartbleed disclosure. I > just managed to upgrade these systems to 9.2, and installed the patched > openssl, then started changing passwords for root and other shell users. > However I realized that, only the root password was changed. For other > users, even though the "passwd userid" issued no warning, and "echo $?" is > 0, the password is NOT changed. > > For more debugging, I tried to "adduser", the command was successful, and > I can see the new entry "test" in /etc/passwd. However "finger test" > complains no such user! Also, "rm test" complains there is no such user to > delete as well. > > Furthermore, the mail server got problem sending email, the log file said > there is no such user "postfix", and sure enough: > > # finger postfix > finger: postfix: no such user > > while this "postfix" user certainly existed for years, and I can see see > its entry in /etc/passwd. > > This appeared to all the multiple vms on multiple hosts, all running > FreeBSD 9.2 now. > > I was paranoid, I really should have patched all these systems immediately > reading that heartbleed news, as all these servers had the vulnerable > openssl port installed! > > Until googling and I found this: > > https://forums.freebsd.org/viewtopic.php?&t=29644 > > it said "The user accounts are actually stored in a database. It's > possible it got out of sync with your [file]/etc/passwd[/file] file.", and > it suggested running "vipw" to fix it. > > I ran vipw, then saved, and quit. No joy. Then ran vipw again, made a > change, then undid the change, save again. Now "finger postfix" found the > user, and I can change user password now, and all the above problem > disappeared. > > Am I right that, that I am NOT hacked? Is the above problem produced by > the freebsd-update process? Is this supposed to happen? I just followed > the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled > kernel or tweak. > > Thank you! Joe > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > -- As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. http://bilbo.hobbiton.org/wiki/Eat_My_Sig