Date:      Sat, 26 Apr 2014 14:17:13 -0400
From:      Joe Parsons <jp4314@outlook.com>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   RE: am I NOT hacked?
Message-ID:  <BAY180-W19B6B2EB8597AA9F6383A4C4450@phx.gbl>
In-Reply-To: <BAY180-W6170BEC00A4018BBB261EFC4450@phx.gbl>
References:  <BAY180-W44C86C61CA8027AC418DD8C4450@phx.gbl>, , <CAK-wPOjM6oSuMc-ogzEPX62-Z8xNJWyKrHCJ=hUg1EwK%2BMAjCA@mail.gmail.com>, <BAY180-W6170BEC00A4018BBB261EFC4450@phx.gbl>

Sorry, one paragraph of my last reply appears to be screwed up on the web archive. You can ignore that reply and just read the following. I'm sorry for the confusion.

Ok, thanks a lot for all your kind help. I learned the pwd_mkdb manpage and the databases as you suggested.

To clarify, I understand the 9.1 kernel contains the non-vulnerable version of the openssl library, hence mere apache/https is not vulnerable. However, the vulnerable openssl port is installed for the mail software to provide imaps/pops/smtps services, so they are vulnerable.

The following reply is what I'm confused about:

> In any case, heartbleed does *not* facilitate remote code execution or
> code injection, only information retrieval, so unless your passwords
> were stored in cleartext (or a weakly hashed form) in the memory of an
> Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
> or imaps, but not ssh), you cannot have been "hacked" as a consequence
> of heartbleed.

I ssh into the system, and I /usr/bin/su to become root. Do my shell passwords show up in clear text in the memory briefly, so the attacker could happen to harvest them? In other words, on a system with the vulnerable openssl port, do we need to change the shell password for root and other users, if these passwords are ONLY used in ssh and /usr/bin/su?

I googled and found few results; almost all are focused on changing user mail passwords and server certificates. I only found this page, which said they changed the server root password:

http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/

Thanks, Joe


