From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Steve O'Hara-Smith"
Cc: freebsd-questions@freebsd.org
Reply-To: galtsev@kicp.uchicago.edu
Date: Mon, 27 Feb 2017 09:25:51 -0600 (CST)
Subject: Re: home directory overridden by root?
Message-ID: <34847.128.135.52.6.1488209151.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20170227145725.81ca3555a2fbfa472fa3e6a6@sohara.org>
References: <20170227111307.5441830c@kalimero.tijl.coosemans.org>
 <20170227145725.81ca3555a2fbfa472fa3e6a6@sohara.org>

On Mon, February 27, 2017 8:57 am, Steve O'Hara-Smith wrote:
> On Mon, 27 Feb 2017 06:44:42 -0800
> Paul Beard wrote:
>
>> > On Feb 27, 2017, at 2:13 AM, Tijl Coosemans wrote:
>> >
>> > If that's not correct check if some login script sets that variable
>> > and remove that.
>> > Its value should be correct by default.
>>
>> I have no idea what could set that other than that some . script. But I
>> found nothing that set any environment variables.
>
> Those or login.conf or /etc/profile are about the only places it
> should be able to happen.
>
>> I created a .bashrc that explicitly sets it for now. I may create a new
>> user and see if that account gets its $HOME set properly.
>
> HOME normally gets set up correctly so something is awry on your
> system. Creating another user is well worth doing, it will tell you
> straight away whether the problem is in your own environment setup or in
> the system.

There is one more possibility: the problem was in the system the moment the
"defunct" user was created, but since then it was fixed. The fact that it is
not there anymore may merely be due to the fact that intruders did a "sweep
up" of their traces after they installed a backdoor for themselves.
Alternatively, there could just have been a typo on the command line when you
were creating the "defunct" account. But I agree, creating one more account
will give you additional information in figuring out what's wrong.

Unless all the weirdness is explained and has benign reasons, I would assume
the machine compromised and follow compromise recovery procedures (back up
user data, re-format the drive, install a fresh system, patch, secure the
system, re-create users, restore user data; and make sure all users know
about the potential compromise event, use different passwords, and change
passwords everywhere else they logged in from the compromised machine).

All in all, finding out the reasons for the weirdness is less hassle than
blindly assuming compromise and following the recovery procedure.

Good luck!
Valeri

>
> --
> Steve O'Hara-Smith

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
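As an added example (not code from this thread or from FreeBSD), a small POSIX sh audit for the check discussed above: compare the home directory in the passwd database with the HOME a session actually ends up with, and grep the usual startup files for anything that assigns HOME. The candidate file locations and the login.conf "setenv=" pattern are assumptions about a typical FreeBSD layout.

```shell
# Added example, not code from the thread. Audits where a user's HOME
# could be set or overridden. Assumes a FreeBSD-style layout; adjust the
# candidate file list for your system.

# Home directory recorded for user $2 in the passwd-format file $1
# (/etc/passwd on a live system); prints nothing if the user is absent.
passwd_home() {
    awk -F: -v u="$2" '$1 == u { print $6; exit }' "$1"
}

# Compare the passwd entry for user $2 (file $1) with the HOME observed
# in a session ($3). Returns 0 on match, 1 on mismatch, 2 if no entry.
check_home_matches() {
    expected=$(passwd_home "$1" "$2")
    if [ -z "$expected" ]; then
        echo "no passwd entry for $2" >&2
        return 2
    fi
    if [ "$expected" = "$3" ]; then
        echo "HOME for $2 matches passwd entry: $expected"
        return 0
    fi
    echo "MISMATCH for $2: passwd says $expected, session has $3"
    return 1
}

# Print every line in the given files that assigns HOME, covering sh-style
# (HOME=..., export HOME=...), csh-style (setenv HOME ...) and the
# login.conf setenv= capability. Returns 0 if anything matched, else 1.
find_home_overrides() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -nHE '(^|[[:space:];])(export[[:space:]]+)?HOME=|setenv[[:space:]]+HOME([[:space:]]|$)|setenv=[^:]*HOME=' "$f"; then
            found=0
        fi
    done
    return $found
}

# Files worth checking for the login named in $1 (assumed locations).
candidate_files() {
    h=$(passwd_home /etc/passwd "$1")
    echo /etc/login.conf /etc/profile /etc/csh.cshrc /etc/csh.login
    for d in .login_conf .profile .bash_profile .bashrc .login .cshrc .shrc; do
        echo "$h/$d"
    done
}
```

On a live system run `check_home_matches /etc/passwd "$USER" "$HOME"` from the affected login and then `find_home_overrides $(candidate_files "$USER")`; a mismatch with no hit in any of those files points at the system rather than the user's own dot files.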