Date: Fri, 18 Jan 2013 00:43:06 +0000
From: Ben Morrow <ben@morrow.me.uk>
To: feld@feld.me, freebsd-stable@freebsd.org
Subject: Re: freebsd-update IDS
Message-ID: <20130118004306.GA48310@anubis.morrow.me.uk>
In-Reply-To: <op.wq16c1cu34t2sn@markf.office.supranet.net>
References: <50D56D4B.4060709@webmail.sub.ru> <20121222032541.0ceb9f56@tech304> <50F7FB12.5040602@webmail.sub.ru>
Quoth Mark Felder <feld@feld.me>:
> On Thu, 17 Jan 2013 07:22:26 -0600, Alex Povolotsky
> <tarkhil@webmail.sub.ru> wrote:
>
> > It was a break-in. Some dumb php script running with user privileges
> > managed FreeBSD to hang on disk io up to stopping responding to anything
> > besides reset.
>
> Yikes! Make sure to run freebsd-update IDS to check the base OS's
> checksums and if you're using pkgng you can use "pkg check -s" to look for
> any tampered with files owned by packages.

Make sure you read the caveats in the freebsd-update manpage before
trusting the IDS result. At the very least you need to delete
/var/db/freebsd-update, /etc/freebsd-update.conf and
/usr/sbin/freebsd-update itself and replace them with known-good copies.
Ideally you should run the tests from an entirely separate known-good
instance of the OS, though in practice it's probably easier to just
replace the OS and packages from known-good sources and then set about
recovering and verifying the data.

cf. the story about patching cc to patch cc to patch login...

Ben
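The point Ben makes, that an on-host integrity checker is only as trustworthy as the checker binary and its configuration, can be shown with a small manifest check. The script below is an added example written for this page, not code from the thread or from freebsd-update itself. It builds a SHA-256 manifest from a known-good tree (standing in for release media or a clean install), then verifies the tooling files Ben names first and refuses to trust the full result if any of them differ. The directory layout, file contents and "tampered" copy are constructed sample data under a temporary directory; the only assumptions about the host are POSIX sh and either `sha256` (FreeBSD) or `sha256sum` (coreutils).

```shell
#!/bin/sh
# Added example, not part of the original thread: offline integrity check of a
# file tree against a known-good SHA-256 manifest, with the checker's own
# files verified before the full result is trusted. All paths below live in a
# constructed temporary tree, not on the real system.

# Use whichever SHA-256 tool the host has (FreeBSD: sha256, coreutils: sha256sum).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# build_manifest ROOT OUTFILE: write "hash  relative-path" for every regular
# file under ROOT, sorted so the manifest is reproducible.
build_manifest() {
    root=$1; out=$2
    : > "$out"
    ( cd "$root" && find . -type f | sort ) | while IFS= read -r rel; do
        printf '%s  %s\n' "$(sha256_of "$root/$rel")" "$rel" >> "$out"
    done
}

# Files the checker itself depends on (the ones the mail says to replace
# first); /var/db/freebsd-update is a state directory and is simply deleted.
TOOLING='./usr/sbin/freebsd-update ./etc/freebsd-update.conf'

# check_tooling ROOT MANIFEST: verify only the tooling files. Returns 1 if
# any is missing, modified, or absent from the baseline.
check_tooling() {
    root=$1; manifest=$2; bad=0
    for rel in $TOOLING; do
        want=$(grep " $rel\$" "$manifest" | cut -d' ' -f1)
        if [ -z "$want" ]; then
            echo "NO BASELINE $rel"; bad=1
        elif [ ! -f "$root/$rel" ] || [ "$(sha256_of "$root/$rel")" != "$want" ]; then
            echo "TAMPERED $rel"; bad=1
        fi
    done
    return $bad
}

# verify_manifest ROOT MANIFEST: report every missing or modified file under
# ROOT relative to MANIFEST. Returns 1 if anything differs.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r want rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(sha256_of "$root/$rel")" != "$want" ]; then
            echo "MODIFIED $rel"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Demo on a constructed tree: a "good" copy, and a "live" copy in which the
# checker binary has been replaced so that it always reports success.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/good/usr/sbin" "$work/good/etc" "$work/good/usr/bin"
    printf '#!/bin/sh\necho "IDS: all files match"\n' > "$work/good/usr/sbin/freebsd-update"
    printf 'Components src world kernel\n' > "$work/good/etc/freebsd-update.conf"
    printf 'constructed stand-in for /usr/bin/login\n' > "$work/good/usr/bin/login"
    build_manifest "$work/good" "$work/known-good.sha256"

    mkdir -p "$work/live"
    cp -R "$work/good/." "$work/live/"
    printf '#!/bin/sh\necho "IDS: all files match"  # unconditionally\n' \
        > "$work/live/usr/sbin/freebsd-update"

    echo "== tooling check on live tree =="
    if check_tooling "$work/live" "$work/known-good.sha256"; then
        echo "tooling intact: on-host IDS output can be trusted"
    else
        echo "tooling differs: do not trust the on-host IDS, verify from known-good media"
    fi
    echo "== full manifest check =="
    verify_manifest "$work/live" "$work/known-good.sha256" || true
    rm -rf "$work"
}

demo
```

The manifest must come from a tree you trust (install media, a fresh jail, a separate known-good host), and the script, the hash tool and the shell it runs under must not come from the suspect system; otherwise the check collapses into the same "trust the checker" problem the mail describes.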
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130118004306.GA48310>