Date: Fri, 18 Jan 2013 00:43:06 +0000
From: Ben Morrow <ben@morrow.me.uk>
To: feld@feld.me, freebsd-stable@freebsd.org
Subject: Re: freebsd-update IDS
Message-ID: <20130118004306.GA48310@anubis.morrow.me.uk>
In-Reply-To: <op.wq16c1cu34t2sn@markf.office.supranet.net>
References: <50D56D4B.4060709@webmail.sub.ru> <20121222032541.0ceb9f56@tech304> <50F7FB12.5040602@webmail.sub.ru>

Quoth Mark Felder <feld@feld.me>:
> On Thu, 17 Jan 2013 07:22:26 -0600, Alex Povolotsky
> <tarkhil@webmail.sub.ru> wrote:
>
> > It was a break-in. Some dumb php script running with user privileges
> > managed FreeBSD to hang on disk io up to stopping responding to anything
> > besides reset.
>
> Yikes! Make sure to run freebsd-update IDS to check the base OS's
> checksums and if you're using pkgng you can use "pkg check-s" to look for
> any tampered with files owned by packages.

Make sure you read the caveats in the freebsd-update manpage before
trusting the IDS result. At the very least you need to delete
/var/db/freebsd-update, /etc/freebsd-update.conf and
/usr/sbin/freebsd-update itself and replace them with known-good copies.
Ideally you should run the tests from an entirely separate known-good
instance of the OS, though in practice it's probably easier to just
replace the OS and packages from known-good sources and then set about
recovering and verifying the data.

cf. the story about patching cc to patch cc to patch login...

Ben
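
An added example, not part of the message above: a shell sketch that checks the three paths the message names before an IDS result is trusted. It assumes it is run from a separate known-good OS instance with the suspect root and a known-good root both mounted; the function names and output labels are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original message. Assumes a known-good OS
# instance with the suspect root and a known-good root both mounted.
# hash_file and check_ids_inputs are hypothetical helper names.

# Print the SHA-256 of a file with whichever tool the rescue OS provides.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                    # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1    # fallback so the sketch runs elsewhere
    fi
}

# check_ids_inputs SUSPECT_ROOT GOOD_ROOT
# Prints one line per problem and returns the number of problems found.
check_ids_inputs() {
    suspect=$1 good=$2 bad=0
    # The script and its configuration can be compared byte for byte.
    for rel in usr/sbin/freebsd-update etc/freebsd-update.conf; do
        if [ ! -f "$good/$rel" ]; then
            echo "MISSING-REFERENCE $rel"; bad=$((bad + 1)); continue
        fi
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING $rel"; bad=$((bad + 1)); continue
        fi
        if [ "$(hash_file "$suspect/$rel")" != "$(hash_file "$good/$rel")" ]; then
            echo "DIFFERS $rel"; bad=$((bad + 1))
        fi
    done
    # The working directory holds downloaded state written on the suspect
    # host. It cannot be compared meaningfully, only discarded and refetched.
    if [ -e "$suspect/var/db/freebsd-update" ]; then
        echo "UNTRUSTED-STATE var/db/freebsd-update"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Stand-alone use: sh script.sh SUSPECT_ROOT GOOD_ROOT
if [ "$#" -eq 2 ]; then
    check_ids_inputs "$1" "$2"
fi
```

A zero exit status only says these three inputs match the reference; it says nothing about the rest of the suspect system.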
