From owner-freebsd-stable@FreeBSD.ORG Fri Jan 18 00:43:13 2013
Date: Fri, 18 Jan 2013 00:43:06 +0000
From: Ben Morrow
To: feld@feld.me, freebsd-stable@freebsd.org
Subject: Re: freebsd-update IDS
Message-ID: <20130118004306.GA48310@anubis.morrow.me.uk>
References: <50D56D4B.4060709@webmail.sub.ru> <20121222032541.0ceb9f56@tech304> <50F7FB12.5040602@webmail.sub.ru>
List-Id: Production branch of FreeBSD source code
Quoth Mark Felder:
> On Thu, 17 Jan 2013 07:22:26 -0600, Alex Povolotsky wrote:
>
> > It was a break-in. Some dumb php script running with user privileges
> > managed to make FreeBSD hang on disk I/O, up to the point of not
> > responding to anything besides reset.
>
> Yikes! Make sure to run freebsd-update IDS to check the base OS's
> checksums, and if you're using pkgng you can use "pkg check -s" to look
> for any tampered-with files owned by packages.

Make sure you read the caveats in the freebsd-update manpage before
trusting the IDS result. At the very least you need to delete
/var/db/freebsd-update, /etc/freebsd-update.conf and
/usr/sbin/freebsd-update itself and replace them with known-good copies.
Ideally you should run the tests from an entirely separate known-good
instance of the OS, though in practice it's probably easier to just
replace the OS and packages from known-good sources and then set about
recovering and verifying the data.

cf. the story about patching cc to patch cc to patch login...

Ben
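The "replace the IDS tooling before trusting the IDS" step Ben describes, written out as a POSIX sh script. This is an added example, not code from anyone in this thread or from the FreeBSD project. It assumes a known-good copy of the OS (install media or a clean jail) is mounted read-only somewhere such as /mnt/clean (hypothetical path, passed in via KNOWN_GOOD_ROOT), and it extends Ben's list of three paths with the interpreter and utilities freebsd-update itself calls (/bin/sh, /usr/bin/fetch, /sbin/sha256); that dependency list is an assumption and is illustrative rather than exhaustive. It verifies before it replaces, so that a mismatch becomes evidence of tampering rather than being silently papered over.

```shell
#!/bin/sh
# Added example (not from the thread): verify the freebsd-update tooling
# against a known-good root before running `freebsd-update IDS`, restore
# anything that differs, clear local freebsd-update state, then run the IDS.

# The files Ben names, relative to the root being checked.
IDS_TOOLING="/usr/sbin/freebsd-update /etc/freebsd-update.conf"

# Assumption (not from the thread): freebsd-update is a shell script, so the
# interpreter and utilities it runs must be trustworthy too. Illustrative list.
IDS_DEPS="/bin/sh /usr/bin/fetch /sbin/sha256"

# hash_file FILE: print the SHA-256 hex digest. FreeBSD ships sha256(1),
# Linux ships sha256sum(1); openssl is the fallback for either.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# compare_roots GOOD_ROOT SUSPECT_ROOT FILE...
# Prints one line per file (OK / MISMATCH / MISSING / NOGOOD) and returns 0
# only when every file matches its known-good copy. SUSPECT_ROOT may be ""
# to check the live system.
compare_roots() {
    good="$1"; suspect="$2"; shift 2
    rc=0
    for f in "$@"; do
        if [ ! -e "$good$f" ]; then
            echo "NOGOOD   $f (no known-good copy to compare against)"
            rc=1
        elif [ ! -e "$suspect$f" ]; then
            echo "MISSING  $f"
            rc=1
        elif [ "$(hash_file "$good$f")" = "$(hash_file "$suspect$f")" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f"
            rc=1
        fi
    done
    return $rc
}

# restore_from_known_good GOOD_ROOT SUSPECT_ROOT FILE...
# Ben's "replace them with known-good copies", preserving mode and times.
restore_from_known_good() {
    good="$1"; suspect="$2"; shift 2
    for f in "$@"; do
        mkdir -p "$(dirname "$suspect$f")"
        cp -p "$good$f" "$suspect$f"
    done
}

# verify_ids_tooling GOOD_ROOT [SUSPECT_ROOT]
# Checks the freebsd-update files plus their assumed dependencies.
# $IDS_TOOLING and $IDS_DEPS are deliberately unquoted so they split into words.
verify_ids_tooling() {
    compare_roots "$1" "${2:-}" $IDS_TOOLING $IDS_DEPS
}

# Live usage, only when KNOWN_GOOD_ROOT is set (e.g. /mnt/clean, assumed),
# so that sourcing this file for its functions has no side effects.
if [ -n "${KNOWN_GOOD_ROOT:-}" ]; then
    if ! verify_ids_tooling "$KNOWN_GOOD_ROOT"; then
        echo "tooling differs from known-good copy: treat as tampering; restoring" >&2
        restore_from_known_good "$KNOWN_GOOD_ROOT" "" $IDS_TOOLING $IDS_DEPS
    fi
    rm -rf /var/db/freebsd-update   # stale local state, also named by Ben
    freebsd-update IDS
fi
```

The same "verify the verifier" reasoning applies to /usr/sbin/pkg before trusting `pkg check -s`: add its path (and the libraries it loads) to the list, or, as Ben suggests, run both checks from a separate known-good instance of the OS so that nothing on the compromised disk is executed at all.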