Date: Mon, 29 Dec 2003 15:09:17 -0500 (EST)
From: Jaime <jaime@snowmoon.com>
To: freebsd-questions@freebsd.org
Subject: Re: uname weirdness after kernel/OS update
Message-ID: <20031229150646.R5733@malkav.snowmoon.com>
The following is my most recent email message to someone who was helping me with a very odd uname issue. I hope that this reporting of the "final" events (oh-god-please-let-this-be-done-and-over-with) helps someone else some day. The offer that I make at the end of my message is genuine. If a FreeBSD expert (Greg? *nudge*) wants the /boot files, they can have them.

Jaime

---------- Forwarded message ----------
Date: Mon, 29 Dec 2003 15:05:07 -0500 (EST)
From: jaime@snowmoon.com
To: T Kellers <kellers@njit.edu>
Subject: Re: compiled kernel file

After lots of various ideas, including kernels compiled on different boxes (e.g. the one that you sent), nothing seemed to work. Then I noticed that not everything in / was being listed when I typed "ls" at the boot manager. This is when I started getting creative.

I used sysinstall's disk slice editor to put a new MBR onto the drive and removed /boot. The next attempt to boot refused to mount any of my SCSI drives, and it showed a few files in / that were different from what they should be. For example, /proc was missing, /homes (an older attempt to make home directories exist on /homes/students and /homes/staff left this directory behind) was back -- even though I thought that I had removed it -- and /home was gone, and the most recent etc-*.tar.gz backup of /etc (which I made before the 12/23/03 cvsup) was missing. It was as if I suddenly took a trip backwards in time for this partition by at least a few months.

My best guess is that someone had hidden the real / partition and put their own partition (or disk image?) in its place, using a compromised boot loader. This would explain why using "ls" at the boot loader produced a different list of files than "ls" at the single-user shell showed. It also explains why new kernels wouldn't load, making uname give "bad" results on a "new" kernel. It was reporting data about the kernel that the cracker had given it!

I again removed /boot, /usr/src, and /usr/obj, just in case these were violated, too. I did a new cvsup, make buildworld, make buildkernel, make installkernel, and rebooted into single user mode. The / partition was the way I had left it, not the way it was when the symptoms were noticed. So I kept going and did a make installworld and a mergemaster and then rebooted again. Everything seems to be working well now. uname now says:

zeus:jkikpole>uname -a
FreeBSD zeus.cairodurham.org 4.9-STABLE FreeBSD 4.9-STABLE #0: Mon Dec 29 13:46:57 EST 2003 root@:/usr/obj/usr/src/sys/ZEUS i386

I changed my root password a few weeks ago. I just removed the toor password (in vipw, I replaced the cypher with a "*"). My next step is to change the password of any account in the wheel group.

I honestly think that someone had broken into this box and made some really creative cracks. I'm not sure about back doors at this point. Using chkrootkit doesn't show anything out of place. (An occasional "possible" LKM trojan report, but it's not consistent, and various people claim that apache can cause false positives on that test.)

If ANY of the above rings some bells for you, please let me know. Any advice on securing this box would be appreciated, too. Unfortunately, formatting the drive and reinstalling the OS is not an option at this time. :(

Feel free to pass this report along to any FreeBSD power-user that can make the OS better by reading this. I'd be happy to provide assorted files off the system (including any of the "/boot"s that I still have) if they will help.
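One defensive check that would have shortened the hunt described above is a hash baseline of the boot chain, taken right after a clean installkernel and compared again whenever uname or the boot loader's "ls" looks wrong. The script below is an added example, not code from the thread or from FreeBSD; it assumes the baseline file is kept off the host, that sha256(1) or sha256sum(1) is available, and that on FreeBSD 4.x the kernel lives at /kernel.

```sh
#!/bin/sh
# Added example, not from the thread: keep a SHA-256 baseline of the boot
# chain (/boot and, on FreeBSD 4.x, /kernel) taken right after a clean
# installkernel, then re-verify before each reboot or when uname looks wrong.
# Assumption: the baseline file is copied off the host, since a baseline kept
# on the same disk can be rewritten by whoever altered /boot.
set -u

hash_file() {
    # Print "<sha256> <path>"; FreeBSD ships sha256(1), GNU systems sha256sum(1).
    if command -v sha256 >/dev/null 2>&1; then
        printf '%s %s\n' "$(sha256 -q "$1")" "$1"
    else
        printf '%s %s\n' "$(sha256sum "$1" | cut -d' ' -f1)" "$1"
    fi
}

list_hashes() {
    # Hash every regular file under the given paths, in a stable order.
    find "$@" -type f | LC_ALL=C sort | while read -r f; do
        hash_file "$f"
    done
}

make_baseline() {
    # make_baseline SPEC PATH...  writes the baseline to SPEC.
    spec=$1; shift
    list_hashes "$@" > "$spec"
}

verify_baseline() {
    # verify_baseline SPEC PATH...  prints differences ("<" = baseline entry
    # now missing or changed, ">" = file new or changed) and returns 0 only
    # when the current tree matches the baseline exactly.
    spec=$1; shift
    cur=$(mktemp) || return 2
    list_hashes "$@" > "$cur"
    if diff "$spec" "$cur"; then rc=0; else rc=$?; fi
    rm -f "$cur"
    return "$rc"
}

# Command-line use: ./bootcheck.sh baseline /var/boot.spec /boot /kernel
#                   ./bootcheck.sh verify   /var/boot.spec /boot /kernel
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    verify)   shift; verify_baseline "$@" ;;
esac
```

A mismatch only tells you that the on-disk boot files differ from the baseline; a boot loader that presents a different / partition, as suspected above, would additionally show up as the baseline paths themselves going missing.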