Date: Sat, 27 Feb 2021 18:13:45 -0600 From: "J. Hellenthal" <jhellenthal@dataix.net> To: Gareth de Vaux <security@lordcow.org> Cc: FreeBSD-security@freebsd.org Subject: Re: user account disappeared Message-ID: <1350C470-7B80-4B75-AFF2-0D903D9D7AE7@dataix.net> In-Reply-To: <YDq4LEPA/1YaZg02@lordcow.org> References: <YDq4LEPA/1YaZg02@lordcow.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Also=20 ls -l /etc/*pass* Should show you those. Appears you=E2=80=99ve missed them. --=20 J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a= lot about anticipated traffic volume. > On Feb 27, 2021, at 15:23, Gareth de Vaux <security@lordcow.org> wrote: >=20 > =EF=BB=BFHi all, one of my users in a jail has mysteriously half disappear= ed. I've renamed the user to 'lostuser', the password hash, and the process i= t's running to protect privacy below: >=20 > I suddenly can't log in over ssh: >=20 > sshd[22485]: Invalid user lostuser from XYZ >=20 > # su - lostuser > su: unknown login: lostuser >=20 > # ls -ld /home/lostuser > drwx------ 8 1012 users 18 Jan 23 11:19 /home/lostuser >=20 > $HOME still exists but only showing the userid. >=20 > # egrep "1012|lostuser" /etc/passwd > lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash >=20 > # egrep "1012|lostuser" /etc/master.passwd=20 > lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/ba= sh >=20 > Entries are still in /etc/*passwd ? >=20 > # ls -l /etc/*passwd /etc/group > -rw-r--r-- 1 root wheel 605 Nov 6 16:52 /etc/group > -rw------- 1 root wheel 4092 Jan 23 12:22 /etc/master.passwd > -rw-r--r-- 1 root wheel 2621 Jan 23 12:22 /etc/passwd >=20 > This process is still running, which is a network server which is still fu= nctioning: >=20 > # ps aux | grep lostuser > 1012 56261 0.0 0.1 44952 21288 7 S+J 3Dec20 9:52.21 /usr= /local/bin/python3.6 /home/lostuser/xyz >=20 > also obviously showing the userid and not the username. >=20 >=20 > # grep lostuser /var/log/auth.log > ... > Dec 31 10:56:34 ns1 sshd[43798]: Accepted publickey for lostuser from xyz > Dec 31 10:56:57 ns1 sshd[44133]: Disconnected from user lostuser > Jan 10 09:37:05 ns1 sshd[9679]: Accepted publickey for lostuser from xyz > Jan 10 09:37:09 ns1 sshd[10241]: Disconnected from user lostuser > Jan 23 11:19:11 ns1 sshd[45905]: Accepted publickey for lostuser from xyz > Jan 23 11:19:14 ns1 sshd[46228]: Disconnected from user lostuser > Feb 27 18:06:49 ns1 sshd[93323]: Invalid user lostuser from xyz > Feb 27 18:06:49 ns1 sshd[93323]: Connection closed by invalid user lostuse= r xyz >=20 > 23 Jan 2021 was the last successful login, and later that day /etc/*passwd= was touched due to me changing the > password of a different user, confirmed as the only change from diff'ing a= gainst backups. >=20 > Last buildworld upgrade on 3 Nov 2020 (host and jail): >=20 > $ uname -a > FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue No= v 3 12:11:29 SAST 2020 root@lordcow.org:/usr/obj/usr/src/sys/GENERIC a= md64 >=20 > The last ports upgrade was 13 Feb 2021, before that I'm not sure. >=20 > The last entry in /var/log/userlog was 23 Jul 2020, and: >=20 > # ls -l /var/log/userlog=20 > -rw------- 1 root wheel 4202 Jul 23 2020 /var/log/userlog >=20 >=20 > ie. timeline: >=20 > 23 Jul 2020 Last userlog change > 3 Nov 2020 buildkernel/buildworld and reboot > 3 Dec 2020 lostuser network server process spawned and still functioning > 23 Jan 2021 Last successful login to lostuser > 23 Jan 2021 Unrelated user's password intentionally changed with passwd > 13 Feb 2021 ports upgrade > 27 Feb 2021 Discover user doesn't exist anymore but still has entries in /= etc/*passwd and a process running >=20 > Any ideas? > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org= "
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1350C470-7B80-4B75-AFF2-0D903D9D7AE7>