Date:      Sat, 26 Apr 2014 14:05:29 -0400
From:      Joe Parsons <jp4314@outlook.com>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   RE: am I NOT hacked?
Message-ID:  <BAY180-W6170BEC00A4018BBB261EFC4450@phx.gbl>
In-Reply-To: <CAK-wPOjM6oSuMc-ogzEPX62-Z8xNJWyKrHCJ=hUg1EwK%2BMAjCA@mail.gmail.com>
References:  <BAY180-W44C86C61CA8027AC418DD8C4450@phx.gbl>, <CAK-wPOjM6oSuMc-ogzEPX62-Z8xNJWyKrHCJ=hUg1EwK%2BMAjCA@mail.gmail.com>

Ok, thanks a lot for all your kind help.  I learned the pwd_mkdb manpage and the databases as you suggested.

To clarify, I understand the 9.1 kernel contains the non-vulnerable version of the openssl library, hence mere apache/https is not vulnerable.  However the vulnerable openssl port is installed for the mail software to provide imaps/pops/smtps services, so they are vulnerable.

The following reply is what I'm confused about:
> In any case, heartbleed does *not* facilitate remote code execution or
> code injection, only information retrieval, so unless your passwords
> were stored in cleartext (or a weakly hashed form) in the memory of an
> Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
> or imaps, but not ssh), you cannot have been "hacked" as a consequence
> of heartbleed.

I ssh into the system, and I /usr/bin/su to become root.  Do my shell passwords show up in clear text in memory briefly, so the attacker could happen to harvest them?  In other words, on a system with the vulnerable openssl port, do we need to change the shell password for root and other users, if these passwords are ONLY used in ssh and /usr/bin/su?

I googled and found few results; almost all are focused on changing user mail passwords and server certificates.  I only found this page, which said they changed the server root password:

http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/

Thanks, Joe

> From: bilbo@hobbiton.org
> Date: Sat, 26 Apr 2014 12:02:05 -0500
> Subject: Re: am I NOT hacked?
> To: jp4314@outlook.com
> CC: freebsd-security@freebsd.org
>
> Joe,
>
> Just thinking about this practically, I don't think you were compromised.
> It seems more like you goofed the upgrade in the same way on each VM. Also,
> if I were attacking, I wouldn't leave such overt traces that one would
> immediately notice. And if the attacker were goofing up that badly, he'd
> likely not do it the same way on every VM. Not that assuming anything about
> an attacker's intelligence guarantees anything, but it does seem like an
> odd thing to do. Not to mention others' comments about pre-10 not being
> vulnerable, and local compromise requiring that your password or SSH key
> was read by a process serving SSL sockets.
>
> If you decide it's likely your system was compromised while it was
> vulnerable, shutting off the system is a priority to stop ongoing damage.
> Then you have to mount its disks in a clean system so that whatever bad
> stuff (bots, backdoors, etc) the attacker added doesn't just start again at
> reboot, and to be sure the attacker doesn't merely add backdoors back while
> you take them away. It's hard to be sure you fixed every single file that
> was touched ...executables, dynamic libs, configs, and much more contain
> subtle ways to leave a back door, and one could even patch the kernel to
> hide a malicious process in memory. Starting from a fresh install and
> copying your data over is really the quickest and safest approach. Since
> "restore your data" usually means home directories, be sure to check
> everyone's .ssh/authorized_keys for unwanted entries before copying.
>
> Try "man pwd_mkdb" for info on the password database; especially look under
> the "FILES" heading. It's a good subsystem to know more about anyway, and
> not complicated. It is perhaps easier to remember that using vipw to add a
> blank line will sync everything than to remember the cryptic "pwd_mkdb -p
> /etc/master.passwd" command though.
>
> Actually having a machine compromised is no fun; I've been there. I do hope
> that's not the case for you.
>=20
> - Leif
>
> On Sat, Apr 26, 2014 at 4:55 AM, Joe Parsons <jp4314@outlook.com> wrote:
>
> > I was slow to patch my multiple vms after that heartbleed disclosure.  I
> > just managed to upgrade these systems to 9.2, and installed the patched
> > openssl, then started changing passwords for root and other shell users.
> > However I realized that only the root password was changed.  For other
> > users, even though the "passwd userid" issued no warning, and "echo $?" is
> > 0, the password is NOT changed.
> >
> > For more debugging, I tried to "adduser"; the command was successful, and
> > I can see the new entry "test" in /etc/passwd. However "finger test"
> > complains no such user!  Also, "rm test" complains there is no such user to
> > delete as well.
> >
> > Furthermore, the mail server had problems sending email; the log file said
> > there is no such user "postfix", and sure enough:
> >
> > # finger postfix
> > finger: postfix: no such user
> >
> > while this "postfix" user certainly existed for years, and I can see
> > its entry in /etc/passwd.
> >
> > This appeared on all the multiple vms on multiple hosts, all running
> > FreeBSD 9.2 now.
> >
> > I was paranoid; I really should have patched all these systems immediately
> > after reading that heartbleed news, as all these servers had the vulnerable
> > openssl port installed!
> >
> > Until googling I found this:
> >
> > https://forums.freebsd.org/viewtopic.php?&t=29644
> >
> > It said "The user accounts are actually stored in a database. It's
> > possible it got out of sync with your [file]/etc/passwd[/file] file.", and
> > it suggested running "vipw" to fix it.
> >
> > I ran vipw, then saved, and quit.  No joy.  Then ran vipw again, made a
> > change, then undid the change, saved again.  Now "finger postfix" found the
> > user, and I can change user passwords now, and all the above problems
> > disappeared.
> >
> > Am I right that I am NOT hacked?  Is the above problem produced by
> > the freebsd-update process?  Is this supposed to happen?  I just followed
> > the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled
> > the kernel or tweaked anything.
> >
> > Thank you!  Joe
>
> --
>
> As implied by email protocols, the information in this message is
> not confidential.  Any middle-man or recipient may inspect, modify,
> copy, forward, reply to, delete, or filter email for any purpose unless
> said parties are otherwise obligated.  As the sender, I acknowledge that
> I have a lower expectation of the control and privacy of this message
> than I would a post-card.  Further, nothing in this message is
> legally binding without cryptographic evidence of its integrity.
>
> http://bilbo.hobbiton.org/wiki/Eat_My_Sig
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
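The authorized_keys review Leif recommends before copying home directories off a suspect disk, written up here as an added example that is not code from the thread or from FreeBSD: a POSIX shell script that walks /root and /home/* under a mount point, pulls the key type and key blob out of every authorized_keys line (skipping comments and any leading options such as from= or command=), and reports each key that is not on an allowlist of keys you have positively identified. The mount point, the allowlist file, the sample home directories and the key blobs are all constructed for the example, not real keys or real paths.

```shell
#!/bin/sh
# Added example, not from the thread: list every authorized_keys entry under a
# mounted (suspect) filesystem whose key is not on an allowlist.
# Assumes the suspect disk is mounted read-only under some directory $MNT
# (hypothetical) and that the allowlist holds one "keytype blob" per line.

# Print "keytype blob" for each key line in an authorized_keys file.
# Comments and blank lines are skipped; leading options such as
# from="..." or command="..." are skipped by locating the key-type token.
extract_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i, $(i + 1)
                    break
                }
            }
        }' "$1"
}

# audit_authorized_keys MNT ALLOWLIST
# Prints "UNKNOWN <home dir> <keytype> <blob>" for each key not on the
# allowlist; prints nothing when every key is accounted for.
audit_authorized_keys() {
    mnt="$1"; allow="$2"
    for akf in "$mnt"/root/.ssh/authorized_keys "$mnt"/home/*/.ssh/authorized_keys; do
        [ -f "$akf" ] || continue
        home="${akf%/.ssh/authorized_keys}"
        extract_keys "$akf" | while read -r ktype blob; do
            grep -qxF "$ktype $blob" "$allow" || echo "UNKNOWN ${home#"$mnt"} $ktype $blob"
        done
    done
}

# Constructed sample tree (fake blobs, not real keys) so the audit can be
# exercised offline: alice has one approved key and one unexplained entry
# hidden behind a from= option, root has only an approved key, bob has none.
make_sample_tree() {
    mnt="$1"
    mkdir -p "$mnt/root/.ssh" "$mnt/home/alice/.ssh" "$mnt/home/bob/.ssh"
    printf '%s\n' 'ssh-ed25519 AAAAconstructedRootKey root@workstation' \
        > "$mnt/root/.ssh/authorized_keys"
    printf '%s\n' "# alice's laptop" \
        'ssh-rsa AAAAconstructedAliceKey alice@laptop' \
        'from="203.0.113.5",no-pty ssh-ed25519 AAAAconstructedPlantedKey' \
        > "$mnt/home/alice/.ssh/authorized_keys"
    : > "$mnt/home/bob/.ssh/authorized_keys"
    printf '%s\n' 'ssh-ed25519 AAAAconstructedRootKey' \
        'ssh-rsa AAAAconstructedAliceKey' > "$mnt/allowlist"
}

MNT=$(mktemp -d)
make_sample_tree "$MNT"
audit_authorized_keys "$MNT" "$MNT/allowlist"
rm -rf "$MNT"
```

On a real restore you would point audit_authorized_keys at the read-only mount of the old disk and at an allowlist built from the public keys you can vouch for; any UNKNOWN line is a key to remove (and investigate) before the home directory is copied to the fresh install.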



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BAY180-W6170BEC00A4018BBB261EFC4450>
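The out-of-sync condition Joe describes (accounts present in /etc/passwd yet unknown to finger, passwd and the mail server) comes from the pwd.db/spwd.db databases that pwd_mkdb builds from /etc/master.passwd no longer matching the file. As an added example that is not code from the thread or from FreeBSD, the following POSIX shell script compares the file view with the database view (on FreeBSD, what "getent passwd" prints, saved to a file) on name, uid and gid and reports accounts missing from the database or stale in it. The sample master.passwd and getent output are constructed; the only real remedy referenced is the "pwd_mkdb -p /etc/master.passwd" command from Leif's reply.

```shell
#!/bin/sh
# Added example, not from the thread: report drift between master.passwd
# (the file administrators edit) and the password database that the C
# library actually consults. Assumes FreeBSD's file layout:
#   master.passwd: name:pw:uid:gid:class:change:expire:gecos:home:shell
#   getent passwd: name:pw:uid:gid:gecos:home:shell
# Both formats carry name, uid and gid in fields 1, 3 and 4.
export LC_ALL=C

# Normalise either format to sorted "name:uid:gid" lines, dropping comments.
passwd_keys() {
    awk -F: '/^#/ || NF == 0 { next } { print $1 ":" $3 ":" $4 }' "$1" | sort
}

# passwd_db_drift MASTER DBDUMP
#   MASTER - /etc/master.passwd (or a copy of it)
#   DBDUMP - the output of "getent passwd" saved to a file
# Prints "MISSING_FROM_DB name:uid:gid" for accounts only in the file and
# "STALE_IN_DB name:uid:gid" for accounts only in the database.
passwd_db_drift() {
    m=$(mktemp); d=$(mktemp)
    passwd_keys "$1" > "$m"
    passwd_keys "$2" > "$d"
    comm -23 "$m" "$d" | sed 's/^/MISSING_FROM_DB /'
    comm -13 "$m" "$d" | sed 's/^/STALE_IN_DB /'
    rm -f "$m" "$d"
}

# Constructed sample: the file has postfix and a freshly added test user,
# but the database still reflects an older state (no postfix, no test, and
# an account that has since been removed from the file).
make_sample_files() {
    dir="$1"
    printf '%s\n' '# constructed master.passwd' \
        'root:*:0:0::0:0:Charlie &:/root:/bin/csh' \
        'postfix:*:125:125::0:0:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin' \
        'test:*:1001:1001::0:0:Test User:/home/test:/bin/sh' \
        > "$dir/master.passwd"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'olduser:*:1002:1002:Removed User:/home/olduser:/bin/sh' \
        > "$dir/getent.out"
}

D=$(mktemp -d)
make_sample_files "$D"
passwd_db_drift "$D/master.passwd" "$D/getent.out"
rm -rf "$D"
# On FreeBSD, any MISSING_FROM_DB or STALE_IN_DB line means the databases
# need regenerating from the file: pwd_mkdb -p /etc/master.passwd
```

Run on a live FreeBSD host as root with `getent passwd > /tmp/getent.out` followed by `passwd_db_drift /etc/master.passwd /tmp/getent.out`; an empty result means the file and the databases agree, which is the state vipw or pwd_mkdb restores.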