I was slow to patch my multiple vms after that heartbleed disclosure. I just managed to upgrade these systems to 9.2, and installed the patched openssl, then started changing passwords for root and other shell users. However I realized that, only the root password was changed. For other users, even though the "passwd userid" issued no warning, and "echo $?" is 0, the password is NOT changed. For more debugging, I tried to "adduser", the command was successful, and I can see the new entry "test" in /etc/passwd. However "finger test" complains no such user! Also, "rm test" complains there is no such user to delete as well. Furthermore, the mail server got problem sending email, the log file said there is no such user "postfix", and sure enough: # finger postfix finger: postfix: no such user while this "postfix" user certainly existed for years, and I can see see its entry in /etc/passwd. This appeared to all the multiple vms on multiple hosts, all running FreeBSD 9.2 now. I was paranoid, I really should have patched all these systems immediately reading that heartbleed news, as all these servers had the vulnerable openssl port installed! Until googling and I found this: https://forums.freebsd.org/viewtopic.php?&t=29644 it said "The user accounts are actually stored in a database. It's possible it got out of sync with your [file]/etc/passwd[/file] file.", and it suggested running "vipw" to fix it. I ran vipw, then saved, and quit. No joy. Then ran vipw again, made a change, then undid the change, save again. Now "finger postfix" found the user, and I can change user password now, and all the above problem disappeared. Am I right that, that I am NOT hacked? Is the above problem produced by the freebsd-update process? Is this supposed to happen? I just followed the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled kernel or tweak. Thank you! Joe
Excuse me but there is nothing about the information you have provided that could or would suggest that you have or have not been hacked. There is not a way from the very little information that you have provided to diagnose that and doesn't seem that you have covered all the avenues possible to even detect an unwanted change in your systems. For the least part yes FreeBSD does store the passwd info in a database. You could have skipped running vipw(8) and just run pw_mkdb /etc/master.passwd to resolve that problem. Its common knowledge. To solve the hacked or not hacked problem you should take the steps to create a new clean system and migrate your data but j doubt this list is a justified medium to discuss all the possible avenues that you would have to cover on a possibly compromised system. Clean fresh system and start from there. Good luck -- Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN> On Apr 26, 2014, at 5:55, Joe Parsons <jp4314 at outlook.com> wrote: > > I was slow to patch my multiple vms after that heartbleed disclosure. I just managed to upgrade these systems to 9.2, and installed the patched openssl, then started changing passwords for root and other shell users. However I realized that, only the root password was changed. For other users, even though the "passwd userid" issued no warning, and "echo $?" is 0, the password is NOT changed. > > For more debugging, I tried to "adduser", the command was successful, and I can see the new entry "test" in /etc/passwd. However "finger test" complains no such user! Also, "rm test" complains there is no such user to delete as well. > > Furthermore, the mail server got problem sending email, the log file said there is no such user "postfix", and sure enough: > > # finger postfix > finger: postfix: no such user > > while this "postfix" user certainly existed for years, and I can see see its entry in /etc/passwd. > > This appeared to all the multiple vms on multiple hosts, all running FreeBSD 9.2 now. > > I was paranoid, I really should have patched all these systems immediately reading that heartbleed news, as all these servers had the vulnerable openssl port installed! > > Until googling and I found this: > > https://forums.freebsd.org/viewtopic.php?&t=29644 > > it said "The user accounts are actually stored in a database. It's possible it got out of sync with your [file]/etc/passwd[/file] file.", and it suggested running "vipw" to fix it. > > I ran vipw, then saved, and quit. No joy. Then ran vipw again, made a change, then undid the change, save again. Now "finger postfix" found the user, and I can change user password now, and all the above problem disappeared. > > Am I right that, that I am NOT hacked? Is the above problem produced by the freebsd-update process? Is this supposed to happen? I just followed the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled kernel or tweak. > > Thank you! Joe > > _______________________________________________ > freebsd-security at freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 6118 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140426/eea9dc27/attachment-0001.bin>
On 26 Apr 2014, at 11:55, Joe Parsons <jp4314 at outlook.com> wrote:> I was slow to patch my multiple vms after that heartbleed disclosure. I just managed to upgrade these systems to 9.2, and installed the patched openssl,FreeBSD 9.x was never vulnerable to Heartbleed, as you can read in the security advisory (FreeBSD-SA-14:06.openssl). This is because it still has OpenSSL 0.9.8, and the feature that contains the Heartbleed problem was only implemented after OpenSSL 1.0. That said, the advisory also contained another OpenSSL security problem, CVE-2014-0076, but that was apparently found less earth-shattering than Heartbleed. So it is still a good idea to patch up your server(s) and check for irregularities. -Dimitry -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 203 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140426/7288f046/attachment.sig>
Joe Parsons <jp4314 at outlook.com> writes:> I was slow to patch my multiple vms after that heartbleed disclosure. > I just managed to upgrade these systems to 9.2, and installed the > patched openssl, then started changing passwords for root and other > shell users. [...]If you were running 9.2 or older and had not installed OpenSSL from ports, you were never vulnerable. In any case, heartbleed does *not* facilitate remote code execution or code injection, only information retrieval, so unless your passwords were stored in cleartext (or a weakly hashed form) in the memory of an Internet-facing SSL-enabled service (such as https, smtp with STARTTLS or imaps, but not ssh), you cannot have been "hacked" as a consequence of heartbleed. Your passwd etc issues are consistent with out-of-sync {,s}pwd.mkdb which can result from a botched mergemaster. DES -- Dag-Erling Sm?rgrav - des at des.no
Joe, Just thinking about this practically, I don't think you were compromised. It seems more like you goofed the upgrade in the same way on each VM. Also, if I were attacking, I wouldn't leave such overt traces that one would immediately notice. And if the attacker were goofing up that badly, he'd likely not do it the same way on every VM. Not that assuming anything about an attacker's intelligence guarantees anything, but it does seem like an odd thing to do. Not to mention other's comments about pre-10 not being vulnerable, and local compromise requiring that your password or SSH key was read by a process serving SSL sockets. If you decide it's likely your system was compromised while it was vulnerable, shutting off the system is a priority to stop ongoing damages. Then you have to mount its disks in a clean system so that whatever bad stuff (bots, backdoors, etc) the attacker added don't just start again at reboot, and to be sure the attacker doesn't merely add backdoors back while you take them away. It's hard to be sure you fixed every single file that was touched ...executables, dynamic libs, configs, and much more contain subtle ways to leave a back door, and one could even patch the kernel to hide a malicious process in memory. Starting from a fresh install and copying your data over is really the quickest and safest approach. Since "restore your data" usually means home directories, be sure to check everyone's .ssh/authorized_keys for unwanted entries before copying. Try "man pwd_mkdb" for info on the password database; especially look under the "FILES" heading. It's a good subsystem to know more about anyway, and not complicated. It is perhaps easier to remember that using vipw to add a blank line will sync everything than to remember the cryptic "pwd_mkdb -p /etc/master.passwd" command though. Actually having a machine compromised is no fun; I've been there. I do hope that's not the case for you. - Leif On Sat, Apr 26, 2014 at 4:55 AM, Joe Parsons <jp4314 at outlook.com> wrote:> I was slow to patch my multiple vms after that heartbleed disclosure. I > just managed to upgrade these systems to 9.2, and installed the patched > openssl, then started changing passwords for root and other shell users. > However I realized that, only the root password was changed. For other > users, even though the "passwd userid" issued no warning, and "echo $?" is > 0, the password is NOT changed. > > For more debugging, I tried to "adduser", the command was successful, and > I can see the new entry "test" in /etc/passwd. However "finger test" > complains no such user! Also, "rm test" complains there is no such user to > delete as well. > > Furthermore, the mail server got problem sending email, the log file said > there is no such user "postfix", and sure enough: > > # finger postfix > finger: postfix: no such user > > while this "postfix" user certainly existed for years, and I can see see > its entry in /etc/passwd. > > This appeared to all the multiple vms on multiple hosts, all running > FreeBSD 9.2 now. > > I was paranoid, I really should have patched all these systems immediately > reading that heartbleed news, as all these servers had the vulnerable > openssl port installed! > > Until googling and I found this: > > https://forums.freebsd.org/viewtopic.php?&t=29644 > > it said "The user accounts are actually stored in a database. It's > possible it got out of sync with your [file]/etc/passwd[/file] file.", and > it suggested running "vipw" to fix it. > > I ran vipw, then saved, and quit. No joy. Then ran vipw again, made a > change, then undid the change, save again. Now "finger postfix" found the > user, and I can change user password now, and all the above problem > disappeared. > > Am I right that, that I am NOT hacked? Is the above problem produced by > the freebsd-update process? Is this supposed to happen? I just followed > the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled > kernel or tweak. > > Thank you! Joe > > _______________________________________________ > freebsd-security at freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org > " >-- As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. http://bilbo.hobbiton.org/wiki/Eat_My_Sig