freebsd stable - Dec 2003 - uname weirdness after kernel/OS update

I was previously running 4.9-PRERELEASE.  I used cvsup to download
new source code and compile the OS, as I've done many times over the years
that I've used FreeBSD.  Now, uname -a will show me 4.9-PRERELEASE and Aug
26, 2003 instead of 4.9-RELEASE or 4.9-STABLE and any of the December
dates that I've attempted to compile a new kernel.

	I've tried mv /usr/src /usr/src.old and a new cvsup.  I've tried
rm -rf /usr/obj/* (after the chflags command) and that didn't help. 
I've
even tried using /stand/sysinstall to install a new bin and crypto binary
set, then recompile the kernel.  Still no luck.

	Does anyone have any idea what is going on?

							Thanks in advance,
							Jaime

On Fri, 2003-12-26 at 12:05, jaime@snowmoon.com wrote:
> 	I was previously running 4.9-PRERELEASE.  I used cvsup to download
> new source code and compile the OS, as I've done many times over the
years
> that I've used FreeBSD.  Now, uname -a will show me 4.9-PRERELEASE and
Aug
> 26, 2003 instead of 4.9-RELEASE or 4.9-STABLE and any of the December
> dates that I've attempted to compile a new kernel.
At a guess, you put stuff in your supfile to hold the "src-all"
collection at the August version, possibly due to the instability from
the PAE changes that hit in August and were patched around then.  Check
your supfile.

-- 
brandon s. allbery    [linux,solaris,freebsd,perl]     allbery@kf8nh.com
system administrator      [WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH

On Fri, 2003-12-26 at 12:21, jaime@snowmoon.com wrote:
> On Fri, 26 Dec 2003, Brandon S. Allbery KF8NH wrote:
> > Okay, so it was a bad guess.  :)  It would have been a date=... entry
on
> > the src-all line, IIRC.  There was some discussion of it on -stable
back
> > when the PAE bugs surfaced.
> 
> 	Are you refering to the bugs inbetween August 2 and 29?  These are
> the ones that caused me to try to update the OS in the first place.  :)
Yes, those bugs.  :)

-- 
brandon s. allbery    [linux,solaris,freebsd,perl]     allbery@kf8nh.com
system administrator      [WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH

The following is my most recent email message to someone who was
helping me with a very odd uname issue.  I hope that this reporting of the
"final" events (oh-god-pleaselet-this-be-done-and-over-with) helps
someone
else some day.  The offer that I make at the end of my message is genuine.
If a FreeBSD expert (Greg?  *nudge*) wants the /boot files, they can have
them.

							Jaime

---------- Forwarded message ----------
Date: Mon, 29 Dec 2003 15:05:07 -0500 (EST)
From: jaime@snowmoon.com
To: T Kellers <kellers@njit.edu>
Subject: Re: compiled kernel file

	After lots of various ideas, including kernels compiled on
different boxes (e.g. the one that you sent) nothing seemed to work.
Then, I noticed that not everything in / was being listed when I typed
"ls" at the boot manager.

	This is when I started getting creative.  I used sysinstall's disk
slice editor to put a new MBR onto the drive and removed /boot.  The next
attempt to boot refused to mount any of my SCSI drives and it showed a few
files in / that were different than they should be.  For example, /proc
was missing, /homes (an older attempt to make home directories exist on
/homes/students and /homes/staff left this directory behind) was back --
even though I thought that I removed it -- and /home was gone, and the
most recent etc-*.tar.gz backup of /etc (which I made before the 12/23/03
cvsup) was missing.

	It was as if I suddenly took a trip backwards in time for this
partition by at least a few months.  My best guess is that someone had
hidden the real / partition and put their own partition (or disk image?)
in its place, using a compromised boot loader.  This would explain why
using "ls" at the boot loader produced a different list of files than
"ls"
at the single-user shell showed.  It also explains why new kernels
wouldn't load, making uname give "bad" results on a
"new" kernel.  It was
reporting data about the kernel that the cracker had given it!

	I again removed /boot, /usr/src, and /usr/obj, just in case these
were violated, too.  I did a new cvsup, make buildworld, make buildkernel,
make installkernel, and rebooted into single user mode.  The / partition
was the way I had left it, not the way it was when the symptoms were
noticed.  So I kept going and did a make installworld and a mergemaster
and then rebooted again.

	Everything seems to be working well now.  uname now says:

zeus:jkikpole>uname -a
FreeBSD zeus.cairodurham.org 4.9-STABLE FreeBSD 4.9-STABLE #0: Mon Dec 29
13:46:57 EST 2003     root@:/usr/obj/usr/src/sys/ZEUS  i386

	I have changed my root password a few weeks ago.  I just removed
the toor password (in vipw, I replaced the cypher with a "*").  My
next
step is to change the password of any account in the wheel group.

	I honestly think that someone had broken into this box and made
some really creative cracks.  I'm not sure about back doors at this point.
Using chkrootkit doesn't show anything out of place.  (An occasional
"possible" LKM trojan report, but its not consistent and various
people
claim that apache can cause false positives on that test.)

	If ANY of the above rings some bells for you, please let me know.
Any advice on securing this box would be appreciated, too.
Unfortunately, formatting the drive and reinstalling the OS is not an
option at this time.  :(  Feel free to pass this report along to FreeBSD
report along to any FreeBSD power-user that can make the OS better by
reading this.  I'd be happy to provide assorted files off the system
(including any of the "/boot"s that I still have) if they will help.