The following is my most recent email message to someone who was
helping me with a very odd uname issue. I hope that this reporting of the
"final" events (oh-god-pleaselet-this-be-done-and-over-with) helps
someone
else some day. The offer that I make at the end of my message is genuine.
If a FreeBSD expert (Greg? *nudge*) wants the /boot files, they can have
them.
Jaime
---------- Forwarded message ----------
Date: Mon, 29 Dec 2003 15:05:07 -0500 (EST)
From: jaime@snowmoon.com
To: T Kellers <kellers@njit.edu>
Subject: Re: compiled kernel file
After lots of various ideas, including kernels compiled on
different boxes (e.g. the one that you sent) nothing seemed to work.
Then, I noticed that not everything in / was being listed when I typed
"ls" at the boot manager.
This is when I started getting creative. I used sysinstall's disk
slice editor to put a new MBR onto the drive and removed /boot. The next
attempt to boot refused to mount any of my SCSI drives and it showed a few
files in / that were different than they should be. For example, /proc
was missing, /homes (an older attempt to make home directories exist on
/homes/students and /homes/staff left this directory behind) was back --
even though I thought that I removed it -- and /home was gone, and the
most recent etc-*.tar.gz backup of /etc (which I made before the 12/23/03
cvsup) was missing.
It was as if I suddenly took a trip backwards in time for this
partition by at least a few months. My best guess is that someone had
hidden the real / partition and put their own partition (or disk image?)
in its place, using a compromised boot loader. This would explain why
using "ls" at the boot loader produced a different list of files than
"ls"
at the single-user shell showed. It also explains why new kernels
wouldn't load, making uname give "bad" results on a
"new" kernel. It was
reporting data about the kernel that the cracker had given it!
I again removed /boot, /usr/src, and /usr/obj, just in case these
were violated, too. I did a new cvsup, make buildworld, make buildkernel,
make installkernel, and rebooted into single user mode. The / partition
was the way I had left it, not the way it was when the symptoms were
noticed. So I kept going and did a make installworld and a mergemaster
and then rebooted again.
Everything seems to be working well now. uname now says:
zeus:jkikpole>uname -a
FreeBSD zeus.cairodurham.org 4.9-STABLE FreeBSD 4.9-STABLE #0: Mon Dec 29
13:46:57 EST 2003 root@:/usr/obj/usr/src/sys/ZEUS i386
I have changed my root password a few weeks ago. I just removed
the toor password (in vipw, I replaced the cypher with a "*"). My
next
step is to change the password of any account in the wheel group.
I honestly think that someone had broken into this box and made
some really creative cracks. I'm not sure about back doors at this point.
Using chkrootkit doesn't show anything out of place. (An occasional
"possible" LKM trojan report, but its not consistent and various
people
claim that apache can cause false positives on that test.)
If ANY of the above rings some bells for you, please let me know.
Any advice on securing this box would be appreciated, too.
Unfortunately, formatting the drive and reinstalling the OS is not an
option at this time. :( Feel free to pass this report along to FreeBSD
report along to any FreeBSD power-user that can make the OS better by
reading this. I'd be happy to provide assorted files off the system
(including any of the "/boot"s that I still have) if they will help.