From owner-freebsd-security@FreeBSD.ORG  Sat Apr 26 11:15:17 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id BB6599FC
 for <freebsd-security@freebsd.org>; Sat, 26 Apr 2014 11:15:17 +0000 (UTC)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id 7DEF910B1
 for <freebsd-security@freebsd.org>; Sat, 26 Apr 2014 11:15:17 +0000 (UTC)
Received: from nine.des.no (smtp.des.no [194.63.250.102])
 by smtp-int.des.no (Postfix) with ESMTP id 7AD046390;
 Sat, 26 Apr 2014 11:15:16 +0000 (UTC)
Received: by nine.des.no (Postfix, from userid 1001)
 id 03AE5316E5; Sat, 26 Apr 2014 13:15:18 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Joe Parsons <jp4314@outlook.com>
Subject: Re: am I NOT hacked?
References: <BAY180-W44C86C61CA8027AC418DD8C4450@phx.gbl>
Date: Sat, 26 Apr 2014 13:15:18 +0200
In-Reply-To: <BAY180-W44C86C61CA8027AC418DD8C4450@phx.gbl> (Joe Parsons's
 message of "Sat, 26 Apr 2014 05:55:28 -0400")
Message-ID: <86tx9gl4u1.fsf@nine.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 11:15:17 -0000

Joe Parsons <jp4314@outlook.com> writes:
> I was slow to patch my multiple vms after that heartbleed disclosure.
> I just managed to upgrade these systems to 9.2, and installed the
> patched openssl, then started changing passwords for root and other
> shell users.  [...]

If you were running 9.2 or older and had not installed OpenSSL from
ports, you were never vulnerable.

In any case, heartbleed does *not* facilitate remote code execution or
code injection, only information retrieval, so unless your passwords
were stored in cleartext (or a weakly hashed form) in the memory of an
Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
or imaps, but not ssh), you cannot have been "hacked" as a consequence
of heartbleed.

Your passwd etc issues are consistent with out-of-sync {,s}pwd.mkdb
which can result from a botched mergemaster.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no