From: Joe Parsons
To: freebsd-security@freebsd.org
Subject: RE: am I NOT hacked?
Date: Sat, 26 Apr 2014 14:05:29 -0400

Ok, thanks a lot for all your kind help. I learned the pwd_mkdb manpage and the databases as you suggested.

To clarify, I understand the 9.1 kernel contains the non-vulnerable version of the openssl library, hence mere apache/https is not vulnerable. However the vulnerable openssl port is installed for the mail software to provide imaps/pops/smtps services, so they are vulnerable.

The following reply is what I'm confused about:

> In any case, heartbleed does *not* facilitate remote code execution or
> code injection, only information retrieval, so unless your passwords
> were stored in cleartext (or a weakly hashed form) in the memory of an
> Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
> or imaps, but not ssh), you cannot have been "hacked" as a consequence
> of heartbleed.

I ssh into the system, and I /usr/bin/su to become root. Do my shell passwords show up in clear text in memory briefly, so the attacker could happen to harvest them? In other words, on a system with the vulnerable openssl port, do we need to change the shell passwords for root and other users, if these passwords are ONLY used in ssh and /usr/bin/su?

I googled and found few results; almost all are focused on changing user mail passwords and server certificates. I only found this page, which said they changed the server root password:
http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/

Thanks,
Joe

> From: bilbo@hobbiton.org
> Date: Sat, 26 Apr 2014 12:02:05 -0500
> Subject: Re: am I NOT hacked?
> To: jp4314@outlook.com
> CC: freebsd-security@freebsd.org
>
> Joe,
>
> Just thinking about this practically, I don't think you were compromised.
> It seems more like you goofed the upgrade in the same way on each VM. Also,
> if I were attacking, I wouldn't leave such overt traces that one would
> immediately notice. And if the attacker were goofing up that badly, he'd
> likely not do it the same way on every VM. Not that assuming anything about
> an attacker's intelligence guarantees anything, but it does seem like an
> odd thing to do. Not to mention others' comments about pre-10 not being
> vulnerable, and local compromise requiring that your password or SSH key
> was read by a process serving SSL sockets.
>
> If you decide it's likely your system was compromised while it was
> vulnerable, shutting off the system is a priority to stop ongoing damages.
> Then you have to mount its disks in a clean system so that whatever bad
> stuff (bots, backdoors, etc) the attacker added doesn't just start again at
> reboot, and to be sure the attacker doesn't merely add backdoors back while
> you take them away. It's hard to be sure you fixed every single file that
> was touched ...executables, dynamic libs, configs, and much more contain
> subtle ways to leave a back door, and one could even patch the kernel to
> hide a malicious process in memory. Starting from a fresh install and
> copying your data over is really the quickest and safest approach. Since
> "restore your data" usually means home directories, be sure to check
> everyone's .ssh/authorized_keys for unwanted entries before copying.
>
> Try "man pwd_mkdb" for info on the password database; especially look under
> the "FILES" heading. It's a good subsystem to know more about anyway, and
> not complicated. It is perhaps easier to remember that using vipw to add a
> blank line will sync everything than to remember the cryptic "pwd_mkdb -p
> /etc/master.passwd" command though.
>
> Actually having a machine compromised is no fun; I've been there. I do hope
> that's not the case for you.
>
> - Leif
>
>
> On Sat, Apr 26, 2014 at 4:55 AM, Joe Parsons wrote:
>
> > I was slow to patch my multiple VMs after that heartbleed disclosure. I
> > just managed to upgrade these systems to 9.2, and installed the patched
> > openssl, then started changing passwords for root and other shell users.
> > However I realized that only the root password was changed. For other
> > users, even though "passwd userid" issued no warning, and "echo $?" is
> > 0, the password is NOT changed.
> >
> > For more debugging, I tried "adduser"; the command was successful, and
> > I can see the new entry "test" in /etc/passwd. However "finger test"
> > complains no such user! Also, "rm test" complains there is no such user to
> > delete as well.
> >
> > Furthermore, the mail server had a problem sending email; the log file said
> > there is no such user "postfix", and sure enough:
> >
> > # finger postfix
> > finger: postfix: no such user
> >
> > while this "postfix" user certainly existed for years, and I can see
> > its entry in /etc/passwd.
> >
> > This appeared on all the multiple VMs on multiple hosts, all running
> > FreeBSD 9.2 now.
> >
> > I was paranoid; I really should have patched all these systems immediately
> > after reading that heartbleed news, as all these servers had the vulnerable
> > openssl port installed!
> >
> > Then I googled and found this:
> >
> > https://forums.freebsd.org/viewtopic.php?&t=29644
> >
> > It said "The user accounts are actually stored in a database. It's
> > possible it got out of sync with your [file]/etc/passwd[/file] file.", and
> > it suggested running "vipw" to fix it.
> >
> > I ran vipw, then saved, and quit. No joy. Then I ran vipw again, made a
> > change, then undid the change, and saved again. Now "finger postfix" found the
> > user, and I can change user passwords now, and all the above problems
> > disappeared.
> >
> > Am I right that I am NOT hacked? Is the above problem produced by
> > the freebsd-update process? Is this supposed to happen? I just followed
> > the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled
> > the kernel or tweaked anything.
> >
> > Thank you!
> > Joe

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
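A check for the out-of-sync password database behind Joe's "finger: postfix: no such user" symptom and Leif's pwd_mkdb(8) FILES pointer, written here as an added example (not code from the thread). It assumes `getent passwd` is the way to read the compiled database view, and it runs against constructed sample files:

```sh
#!/bin/sh
# Added example, not code from the thread. Reproduces the symptom Joe hit:
# a login exists in the text file but not in the compiled database that
# getpwnam(3) actually consults (/etc/pwd.db and /etc/spwd.db on FreeBSD,
# built by pwd_mkdb(8); see its FILES section), so finger/passwd say
# "no such user". Assumed usage on a live FreeBSD host:
#   getent passwd > /tmp/dbview && passwd_db_missing /etc/passwd /tmp/dbview
#
# passwd_db_missing PASSWD_FILE DB_LISTING
#   PASSWD_FILE  text passwd(5) file, e.g. /etc/passwd
#   DB_LISTING   file holding the database view (output of `getent passwd`)
# Prints each login present only in PASSWD_FILE; returns 1 if any, else 0.
passwd_db_missing() {
    pwfile=$1
    dblist=$2
    rc=0
    # Login is the first colon-separated field; skip comments and blank lines.
    for user in $(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' \
                      -e 's/:.*//' "$pwfile"); do
        if ! cut -d: -f1 "$dblist" | grep -qxF -- "$user"; then
            echo "$user"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the text file gained "postfix" and "test" after the
# database was last rebuilt, so the database view still only knows root.
write_sample_files() {
    cat >"$1/passwd" <<'EOF'
# $FreeBSD$
root:*:0:0:Charlie &:/root:/bin/csh
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
test:*:1001:1001:test user:/home/test:/bin/sh
EOF
    cat >"$1/dbview" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
EOF
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp -d) && write_sample_files "$tmp"
if passwd_db_missing "$tmp/passwd" "$tmp/dbview"; then
    echo "text file and database agree"
else
    echo "logins above are missing from the database: run vipw (or pwd_mkdb -p /etc/master.passwd) to rebuild it"
fi
rm -rf "$tmp"
```

On the sample it lists postfix and test and exits 1; after vipw or pwd_mkdb rebuilds the database the same check returns 0 with no output.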