From owner-freebsd-questions@FreeBSD.ORG Mon Dec 29 12:09:37 2003
Date: Mon, 29 Dec 2003 15:09:17 -0500 (EST)
From: Jaime
To: freebsd-questions@freebsd.org
Message-ID: <20031229150646.R5733@malkav.snowmoon.com>
Subject: Re: uname weirdness after kernel/OS update

The following is my most recent email message to someone who was helping me with a very odd uname issue. I hope that this reporting of the "final" events (oh-god-please-let-this-be-done-and-over-with) helps someone else some day.

The offer that I make at the end of my message is genuine. If a FreeBSD expert (Greg? *nudge*) wants the /boot files, they can have them.

Jaime

---------- Forwarded message ----------
Date: Mon, 29 Dec 2003 15:05:07 -0500 (EST)
From: jaime@snowmoon.com
To: T Kellers
Subject: Re: compiled kernel file

After lots of various ideas, including kernels compiled on different boxes (e.g. the one that you sent), nothing seemed to work. Then I noticed that not everything in / was being listed when I typed "ls" at the boot manager.
This is when I started getting creative. I used sysinstall's disk slice editor to put a new MBR onto the drive and removed /boot. The next attempt to boot refused to mount any of my SCSI drives, and it showed a few files in / that were different than they should be. For example, /proc was missing, /homes (an older attempt to make home directories exist on /homes/students and /homes/staff left this directory behind) was back -- even though I thought that I removed it -- /home was gone, and the most recent etc-*.tar.gz backup of /etc (which I made before the 12/23/03 cvsup) was missing. It was as if I suddenly took a trip backwards in time for this partition by at least a few months.

My best guess is that someone had hidden the real / partition and put their own partition (or disk image?) in its place, using a compromised boot loader. This would explain why using "ls" at the boot loader produced a different list of files than "ls" at the single-user shell showed. It also explains why new kernels wouldn't load, making uname give "bad" results on a "new" kernel. It was reporting data about the kernel that the cracker had given it!

I again removed /boot, /usr/src, and /usr/obj, just in case these were violated, too. I did a new cvsup, make buildworld, make buildkernel, make installkernel, and rebooted into single user mode. The / partition was the way I had left it, not the way it was when the symptoms were noticed. So I kept going and did a make installworld and a mergemaster and then rebooted again. Everything seems to be working well now. uname now says:

zeus:jkikpole>uname -a
FreeBSD zeus.cairodurham.org 4.9-STABLE FreeBSD 4.9-STABLE #0: Mon Dec 29 13:46:57 EST 2003     root@:/usr/obj/usr/src/sys/ZEUS  i386

I changed my root password a few weeks ago. I just removed the toor password (in vipw, I replaced the cypher with a "*"). My next step is to change the password of any account in the wheel group.
I honestly think that someone had broken into this box and made some really creative cracks. I'm not sure about back doors at this point. Using chkrootkit doesn't show anything out of place. (An occasional "possible" LKM trojan report, but it's not consistent and various people claim that apache can cause false positives on that test.)

If ANY of the above rings some bells for you, please let me know. Any advice on securing this box would be appreciated, too. Unfortunately, formatting the drive and reinstalling the OS is not an option at this time. :(

Feel free to pass this report along to any FreeBSD power-user that can make the OS better by reading this. I'd be happy to provide assorted files off the system (including any of the "/boot"s that I still have) if they will help.
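Two checks that follow from the report above, written here as an added example (not part of the original mail, and not a FreeBSD tool): the first compares the version string the running kernel reports with the one embedded in the kernel file on disk, which is exactly the mismatch the uname output exposed; the second lists wheel-group accounts whose password field is not locked, the audit the mail says is the next step after locking toor. The kernel paths (/kernel on 4.x, /boot/kernel/kernel on later releases) and the use of sysctl kern.version for the running build string are assumptions about the system layout, and the master.passwd and group lines in the usage part are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD itself.
# Assumption: FreeBSD 4.x keeps the kernel at /kernel, later releases at
# /boot/kernel/kernel, and 'sysctl -n kern.version' prints the build string
# that uname -v also shows.

# Print every printable run of at least 8 bytes in a binary, like strings(1),
# using only tr and grep so it works on a minimal or suspect system.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{8,}'
}

# Return 0 if the kernel file on disk embeds the running kernel's version
# string, 1 if not, 2 if the file cannot be read.
# $1 = running version string (first line of kern.version), $2 = kernel file
kernel_matches_file() {
    running=$1
    kfile=$2
    [ -r "$kfile" ] || return 2
    extract_strings "$kfile" | grep -F -q -- "$running"
}

# Locate the kernel file for either layout (assumed paths, see above).
kernel_path() {
    for p in /kernel /boot/kernel/kernel; do
        [ -f "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Print accounts that are in wheel (primary gid 0 or listed in group(5))
# whose password field is neither "*" nor "*LOCKED*...", one per line.
# master.passwd fields: name:hash:uid:gid:class:change:expire:gecos:home:shell
# $1 = master.passwd path, $2 = group path
unlocked_wheel_accounts() {
    awk -F: '
        FNR == NR {                       # first file: group(5)
            if ($1 == "wheel") {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) wheel[m[i]] = 1
            }
            next
        }
        /^#/ || NF < 4 { next }           # second file: master.passwd
        ($4 == 0 || ($1 in wheel)) && $2 != "*" && $2 !~ /^\*LOCKED\*/ { print $1 }
    ' "$2" "$1"
}

# Stand-alone run: only act when this looks like a FreeBSD box.
if running=$(sysctl -n kern.version 2>/dev/null | head -n 1) && [ -n "$running" ] \
   && kfile=$(kernel_path); then
    if kernel_matches_file "$running" "$kfile"; then
        echo "kernel file $kfile matches running kernel: $running"
    else
        echo "WARNING: $kfile does not contain the running version string: $running"
    fi
    if [ -r /etc/master.passwd ]; then
        echo "wheel accounts with an unlocked password field:"
        unlocked_wheel_accounts /etc/master.passwd /etc/group
    fi
fi
```

On the box in the report, a kernel file that fails the first check is the signal to look at: the string uname prints comes from the kernel actually loaded, so a mismatch against every kernel file on disk means the loader took something other than what installkernel wrote. The second check deliberately treats an empty password field as unlocked, since such an account can log in with no password at all.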