Re: uname weirdness after kernel/OS update

From: Jaime (jaime_at_snowmoon.com)
Date: 12/29/03

Date: Mon, 29 Dec 2003 15:10:09 -0500 (EST)
To: freebsd-stable@freebsd.org


The following is my most recent email message to someone who was
helping me with a very odd uname issue. I hope that this reporting of the
"final" events (oh-god-please-let-this-be-done-and-over-with) helps someone
else some day. The offer that I make at the end of my message is genuine.
If a FreeBSD expert (Greg? *nudge*) wants the /boot files, they can have
them.

                                                        Jaime

---------- Forwarded message ----------
Date: Mon, 29 Dec 2003 15:05:07 -0500 (EST)
From: jaime@snowmoon.com
To: T Kellers <kellers@njit.edu>
Subject: Re: compiled kernel file

After lots of various ideas, including kernels compiled on
different boxes (e.g. the one that you sent), nothing seemed to work.
Then, I noticed that not everything in / was being listed when I typed
"ls" at the boot manager.

This is when I started getting creative. I used sysinstall's disk
slice editor to put a new MBR onto the drive and removed /boot. The next
attempt to boot refused to mount any of my SCSI drives and it showed a few
files in / that were different than they should be. For example, /proc
was missing, /homes (an older attempt to make home directories exist on
/homes/students and /homes/staff left this directory behind) was back --
even though I thought that I removed it -- and /home was gone, and the
most recent etc-*.tar.gz backup of /etc (which I made before the 12/23/03
cvsup) was missing.

It was as if I suddenly took a trip backwards in time for this
partition by at least a few months. My best guess is that someone had
hidden the real / partition and put their own partition (or disk image?)
in its place, using a compromised boot loader. This would explain why
using "ls" at the boot loader produced a different list of files than "ls"
at the single-user shell showed. It also explains why new kernels
wouldn't load, making uname give "bad" results on a "new" kernel. It was
reporting data about the kernel that the cracker had given it!

I again removed /boot, /usr/src, and /usr/obj, just in case these
were violated, too. I did a new cvsup, make buildworld, make buildkernel,
make installkernel, and rebooted into single user mode. The / partition
was the way I had left it, not the way it was when the symptoms were
noticed. So I kept going and did a make installworld and a mergemaster
and then rebooted again.

Everything seems to be working well now. uname now says:

    zeus:jkikpole>uname -a
    FreeBSD zeus.cairodurham.org 4.9-STABLE FreeBSD 4.9-STABLE #0: Mon Dec 29
    13:46:57 EST 2003 root@:/usr/obj/usr/src/sys/ZEUS i386

I changed my root password a few weeks ago. I just removed
the toor password (in vipw, I replaced the cipher with a "*"). My next
step is to change the password of any account in the wheel group.

I honestly think that someone had broken into this box and made
some really creative cracks. I'm not sure about back doors at this point.
Using chkrootkit doesn't show anything out of place. (An occasional
"possible" LKM trojan report, but it's not consistent and various people
claim that apache can cause false positives on that test.)

If ANY of the above rings some bells for you, please let me know.
Any advice on securing this box would be appreciated, too.
Unfortunately, formatting the drive and reinstalling the OS is not an
option at this time. :( Feel free to pass this report along to any
FreeBSD power-user that can make the OS better by reading this. I'd be
happy to provide assorted files off the system (including any of the
"/boot"s that I still have) if they will help.
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
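The symptom Jaime describes, the boot loader and the single-user shell disagreeing about what is in / and /boot, is the kind of thing a file-integrity baseline catches early. The script below is an added example and not part of the post or of FreeBSD: it records a SHA-256 digest, size and permission bits for every file under a directory such as /boot, saves that as a manifest, and later diffs the live tree against it to report added, removed and modified files. On FreeBSD the native tool for this job is mtree(8); this version uses only the Python standard library so it runs anywhere. The file names and contents in `demo()` (loader, loader.conf, kernel/kernel, kernel/kernel.old) are constructed sample data, not files taken from the author's system.

```python
"""Added example (not from the original post): baseline-and-verify a
directory such as /boot with SHA-256 digests, to spot a replaced loader
or kernel. Portable stand-in for FreeBSD's mtree(8)."""
import hashlib
import json
import stat
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so a large kernel is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Digest, size and permission bits of every regular file below root, keyed by relative path."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": sha256_of(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished, or changed (content, size or mode) since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    modified = sorted(p for p in base_paths & cur_paths if baseline[p] != current[p])
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": modified,
        "clean": not modified and base_paths == cur_paths,
    }


def demo() -> dict:
    """Constructed scenario (not real data): a pristine fake /boot, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "kernel").mkdir(parents=True)
        (boot / "loader").write_bytes(b"pristine loader image")            # constructed
        (boot / "loader.conf").write_text('kernel="GENERIC"\n')             # constructed
        (boot / "kernel" / "kernel").write_bytes(b"pristine kernel image")  # constructed
        # A real baseline would be taken from install media or right after a
        # fresh buildworld/installkernel, and stored off-box.
        baseline_file = Path(tmp) / "boot.manifest.json"
        baseline_file.write_text(json.dumps(build_manifest(boot), indent=1))
        # Simulated tampering: loader replaced, config removed, stray file added.
        (boot / "loader").write_bytes(b"replaced loader image")
        (boot / "loader.conf").unlink()
        (boot / "kernel" / "kernel.old").write_bytes(b"stray file")
        baseline = json.loads(baseline_file.read_text())
        return compare_manifests(baseline, build_manifest(boot))


if __name__ == "__main__":
    # Usage: boot_manifest.py baseline DIR OUT.json | verify DIR OUT.json | (no args) demo
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        Path(sys.argv[3]).write_text(json.dumps(build_manifest(Path(sys.argv[2])), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        report = compare_manifests(json.loads(Path(sys.argv[3]).read_text()),
                                   build_manifest(Path(sys.argv[2])))
        print(json.dumps(report, indent=1))
        sys.exit(0 if report["clean"] else 1)
    else:
        print(json.dumps(demo(), indent=1))
```

Two caveats that follow directly from the post: keep the manifest somewhere the host cannot rewrite it (removable media, another machine), since a baseline stored on a compromised box is only as trustworthy as the box; and run the verify pass from known-good boot media when a tampered loader is suspected, because a check that runs under the suspect kernel only sees the files that kernel chooses to show it, which is exactly the discrepancy between the loader's "ls" and the single-user shell's "ls" that Jaime observed.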

