am I NOT hacked?

Jason Hellenthal jhellenthal at dataix.net
Sat Apr 26 10:23:58 UTC 2014


Excuse me, but there is nothing about the information you have provided that could or would suggest that you have or have not been hacked. There is not a way, from the very little information that you have provided, to diagnose that, and it doesn't seem that you have covered all the avenues possible to even detect an unwanted change in your systems.

For the least part, yes, FreeBSD does store the passwd info in a database. You could have skipped running vipw(8) and just run pw_mkdb /etc/master.passwd to resolve that problem. It's common knowledge.

To solve the hacked or not hacked problem you should take the steps to create a new clean system and migrate your data, but I doubt this list is a justified medium to discuss all the possible avenues that you would have to cover on a possibly compromised system.

Clean fresh system and start from there.

Good luck 

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

> On Apr 26, 2014, at 5:55, Joe Parsons <jp4314 at outlook.com> wrote:
> 
> I was slow to patch my multiple VMs after that Heartbleed disclosure.  I just managed to upgrade these systems to 9.2, and installed the patched openssl, then started changing passwords for root and other shell users.  However, I realized that only the root password was changed.  For other users, even though "passwd userid" issued no warning, and "echo $?" is 0, the password is NOT changed.
> 
> For more debugging, I tried to "adduser", the command was successful, and I can see the new entry "test" in /etc/passwd. However "finger test" complains no such user!  Also, "rm test" complains there is no such user to delete as well.
> 
> Furthermore, the mail server had a problem sending email; the log file said there is no such user "postfix", and sure enough:
> 
> # finger postfix
> finger: postfix: no such user
> 
> while this "postfix" user certainly existed for years, and I can see its entry in /etc/passwd.
> 
> This appeared on all the multiple VMs on multiple hosts, all running FreeBSD 9.2 now.
> 
> I was paranoid; I really should have patched all these systems immediately after reading that Heartbleed news, as all these servers had the vulnerable openssl port installed!
> 
> Until I googled and found this:
> 
> https://forums.freebsd.org/viewtopic.php?&t=29644
> 
> it said "The user accounts are actually stored in a database. It's possible it got out of sync with your [file]/etc/passwd[/file] file.", and it suggested running "vipw" to fix it.
> 
> I ran vipw, then saved, and quit.  No joy.  Then ran vipw again, made a change, then undid the change, save again.  Now "finger postfix" found the user, and I can change user password now, and all the above problem disappeared.
> 
> Am I right that I am NOT hacked?  Is the above problem produced by the freebsd-update process?  Is this supposed to happen?  I just followed the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled a kernel or tweaked anything.
> 
> Thank you!  Joe
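The drift the quoted message describes, accounts present in the text file but unknown to finger(1) and passwd(1) because the compiled database was not rebuilt, can be checked for directly before deciding whether anything else is wrong. The script below is an added example, not code from either poster or from FreeBSD: it compares the usernames in a master.passwd-format file against whatever the database side returns and lists the stale ones; the function names and the sample entries are constructed, and `getent passwd` plus the `-p` flag of pw_mkdb(8) come from the FreeBSD manual pages rather than from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: report accounts that
# exist in a master.passwd-format file but that the compiled password database
# (the one finger(1) and passwd(1) consult) does not return.
#
# $1 = path to a master.passwd/passwd-format file (only field 1 is used)
# $2 = a command printing the database view in passwd format
# On FreeBSD, as root:  passwd_db_missing /etc/master.passwd "getent passwd"
passwd_db_missing() {
    file=$1
    db_cmd=$2
    # usernames listed in the text file, minus comments and blank lines
    file_users=$(grep -v '^#' "$file" | grep -v '^$' | cut -d: -f1 | sort -u)
    # usernames the database actually resolves
    db_users=$(sh -c "$db_cmd" | cut -d: -f1 | sort -u)
    # anything only in the file is a stale entry: "finger: <user>: no such user"
    printf '%s\n' "$file_users" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$db_users" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Returns 0 when file and database agree, 1 (listing the stale users on stderr)
# when they have drifted apart, which is the state the thread describes.
passwd_db_in_sync() {
    missing=$(passwd_db_missing "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'entries in %s missing from the password database:\n%s\n' "$1" "$missing" >&2
    return 1
}

# Demo on constructed input (no real system files touched): a master.passwd with
# three accounts and a database that only knows about root.
demo_dir=$(mktemp -d)
cat > "$demo_dir/master.passwd" <<'EOF'
# constructed sample, not a real /etc/master.passwd
root:*:0:0::0:0:Charlie &:/root:/bin/csh
postfix:*:125:125::0:0:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
test:*:1001:1001::0:0:Test User:/home/test:/bin/sh
EOF
printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$demo_dir/db.txt"

if ! passwd_db_in_sync "$demo_dir/master.passwd" "cat $demo_dir/db.txt"; then
    # On FreeBSD the repair is to rebuild pwd.db/spwd.db (and /etc/passwd, with -p)
    # from the master file, which is what vipw(8) does for you on save:
    echo 'rebuild with: pw_mkdb -p /etc/master.passwd'
fi
rm -rf "$demo_dir"
```

Run it as root on the affected host with the real file and `getent passwd`; an empty result after `pw_mkdb` means the database and the file agree again, and any account that still fails to resolve is something other than the stale-database condition discussed here.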