am I NOT hacked?
Dag-Erling Smørgrav
des at des.no
Sat Apr 26 11:15:17 UTC 2014
Joe Parsons <jp4314 at outlook.com> writes:
> I was slow to patch my multiple vms after that heartbleed disclosure.
> I just managed to upgrade these systems to 9.2, and installed the
> patched openssl, then started changing passwords for root and other
> shell users. [...]
If you were running 9.2 or older and had not installed OpenSSL from
ports, you were never vulnerable.
In any case, heartbleed does *not* facilitate remote code execution or
code injection, only information retrieval, so unless your passwords
were stored in cleartext (or a weakly hashed form) in the memory of an
Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
or imaps, but not ssh), you cannot have been "hacked" as a consequence
of heartbleed.
Your passwd etc issues are consistent with out-of-sync {,s}pwd.mkdb
which can result from a botched mergemaster.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list