freebsd-update IDS
Ben Morrow
ben at morrow.me.uk
Fri Jan 18 00:43:13 UTC 2013
Quoth Mark Felder <feld at feld.me>:
> On Thu, 17 Jan 2013 07:22:26 -0600, Alex Povolotsky
> <tarkhil at webmail.sub.ru> wrote:
>
> > It was a break-in. Some dumb php script running with user privileges
> > managed to make FreeBSD hang on disk I/O, to the point of not responding
> > to anything besides a reset.
>
> Yikes! Make sure to run freebsd-update IDS to check the base OS's
> checksums and if you're using pkgng you can use "pkg check -s" to look for
> any tampered-with files owned by packages.
Make sure you read the caveats in the freebsd-update manpage before
trusting the IDS result. At the very least you need to delete
/var/db/freebsd-update, /etc/freebsd-update.conf and
/usr/sbin/freebsd-update itself and replace them with known-good copies.
Ideally you should run the tests from an entirely separate known-good
instance of the OS, though in practice it's probably easier to just
replace the OS and packages from known-good sources and then set about
recovering and verifying the data. cf. the story about patching cc to
patch cc to patch login...
Ben
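The procedure the thread describes (run the freebsd-update IDS and pkg checksum checks, but with freebsd-update itself, its config and its working directory taken from known-good media rather than the suspect disk, ideally from a separate clean OS instance), as an added shell example that is not part of the original post. It assumes the suspect root is mounted read-only at /mnt/suspect, a known-good base tree is mounted at /mnt/goodmedia, and the suspect system's release string is supplied via RELEASE; it uses the -b, -d, -f and --currently-running options of freebsd-update(8) and the -r option of pkg(8). The report lines in the test are constructed in the style of an IDS report, not captured output.

```shell
#!/bin/sh
# Added example: integrity check of a compromised FreeBSD root from a clean
# rescue system. Not code from the freebsd-stable thread.
set -u

SUSPECT=${SUSPECT:-/mnt/suspect}            # suspect root, mounted read-only
GOOD=${GOOD:-/mnt/goodmedia}                # known-good base tree (assumed layout)
WORK=${WORK:-/var/db/freebsd-update-ids}    # fresh workdir, never the suspect one
RELEASE=${RELEASE:-X.Y-RELEASE}             # placeholder: release of the suspect system

# Run IDS with a known-good copy of the freebsd-update script and config,
# operating on the suspect tree (-b) with a fresh working directory (-d).
# --currently-running avoids trusting uname(1) of the rescue host.
run_ids() {
    report=$1
    mkdir -p "$WORK"
    sh "$GOOD/usr/sbin/freebsd-update" \
        -b "$SUSPECT" -d "$WORK" -f "$GOOD/etc/freebsd-update.conf" \
        --currently-running "$RELEASE" IDS > "$report" 2>&1
}

# Package files: pkg -r operates on another root; check -s -a verifies the
# recorded checksums of every installed package.
run_pkg_check() {
    report=$1
    pkg -r "$SUSPECT" check -s -a > "$report" 2>&1
}

# Triage an IDS report read from stdin. Discrepancy lines look like
# "<path> has SHA256 hash <actual>, but should have hash <expected>." plus
# similar lines for owner, group, permission and type mismatches. Locally
# edited files under /etc are expected noise; changed binaries, libraries
# and the kernel are what a break-in looks like, so they are ranked first.
# Output: "<severity> <kind> <path>", sorted so CRITICAL lines come first.
triage_ids_report() {
    while IFS= read -r line; do
        path=${line%% *}
        case "$line" in
            *" has SHA256 hash "*) kind=content ;;
            *" is owned by "*|*" permissions"*|*" is a "*) kind=metadata ;;
            *) continue ;;            # progress/status text, not a finding
        esac
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib/*|/usr/lib/*|\
            /libexec/*|/usr/libexec/*|/boot/kernel/*)
                sev=CRITICAL ;;
            /etc/*) sev=REVIEW ;;     # may be legitimate local edits; still diff them
            *) sev=WARN ;;
        esac
        printf '%s %s %s\n' "$sev" "$kind" "$path"
    done | LC_ALL=C sort
}

main() {
    run_ids /tmp/ids.report
    run_pkg_check /tmp/pkg.report
    triage_ids_report < /tmp/ids.report
    echo "--- pkg check -s output ---"
    cat /tmp/pkg.report
}

# Only run the checks when invoked as "sh script.sh run".
case "${1:-}" in
    run) main ;;
esac
```

The triage only ranks findings; anything CRITICAL means the base system is not trustworthy and, as Ben says, the practical answer is to reinstall from known-good sources and verify the data afterwards rather than patch the listed files in place.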