I think after upgrading to 14.0, I have this weird behavior where index.html, originally a normal HTML file, is rendered with (seemingly random) binary data:
sh:
# cp -a /tmp/some/backup/index.html /usr/local/www/
# md5sum /usr/local/www/index.html
7be9d7c91bab0691478e105902317a86 /usr/local/www/foudil.fr/index.html
# xxd index.html
00000000: 3c21 444f 4354 5950 4520 6874 6d6c 3e0a <!DOCTYPE html>.
00000010: 3c68 746d 6c3e 0a20 3c68 6561 643e 0a20 <html>. <head>.
# stat -x index.html
File: "index.html"
Size: 757 FileType: Regular File
Mode: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 80/ www)
Device: 18446744072768100063,1174405355 Inode: 296400 Links: 1
Access: Thu Dec 14 00:55:57 2023
Modify: Thu Dec 14 02:30:58 2023
Change: Thu Dec 14 02:30:58 2023
Birth: Thu Dec 14 00:55:57 2023
[…some minutes or hours later…]
# md5sum index.html
6cda6db21ce4ac5de8e13613dac19e5bd index.html
# stat -x index.html
File: "index.html"
Size: 757 FileType: Regular File
Mode: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 80/ www)
Device: 18446744072768100063,1174405355 Inode: 296400 Links: 1
Access: Thu Dec 14 00:55:57 2023
Modify: Thu Dec 14 02:30:58 2023
Change: Thu Dec 14 02:30:58 2023
Birth: Thu Dec 14 00:55:57 2023
foudil has logged on pts/3 from tmux(4535).
foudil has logged on pts/4 from tmux(4535).
[…some more minutes or hours later…]
# md5sum index.html
64cb6596b5433b111b15932200b54ad8 index.html
# xxd index.html
00000000: 85d5 d597 8523 b5d9 2a9b 27df 142c a777 .....#..*.'..,.w
00000010: 5353 a99d 21a3 da7a 3159 e464 0739 4b6a SS..!..z1Y.d.9Kj
[…]
/usr/local/www is a ZFS pool on a geli-encrypted partition. Note between changes, inode and ctime remain unchanged!
What's more, I renamed these (index.html1, index.html2, etc.), and after some time, or after a reboot, they are again rendered as the original HTML file. I.e. md5 = 7be9d7c91bab0691478e105902317a86.
I checked what processes or jails could have access to this file, but couldn't find any obvious ones. Only subdirs of /usr/local/www are mounted inside jails. The file is served by nginx then haproxy.
At this point I have 2 hypotheses:
- I've been hacked and the hacker is playing with my nerves.
- this might somehow be related to recent ZFS bugs
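As an added example (not part of the original post), the following POSIX sh script records a file's SHA-256 together with its inode, mtime and ctime, then re-checks it periodically and tells apart the cases that matter here: an ordinary write (content and ctime move together), a replacement (new inode), and the anomaly described above, where the bytes change while inode, mtime and ctime stay identical. It runs on both FreeBSD (stat -f, sha256) and GNU userland (stat -c, sha256sum); the target path and 60-second interval are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: watch one file for content changes
# that leave inode/mtime/ctime untouched (no write went through the VFS).

file_digest() {
    # SHA-256 of $1; FreeBSD ships sha256(1), GNU systems ship sha256sum.
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

file_meta() {
    # "inode mtime ctime" (epoch seconds) for $1. GNU stat answers --version,
    # BSD stat does not, so that probe picks the format syntax.
    if stat --version >/dev/null 2>&1; then
        stat -c '%i %Y %Z' "$1"
    else
        stat -f '%i %m %c' "$1"
    fi
}

snapshot() {
    # One line per observation: "<sha256> <inode> <mtime> <ctime>"
    printf '%s %s\n' "$(file_digest "$1")" "$(file_meta "$1")"
}

classify() {
    # Args: old_hash old_inode old_mtime old_ctime new_hash new_inode new_mtime new_ctime
    if [ "$1" = "$5" ]; then
        if [ "$2 $3 $4" = "$6 $7 $8" ]; then echo unchanged; else echo metadata_only; fi
    elif [ "$2 $3 $4" = "$6 $7 $8" ]; then
        # Bytes differ, but the kernel never bumped ctime: the pattern in the post.
        echo silent_content_change
    elif [ "$2" != "$6" ]; then
        echo replaced      # different inode: file was recreated or renamed over
    else
        echo modified      # ordinary write: mtime/ctime advanced with the content
    fi
}

check() {
    # $1 = path, $2 = baseline line from an earlier snapshot; prints the verdict.
    cur=$(snapshot "$1")
    # shellcheck disable=SC2086  (word splitting is intended here)
    classify $2 $cur
}

# Usage (assumed path/interval): integrity_watch.sh /usr/local/www/index.html 60
if [ $# -ge 1 ]; then
    target=$1
    interval=${2:-60}
    baseline=$(snapshot "$target")
    echo "baseline: $baseline"
    while :; do
        sleep "$interval"
        verdict=$(check "$target" "$baseline")
        [ "$verdict" = unchanged ] || echo "$(date '+%Y-%m-%dT%H:%M:%S') $verdict: $(snapshot "$target")"
    done
fi
```

Run it from outside the jails against the real dataset path; a "silent_content_change" line with a timestamp narrows the window to correlate with ZFS events, ARC pressure or reboots, while "modified" or "replaced" points at a process actually writing through the filesystem.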