Upgrading/Installing when I cannot login

stream


Hi,

I have 12+ running on my servers remotely, and wish to upgrade to 13.
I have a peculiar problem though. My system has been compromised by hackers who logged in as root via some backdoor: unsecured interfaces to the server.
Now I cannot log in as myself; it says /etc/login.conf is not owned by root.

I am able to do a single user login as root. I cannot change /etc/; it says it is read-only. I tried various things such as chflags noschg etc., but they don't seem to work.
Also, when I try freebsd-fetch, it says
/var/db/freebsd-update not available.

So the standard methods don't seem to be working unfortunately. :(

Can you please help? How can I clean up and upgrade my system?
 

Alain De Vos


When you boot in single user mode, the root partition gets mounted read-only, because people use this to perform an fsck filesystem check.
You can remount / read-write using "mount -o rw /". Then you will be able to edit any directory.
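As an added example (not from any post in this thread), this is the triage I would run from single-user mode for the symptom stream describes: remount root read-write, check who owns the files that login(1) depends on, and repair /etc/login.conf. The remount and repair steps are FreeBSD-only and guarded; the ownership check is portable. The expected owner root:wheel and mode 0644 for login.conf are standard; the list of files audited and the `run` argument are my choices. If /usr is a separate filesystem, mount it first (mount -a), since awk and cap_mkdb live under /usr.

```sh
#!/bin/sh
# Added example, not from the thread: single-user triage for a login refused
# because /etc/login.conf has the wrong owner or flags. FreeBSD-only steps are
# guarded so the ownership helpers can be exercised on any userland.

# Remount root read-write; mount -uw / is the short form of mount -u -o rw /.
remount_rw() {
    [ "$(uname -s)" = FreeBSD ] || { echo "remount_rw: FreeBSD only" >&2; return 1; }
    fsck -p /        # preen first; it refuses filesystems that need manual repair
    mount -uw /
}

# Owner of a path as printed by ls -ld (third column); works on any userland.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_owner PATH USER : 0 if PATH exists and is owned by USER, else 1.
check_owner() {
    path=$1; expected=$2
    [ -e "$path" ] || { echo "MISSING   $path" >&2; return 1; }
    actual=$(owner_of "$path")
    [ "$actual" = "$expected" ] && return 0
    echo "BAD OWNER $path: $actual (expected $expected)" >&2
    return 1
}

# The files login(1) and the password library consult (list chosen here).
# A wrong owner on any of them is enough to lock every interactive login out.
audit_login_files() {
    rc=0
    for f in /etc/login.conf /etc/login.conf.db /etc/master.passwd \
             /etc/spwd.db /etc/pwd.db /etc/passwd /etc/group; do
        check_owner "$f" root || rc=1
    done
    return $rc
}

# FreeBSD-only repair: drop immutable flags (system and user), restore
# root:wheel 0644 and rebuild login.conf.db, which is what login(1) reads.
fix_login_conf() {
    [ "$(uname -s)" = FreeBSD ] || { echo "fix_login_conf: FreeBSD only" >&2; return 1; }
    ls -lo /etc/login.conf                 # -o prints the file flags
    chflags noschg,nouchg /etc/login.conf
    chown root:wheel /etc/login.conf
    chmod 644 /etc/login.conf
    cap_mkdb /etc/login.conf
}

# Only act when asked explicitly ("sh triage.sh run"); otherwise just define helpers.
case "${1:-}" in
    run) remount_rw && audit_login_files; fix_login_conf && audit_login_files ;;
esac
```

Run it first without `run` and call audit_login_files by hand if you only want the report; the repair is deliberately a separate function so you see what was wrong before overwriting it, which matters if you intend to analyse the box afterwards.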
 

Zirias


To elaborate on that: I don't necessarily mean the hardware ;)

But a system that was once compromised can never be trusted again, there are just too many ways to hide malicious code etc…

If you can and need, try to save important data. But then, erase the disk and do a fresh install.
 
stream

Thanks Alain, Zirias for the very quick responses.

Zirias, when you say fresh install, you mean from disk, correct?
Which requires someone physically going to the site.

Any other alternative to do a fresh install remotely?
 

covacat


If you can access single user mode remotely, you don't need to go there.
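As an added example, not from any post here: the step of a remote reinstall that is easiest to get wrong is laying down the new base system, so this script verifies the distribution sets (base.txz, kernel.txz) against the MANIFEST published beside them and only then extracts them into an empty new root. The MANIFEST layout assumed is one tab-separated line per set with the file name first and its SHA-256 second, as published under .../releases/<arch>/<release>/; the DIST and /mnt/newroot paths and the `run` argument are my choices. Partitioning, the loader, fstab and rc.conf for the new root are out of scope. Keep Zirias's point in mind: run from a rooted host, this is only as trustworthy as the kernel and tar you run it with; it rules out a corrupted or swapped tarball, not a compromised running system.

```sh
#!/bin/sh
# Added example, not from the thread: verify FreeBSD distribution sets against
# MANIFEST before extracting them into an EMPTY new root.

sha256_of() {   # sha256sum in GNU userland, sha256 -q in FreeBSD base
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'; else sha256 -q "$1"; fi
}

# manifest_digest MANIFEST NAME : expected digest, or nothing if NAME is unlisted.
# Assumed layout: tab-separated, file name in column 1, SHA-256 in column 2.
manifest_digest() {
    awk -F '\t' -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# verify_set MANIFEST SETFILE : 0 if SETFILE matches its MANIFEST entry, else 1.
verify_set() {
    manifest=$1; setfile=$2
    name=$(basename "$setfile")
    want=$(manifest_digest "$manifest" "$name")
    [ -n "$want" ] || { echo "$name: not listed in MANIFEST" >&2; return 1; }
    have=$(sha256_of "$setfile")
    [ "$have" = "$want" ] && { echo "$name: OK"; return 0; }
    echo "$name: MISMATCH have=$have want=$want" >&2
    return 1
}

# install_sets TARGET SET... : extract the sets into TARGET, which must be an
# empty directory. Never point this at the running root: a trojaned tar,
# loader or kernel already on the box would simply be preserved.
install_sets() {
    target=$1; shift
    [ -d "$target" ] || { echo "$target: not a directory" >&2; return 1; }
    [ -z "$(ls -A "$target")" ] || { echo "$target: not empty" >&2; return 1; }
    for s in "$@"; do
        tar -xpf "$s" -C "$target" || return 1   # -p keeps the set's modes
    done
}

# Real run (FreeBSD, as root): DIST holds MANIFEST, base.txz and kernel.txz
# fetched over https; /mnt/newroot is the freshly created, empty root.
case "${1:-}" in
    run)
        DIST=${DIST:-/var/tmp/dist}
        for s in base.txz kernel.txz; do verify_set "$DIST/MANIFEST" "$DIST/$s" || exit 1; done
        install_sets /mnt/newroot "$DIST/base.txz" "$DIST/kernel.txz" ;;
esac
```

The empty-directory check is the important one: extracting base.txz over a populated root merges the new files with whatever the intruder left, which is exactly the outcome a fresh install is supposed to avoid.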
 

Alain De Vos


In single user mode you can run tar cvfz to create an archive of the directories you want to back up,
e.g. /boot, /usr/home, /etc/, /usr/local/etc.
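As an added example, not Alain's or anyone else's code from this thread: the same tar backup, plus a per-file SHA-256 manifest written next to the archive. The manifest is what makes the copy useful afterwards: on the analysis machine you can see which saved configs differ from a known-good copy, which is how you find what the intruder changed (_martin's point below about keeping a box for analysis). Assumed: /usr is mounted so tar and awk are available, and the archive goes to storage the intruder could not reach (a freshly attached disk, or scp it off right away). The destination path in the usage comment is mine. One caveat of my own: treat a saved /boot as evidence, not as something to restore; a trojaned loader or kernel module is exactly what a fresh install is meant to get rid of.

```sh
#!/bin/sh
# Added example, not from the thread: archive directories from single-user
# mode and record a per-file SHA-256 manifest for later comparison.

sha256_of() {   # sha256sum in GNU userland, sha256 -q in FreeBSD base
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'; else sha256 -q "$1"; fi
}

# hash_manifest DIR... : one "<sha256>  <absolute path>" line per regular file.
hash_manifest() {
    for d in "$@"; do
        find "$d" -type f | while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256_of "$f")" "$f"
        done
    done
}

# backup_dirs ARCHIVE DIR... : tar+gzip the directories that exist (missing
# ones are reported and skipped) and write ARCHIVE.sha256. Returns 1 if no
# directory could be archived.
backup_dirs() {
    archive=$1; shift
    for d in "$@"; do            # the list is expanded once, so rewriting $@
        shift                    # while iterating keeps only the dirs that exist
        if [ -d "$d" ]; then set -- "$@" "$d"; else echo "skip (missing): $d" >&2; fi
    done
    [ $# -gt 0 ] || { echo "nothing to archive" >&2; return 1; }
    tar -czf "$archive" "$@" || return 1      # tar strips the leading / from member names
    hash_manifest "$@" > "$archive.sha256"
}

# Number of files recorded in a manifest.
manifest_entries() { awk 'END { print NR }' "$1"; }

# verify_manifest MANIFEST [ROOT] : recompute every digest, optionally under
# ROOT (where the archive was extracted on the analysis box); 1 on any change.
verify_manifest() {
    manifest=$1; root=${2:-}; rc=0
    while IFS= read -r line; do
        want=${line%%  *}; f=${line#*  }
        have=$(sha256_of "$root$f" 2>/dev/null || true)   # missing file counts as changed
        [ "$have" = "$want" ] || { echo "CHANGED: $root$f" >&2; rc=1; }
    done < "$manifest"
    return $rc
}

# Real run, in single-user mode on FreeBSD (destination path is an assumption):
#   backup_dirs /mnt/rescue/compromised.tgz /boot /usr/home /etc /usr/local/etc
# On the analysis machine, after tar -xzf compromised.tgz -C /mnt/saved:
#   verify_manifest compromised.tgz.sha256 /mnt/saved
```

Because tar strips the leading slash, extracting the archive under a root directory reproduces the original absolute paths beneath it, which is why verify_manifest takes ROOT as a plain prefix.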
 
stream

Yes, I have created backups of all these directories previously. I also have snapshots.

What is the best way to re-install and/or upgrade from single user mode?
Assuming that I get past the /var/db/freebsd-update problem, which hopefully can be solved by mounting again.
 

Zirias


If this machine is housed at a hoster company, how did you install it initially? :-/
 

Zirias


OK, then I guess the only sane way out of that is: drive there. I know that's a bummer, but again, I would never trust a system that was compromised at some point in time :rolleyes:
 

_martin


stream, take Zirias's advice to heart: you never trust a compromised server. Restore to a known state or do a fresh install. And most importantly, figure out the way they got in and secure that. Because if you don't, they will get in again.

As you have more servers I'd keep one offline for analysis.
 

grahamperrin


> When you boot in single user …
>
> You can remount / in read-write using "mount -o rw /". …

… or mount -uw / (I can't recall what led me to this habit).

Another useful command for single user mode:

service zfs start

Any number of other services can be started in the same way (or with onestart) although honestly, with a non-compromised machine I sometimes find it easier to exit to multi-user mode, than to figure out the range of things that should/must be started before an operation is performed in single user mode.
 
stream

I can now log in as myself. I would like to install a fresh 13 version.
The last resort is to install via thumb drive on-site.
Are there any other means to install the OS via the internet?
 
stream

I tried that earlier. It failed; it says "No mirrors remaining", and that 12.1 is unsupported for freebsd-update.
 

covacat


I upgraded from 10.3 to 13 two days ago.
I needed to update to the latest patch level of 10.3 before it worked.
 

Alain De Vos


So it works incrementally. You must first go to the latest version of your current release before you can go to the next release.
 

covacat


This was the error I got, and the solution was to update to the max of the same minor version:

The update metadata is correctly signed, but failed an integrity check.
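As an added example, not from covacat's or Alain's posts: the two-stage freebsd-update path the posts above arrive at, written out. Stage 1 takes the installed release to its latest patch level; stage 2 is the cross-release upgrade, which needs a reboot between its two `install` passes and a package rebuild afterwards (the sequence in the FreeBSD handbook). The target release 13.0-RELEASE is an assumption (set TARGET), as is the `run` argument. Two caveats a practitioner wants here: freebsd-update only serves releases that are still supported, which is why a box on 12.1 gets "No mirrors remaining" and cannot even complete stage 1; and this patches a system in place, which does nothing about a compromise, so it belongs on the fresh install or on the other, uncompromised servers, not on the rooted one.

```sh
#!/bin/sh
# Added example, not from the thread: staged freebsd-update upgrade.

TARGET=${TARGET:-13.0-RELEASE}    # assumption; edit for your target release

# "12.1-RELEASE-p13" -> "12.1-RELEASE" (the form freebsd-update -r expects).
release_of() { printf '%s\n' "$1" | sed 's/-p[0-9][0-9]*$//'; }

# plan CURRENT TARGET : print the stages needed, one per line.
# Same release line: stage1 only. Different release: stage1, then stage2.
plan() {
    cur=$(release_of "$1"); tgt=$(release_of "$2")
    echo stage1
    [ "$cur" = "$tgt" ] || echo stage2
}

# Stage 1: latest patch level of the running release. If this fails with
# "No mirrors remaining", the release is out of support and the update
# servers no longer carry it; nothing below will work until you are on a
# supported release (i.e. a fresh install).
stage1_patch() {
    freebsd-update fetch install
}

# Stage 2: cross-release. The first install replaces the kernel; after the
# reboot the second install replaces userland, then packages are rebuilt
# against the new ABI and a final install removes stale shared libraries.
stage2_upgrade() {
    freebsd-update -r "$TARGET" upgrade || return 1
    freebsd-update install || return 1
    cat <<EOF
New kernel installed. Now:
  shutdown -r now
  freebsd-update install
  pkg-static upgrade -f
  freebsd-update install
EOF
}

# Only act when asked explicitly ("sh upgrade.sh run").
case "${1:-}" in
    run)
        current=$(freebsd-version 2>/dev/null || uname -r)
        for stage in $(plan "$current" "$TARGET"); do
            case $stage in
                stage1) stage1_patch || exit 1 ;;
                stage2) stage2_upgrade || exit 1 ;;
            esac
        done ;;
esac
```

The "correctly signed, but failed an integrity check" message covacat quotes is consistent with this ordering: the upgrade metadata is computed against the latest patch level of the source release, so a box behind on patches does not match what the signature covers.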

 

Zirias


Sorry for repeating myself, but: If you don't "wipe" the system, there's a risk. It was once compromised and there's no way to be sure what is left. Maybe, just maybe, you can do that from remote…
 
stream

Zirias, yes, I do want to wipe, but first I would like to try a few hacks myself.

I see there is a problem with my internet connection. I can ping sites, but cannot access them via browser.
My rc.conf has defaultrouter="...." and gateway_enable="YES".

Does the order matter?
 

covacat


> Zirias, yes, I do want to wipe, but first I would like to try a few hacks myself.
>
> I see there is a problem with my internet connection. I can ping sites, but cannot access them via browser.
> My rc.conf has defaultrouter="...." and gateway_enable="YES".
>
> Does the order matter?

It does not. You may have a broken proxy or some wrong firewall rules.
 