Upgrading/Installing when I cannot login

Hi,

I have 12+ running on my servers remotely, and wish to upgrade to 13.
I have a peculiar problem though. My system has been compromised by hacks who logged in as root via some backdoor unsecured interfaces to the server.
Now I cannot login as myself, it says /etc/login.conf is not owned as root.

I am able to do a single user login as root. I cannot change /etc/, it says read-only. I tried various things such as chflags noschg etc., doesn't seem to work.
Also, when I try freebsd-fetch, it says
/var/db/freebsd-update not available.

So the standard methods don't seem to be working unfortunately. :(

Can you please help. How can I clean up and upgrade my system?
 
When you boot in single user the root partition gets mounted as read-only.
This is because people use it to perform an fsck filesystem check.
You can remount / in read-write using "mount -o rw /".
Then you will be able to edit any directory.
 
To elaborate on that: I don't necessarily mean the hardware ;)

But a system that was once compromised can never be trusted again, there are just too many ways to hide malicious code etc…

If you can and need, try to save important data. But then, erase the disk and do a fresh install.
 
Thanks Alain, Zirias for the very quick responses.

Zirias, when you say fresh install, you mean from disk, correct?
Which requires someone physically going to the site.

Any other alternative to do a fresh install remotely?
 
Yes, I have created backups of all these dirs previously. Also have snapshots.

What is the best way to re-install and/or upgrade from single user mode.
Assuming that I get past the /var/db/freebsd-update problem, which hopefully can be solved by mounting again.
 
Ok then I guess the only sane way out of that is: drive there. I know that's a bummer, but again, I would never trust a system that was compromised at some point in time :rolleyes:
 
stream Take Zirias's advice to heart: you never trust a compromised server. Restore to a known state or do a fresh install. And most importantly -- figure out the way they got in and secure that. Because if you don't they will get in again.

As you have more servers I'd keep one offline for analysis.
 
When you boot in single user …

You can remount / in read-write using "mount -o rw /". …

… or mount -uw / (I can't recall what led me to this habit).

Another useful command for single user mode:

service zfs start

Any number of other services can be started in the same way (or with onestart) although honestly, with a non-compromised machine I sometimes find it easier to exit to multi-user mode, than to figure out the range of things that should/must be started before an operation is performed in single user mode.
 
I can now login as myself. Would like to install fresh 13 version.
The last ditch is to install via thumb drive on-site.
Are there any other means to install the OS via internet?
 
I tried that earlier. It failed- says No mirrors remaining, and that 12.1 is unsupported for freebsd-update.
 
This was the error I got and the solution was to update to the max of the same minor version:

The update metadata is correctly signed, but failed an integrity check.

 
Sorry for repeating myself, but: If you don't "wipe" the system, there's a risk. It was once compromised and there's no way to be sure what is left. Maybe, just maybe, you can do that from remote…
 
Zirias- yes, I do want to wipe. but first I would like to try a few hacks myself.

I see there is a problem with my internet connection. I can ping sites, but cannot access them via browser.
my rc.conf has defaultrouter="...." and gateway_enable="YES".

Does the order matter?
 
It does not.
You may have a broken proxy or some wrong fw rules.
 