On Thu, Jun 08, 2006 at 02:22:19PM +0200, Jonas Lindskog wrote:
> Hello,
> 
> A week ago my OpenBSD firewall started to show a very strange behaviour.
> I have the ssh-daemon running and usually log in remotely to be able to
> administrate the pf.conf file. But now I can't log in. Ok, maybe I've just
> forgotten my password. I booted in single user mode and changed it, then
> booted normally but couldn't log in anyway. I booted in single user mode
> again, changed it to another password, changed to another user (using su)
> and then changed user to root again (again using su). Was prompted for the
> password, entered it and login was again rejected. When I tried to change
> the password it complained that something was wrong with a file called
> /etc/master.passwd. When looking at the file it contained parts of my
> pf.conf file.
> 
> Have I been hacked or is it just a major error done from my side?

Most likely, some form of major error. Might be filesystem damage; could
you have done something to cause that?

If master.passwd is unparseable, all sorts of nasty stuff happens.
Restore from a 3*etc.tgz file, or - if possible - from backups.

(Just a generic pointer - most hackers know what they are doing, and are
quite careful not to make too many user-visible changes to the system;
something as blatantly obvious as this is unlikely to be the work of a
hacker. Even bad hackers are unlikely to randomly trash important
files.)

                Joachim
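
An added example, not part of the original messages: a simplified structural check that reports which lines of a master.passwd file are not valid records, such as the stray pf.conf lines described above. It assumes the ten colon-separated fields documented in passwd(5) and that every line must be a record; the sample file, its account names and its hash placeholder are constructed, and the rules are not a reimplementation of the system's own parser.

```python
# Added example: structural check of a BSD master.passwd file.
# Record layout per passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home_dir", "shell")

def check_line(line):
    """Return a list of problems found in one master.passwd line."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        return [f"expected {len(FIELDS)} fields, found {len(parts)}"]
    rec = dict(zip(FIELDS, parts))
    problems = []
    if not rec["name"] or any(c.isspace() for c in rec["name"]):
        problems.append("empty or malformed login name")
    for key in ("uid", "gid"):
        if not rec[key].isdigit():
            problems.append(f"{key} is not a non-negative integer: {rec[key]!r}")
    for key in ("change", "expire"):  # assumption: empty is tolerated here
        if rec[key] and not rec[key].isdigit():
            problems.append(f"{key} is not numeric: {rec[key]!r}")
    if rec["home_dir"] and not rec["home_dir"].startswith("/"):
        problems.append("home_dir is not an absolute path")
    return problems

def check_master_passwd(text):
    """Return {line_number: [problems]} for every bad line in text."""
    bad = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = check_line(line)
        if problems:
            bad[number] = problems
    return bad

# Constructed sample: valid records with pf.conf-style lines mixed in.
SAMPLE = """\
root:$2a$08$CONSTRUCTED.PLACEHOLDER.HASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
ext_if="fxp0"
block in all
pass out on $ext_if proto tcp all keep state
admin:*:1000:10::0:0:Constructed User:/home/admin:/bin/ksh
"""

if __name__ == "__main__":
    for number, problems in check_master_passwd(SAMPLE).items():
        print(f"line {number}: {'; '.join(problems)}")
```

On a real system, run this against a copy of the file taken in single user mode, and restore from a backup if any line is reported.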
