Re: Empty /usr/src, is the box broken in?

2009-01-18 Thread Ivo Chutkin
Hi Ingo,

It was definitely "Oh my god!" :) I was shocked because I usually extract
the source code.

Then, thanks to you I got my mind and realized that I did not extract the
source code when I installed the box.

It is one of my border routers, and I installed it during a "disaster"
period, the old one is just R.I.P. so... :)

I have to be more careful when doing this.

Thanks a lot,
:)
Best regards,

Ivo

> Hi Ivo,
>
> Ivo Chutkn wrote on Sun, Jan 18, 2009 at 09:43:06PM +0200:
>
>> I noticed a strange thing on one of my OpenBSD 4.4 boxes.
>> The directory /usr/src is empty except two patches I downloaded today
>> and
>> a file called Oops.rje.
>
> This is very funny, thanks for the good laugh!
>
> In German, the phrase "Herrje!" means "Oh my god!".
> When you try to pronounce "rje", it sounds exactly like "Herrje".
> Thus, "Oops.rje" is really nice.   =:c)
>
> But, no more kidding, "Oops.rej" is a reject file written
> by patch(1) when it cannot find the file to patch.  For more details,
> search the patch(1) manual page for the string ".rej".
>
>> The content of this file is at the end.
>> I tried to apply security fix 007 and it ended with "File to patch:"
>> Then I noticed that the /usr/src is empty.
>
> Well, patching source code you never installed will not work.
> You should first extract the source tarball into /usr/src
> before you start patching...
>
> Try to at least roughly understand the commands you are typing.
> Otherwise, you will never have a secure and very rarely
> a working system...  ;-(
>
>> Is it at all possible or someone broke in?
>
> Nobody can exclude that the box was broken in.
> But the above does not contain any hint that there might have
> been a break-in, so _probably_, the box is not compromised.
>
>> I receive daily output and did not notice any unknown or strange
>> changes.
>
> Very probably, your attempt to patch non-existent source code
> broke nothing.  Just remove the contents of /usr/src,
> install the sources from your CD set, and retry.
> Also, have a look at
>
>   http://www.openbsd.org/faq/faq10.html#Patches
>
> Yours,
>   Ingo



Re: Empty /usr/src, is the box broken in?

2009-01-18 Thread Ingo Schwarze
Hi Ivo,

Ivo Chutkn wrote on Sun, Jan 18, 2009 at 09:43:06PM +0200:

> I noticed a strange thing on one of my OpenBSD 4.4 boxes.
> The directory /usr/src is empty except two patches I downloaded today and
> a file called Oops.rje.

This is very funny, thanks for the good laugh!

In German, the phrase "Herrje!" means "Oh my god!".
When you try to pronounce "rje", it sounds exactly like "Herrje".
Thus, "Oops.rje" is really nice.   =:c)

But, no more kidding, "Oops.rej" is a reject file written
by patch(1) when it cannot find the file to patch.  For more details,
search the patch(1) manual page for the string ".rej".

> The content of this file is at the end.
> I tried to apply security fix 007 and it ended with "File to patch:"
> Then I noticed that the /usr/src is empty.

Well, patching source code you never installed will not work.
You should first extract the source tarball into /usr/src
before you start patching...

Try to at least roughly understand the commands you are typing.
Otherwise, you will never have a secure and very rarely
a working system...  ;-(

> Is it at all possible or someone broke in?

Nobody can exclude that the box was broken in.
But the above does not contain any hint that there might have
been a break-in, so _probably_, the box is not compromised.

> I receive daily output and did not notice any unknown or strange changes.

Very probably, your attempt to patch non-existent source code
broke nothing.  Just remove the contents of /usr/src,
install the sources from your CD set, and retry.
Also, have a look at

  http://www.openbsd.org/faq/faq10.html#Patches

Yours,
  Ingo
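
The failure described above, a patch run against a source tree that was never extracted, can be caught before patch(1) is invoked. This is an added example, not part of the thread and not OpenBSD tooling; the function names and the sample path lib/example/verify.c are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check before running patch(1).
# Function names and the sample path are hypothetical.

# Print the target of every "--- / +++" header pair in a unified diff,
# dropping STRIP leading path components the way patch -pSTRIP does.
list_patch_targets() {   # usage: list_patch_targets PATCHFILE [STRIP]
    awk -v strip="${2:-0}" '
        prev ~ /^--- / && /^\+\+\+ / && $2 != "/dev/null" {
            n = split($2, part, "/"); out = ""
            for (i = strip + 1; i <= n; i++)
                out = out (out == "" ? "" : "/") part[i]
            if (out != "") print out
        }
        { prev = $0 }' "$1"
}

# Print each target missing under SRCDIR; return 1 if any is missing.
# Paths containing whitespace are not handled.
missing_patch_targets() {   # usage: missing_patch_targets PATCHFILE SRCDIR [STRIP]
    missing=0
    for target in $(list_patch_targets "$1" "${3:-0}"); do
        [ -f "$2/$target" ] || { echo "$target"; missing=1; }
    done
    return "$missing"
}

# Constructed demo: an empty source tree and a one-hunk patch.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src"
cat > "$demo_dir/fix.patch" <<'EOF'
Index: lib/example/verify.c
--- lib/example/verify.c  2009-01-01 00:00:00
+++ lib/example/verify.c  2009-01-01 00:00:01
@@ -1,3 +1,3 @@
 	ret = check(buf);
-	if (ret == 0)
+	if (ret <= 0)
 		fail();
EOF

if missing_patch_targets "$demo_dir/fix.patch" "$demo_dir/src" >/dev/null; then
    echo "all targets present, safe to run patch -p0"
else
    echo "source tree incomplete, patch(1) would stop at 'File to patch:'"
fi
rm -rf "$demo_dir"
```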



Empty /usr/src, is the box broken in?

2009-01-18 Thread Ivo Chutkn
Hello to everyone,

I noticed a strange thing on one of my OpenBSD 4.4 boxes.
The directory /usr/src is empty except two patches I downloaded today and
a file called Oops.rje. The content of this file is at the end.
I tried to apply security fix 007 and it ended with "File to patch:"
Then I noticed that the /usr/src is empty.

Is it at all possible or someone broke in?
I receive daily output and did not notice any unknown or strange changes.

Thank you for your help,
Ivo

Oops.rej

@@ -1486,7 +1486,7 @@
{
ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
rsa_num, rsa_key[j]);
-   if (ret == 0)
+   if (ret <= 0)
{
BIO_printf(bio_err,
"RSA verify failure\n");

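Review bot: at the changed test `if (ret <= 0)`, a negative return from RSA_verify() (which the old `== 0` test let through as if verification had succeeded) now shares one branch and one "RSA verify failure" message with a return of 0, so the output cannot tell the two cases apart. If the lines past the visible context do not already do so, print the return value or dump the error queue to bio_err in that branch. Separately, the literal 36 passed as the digest length would read better with a comment or a named constant saying where it comes from.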

dmesg:
/usr/src $ dmesg
OpenBSD 4.4-stable (GENERIC) #9: Sun Nov 16 17:31:26 CET 2008
r...@i386.openbsd-stable.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.13GHz ("GenuineIntel" 686-class) 2.15 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
real mem  = 1073246208 (1023MB)
avail mem = 1029353472 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/26/05, BIOS32 rev. 0 @ 0xfb260,
SMBIOS rev. 2.3 @ 0xf0100 (42 entries)
bios0: vendor Award Software International, Inc. version "F3" date 04/26/2005
bios0: Gigabyte Technology Co., Ltd. 8IPE1000-G/L
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0xdc04
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdb30/192 (10 entries)
pcibios0: PCI Exclusive IRQs: 5 7 9 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x9400 0xcc000/0x800 0xcd000/0x800 0xce000/0x800
0xcf000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82865G AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA Vanta" rev 0x15
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xe800, size 0x800
drm at vga1 unsupported
ppb1 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci2 at ppb1 bus 2
fxp0 at pci2 dev 1 function 0 "Intel 8255x" rev 0x05, i82558: irq 12,
address 00:08:c7:da:8b:8d
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
fxp1 at pci2 dev 2 function 0 "Intel 8255x" rev 0x05, i82558: irq 10,
address 00:50:8b:02:22:21
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 0
fxp2 at pci2 dev 3 function 0 "Intel 8255x" rev 0x05, i82558: irq 11,
address 00:08:c7:f3:f7:07
inphy2 at fxp2 phy 1: i82555 10/100 PHY, rev. 0
fxp3 at pci2 dev 4 function 0 "Intel 8255x" rev 0x05, i82558: irq 5,
address 00:50:8b:0b:49:e2
inphy3 at fxp3 phy 1: i82555 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02: 24-bit
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA, 3882MB, 7952112 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: irq 7
iic0 at ichiic0
admtm0 at iic0 addr 0x2d: 47m192
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL2.5
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask e3c5 netmask ffe5 ttymask 
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b