
Topics - sandapa

General Questions / Why was /etc/passwd updated automatically?
« on: March 06, 2018, 02:55:26 pm »
I have one pfSense hardware router that has run for a few weeks and was then shut down for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:

Code:
2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
2018-03-06 13:44:13 [unknown:groupmod] all(1998)
2018-03-06 13:44:13 [unknown:groupmod] admins(1999)

The timestamps here are the same as the last modified date of /etc/passwd, so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually; I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?

Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.
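One way to triage entries like the ones quoted in the post above, as an added example that is not part of the original post or of pfSense: it parses the /var/log/userlog line shape shown there, groups entries by timestamp so a burst can be matched against the /etc/passwd modification time, and lists uid-0 accounts that fall outside a baseline. The baseline is an assumption copied from the quoted log, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the excerpt in the post:
#   <date> <time> [<caller>:<action>] <detail>
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[([^:\]]*):(\w+)\] (.*)$")
# useradd/usermod detail: name(uid):group(gid):gecos:home:shell
ACCOUNT = re.compile(r"^([^(:]+)\((\d+)\):[^(:]+\(\d+\):[^:]*:[^:]*:([^:]*)$")
# Assumption: expected uid-0 (name, shell) pairs, copied from the post's log;
# not an authoritative list of pfSense defaults.
EXPECTED_UID0 = {("root", "/bin/sh"), ("admin", "/etc/rc.initial")}

SAMPLE = [
    # First seven lines: the excerpt from the post.
    "2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed",
    "2018-03-06 13:44:13 [unknown:groupmod] all(1998)",
    "2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh",
    "2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial",
    "2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made",
    "2018-03-06 13:44:13 [unknown:groupmod] all(1998)",
    "2018-03-06 13:44:13 [unknown:groupmod] admins(1999)",
    # Constructed line, not from the post: an extra uid-0 account.
    "2018-03-07 02:10:41 [unknown:useradd] support(0):wheel(0):Support:/root:/bin/sh",
]

def parse(lines):
    """Yield one dict per recognised log line; unrecognised lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        event = dict(zip(("ts", "caller", "action", "detail"), m.groups()))
        acct = ACCOUNT.match(event["detail"])
        if acct and event["action"] in ("useradd", "usermod"):
            event.update(name=acct[1], uid=int(acct[2]), shell=acct[3])
        yield event

def bursts(events):
    """Map each timestamp to its actions, for comparison with a file mtime."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["ts"]].append(e["action"])
    return dict(grouped)

def unexpected_uid0(events):
    """Return (ts, name, shell) for uid-0 accounts outside the baseline."""
    return [(e["ts"], e["name"], e["shell"]) for e in events
            if e.get("uid") == 0 and (e["name"], e["shell"]) not in EXPECTED_UID0]
```

Calling `unexpected_uid0(list(parse(SAMPLE)))` returns only the constructed `support` entry; the seven lines from the post all match the baseline.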
