Does this look like my pfSense was hacked

  • I had a power failure today (pfSense is just being tested, so I don't have it on a UPS), and I tried to log in as root with SSH and it didn't work.  Fortunately I had another userid with sudo, so I was able to get the root password fixed, but before I changed the password, I had a look in /etc/master.passwd and I saw the following:

    root:$–----REMOVED----------m:0:0::0:0:Charlie &:/root:/bin/sh
    toor::0:0::0:0:Bourne-again Superuser:/root:
    :1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin

    Two things I am wondering about:

    • Where did 'Charlie &' come from?  My name is not Charlie and there is not way I put that into the setup.

    • is toor:*:0:0::0:0:Bourne-again Superuser:/root: a normal entry?

    I'm wondering if this is normal, did I likely suffer corruption, or was I likely hacked and should wipe the box and reload it?

    I can't remember exactly, but the box started out as v2.3 and I have done all the upgrades.  I have also installed / removed a number of packages.

    Also, I can't remember, is root access normally allowed or does the standard install force the use of admin and sudo?

    Does pfSense have anything like rkhunter to detect unauthorized changes?

    Any assistance is much appreciated.

  • Thanks… that Charlie had me scared!

  • Thanks… I was wondering what that was about... obviously someone has a sense of humour that was a bit too obscure for me  ;)