[SOLVED] Is this part of a pfSense update?



  • I just logged into my router and I noticed the following directory that I don't remember creating. Can someone tell me if this was created as part of an update, is it part of pfSense, or does it appear that I might have been hacked?

    /root: ls -laR usbstick/
    total 12
    drwxr-xr-x  3 root  wheel   512 Dec 18 19:58 .
    drwxr-xr-x  7 root  wheel  1024 Jan 26 02:02 ..
    drwxr-xr-x  2 root  wheel  1024 Dec 18 19:57 stickboot
    
    usbstick/stickboot:
    total 3460
    drwxr-xr-x  2 root  wheel    1024 Dec 18 19:57 .
    drwxr-xr-x  3 root  wheel     512 Dec 18 19:58 ..
    -r--r--r--  1 root  wheel    3481 Dec 18 19:57 beastie.4th
    -r--r--r--  1 root  wheel    8192 Dec 18 19:57 boot
    -r--r--r--  1 root  wheel     512 Dec 18 19:57 boot0
    -r--r--r--  1 root  wheel     512 Dec 18 19:57 boot0sio
    -r--r--r--  1 root  wheel     512 Dec 18 19:57 boot1
    -r-xr-xr-x  1 root  wheel   96768 Dec 18 19:57 boot1.efi
    -r--r--r--  1 root  wheel  819200 Dec 18 19:57 boot1.efifat
    -r--r--r--  1 root  wheel    7680 Dec 18 19:57 boot2
    -r--r--r--  1 root  wheel    2050 Dec 18 19:57 brand-fbsd.4th
    -r--r--r--  1 root  wheel    2044 Dec 18 19:57 brand-pfSense.4th
    -r--r--r--  1 root  wheel    2735 Dec 18 19:57 brand.4th
    -r--r--r--  1 root  wheel    1185 Dec 18 19:57 cdboot
    -r--r--r--  1 root  wheel    6125 Dec 18 19:57 check-password.4th
    -r--r--r--  1 root  wheel    1796 Dec 18 19:57 color.4th
    -r--r--r--  1 root  wheel    3985 Dec 18 19:57 delay.4th
    -r--r--r--  1 root  wheel     754 Dec 18 19:57 device.hints
    -r--r--r--  1 root  wheel    4104 Dec 18 19:57 frames.4th
    -r--r--r--  1 root  wheel   66098 Dec 18 19:57 gptboot
    -r--r--r--  1 root  wheel  114754 Dec 18 19:57 gptzfsboot
    -r--r--r--  1 root  wheel   14755 Dec 18 19:57 isoboot
    -r-xr-xr-x  1 root  wheel  331776 Dec 18 19:57 loader
    -r--r--r--  1 root  wheel    7356 Dec 18 19:57 loader.4th
    -rw-r--r--  1 root  wheel     149 Dec 18 19:57 loader.conf
    -r-xr-xr-x  1 root  wheel  404480 Dec 18 19:57 loader.efi
    -r--r--r--  1 root  wheel   15084 Dec 18 19:57 loader.help
    -r--r--r--  1 root  wheel     350 Dec 18 19:57 loader.rc
    -r--r--r--  1 root  wheel    3032 Dec 18 19:57 logo-beastie.4th
    -r--r--r--  1 root  wheel    2556 Dec 18 19:57 logo-beastiebw.4th
    -r--r--r--  1 root  wheel    2137 Dec 18 19:57 logo-fbsdbw.4th
    -r--r--r--  1 root  wheel    2557 Dec 18 19:57 logo-orb.4th
    -r--r--r--  1 root  wheel    2278 Dec 18 19:57 logo-orbbw.4th
    -r--r--r--  1 root  wheel    2274 Dec 18 19:57 logo-pfSensebw.4th
    -r--r--r--  1 root  wheel     512 Dec 18 19:57 mbr
    -r--r--r--  1 root  wheel    9178 Dec 18 19:57 menu-commands.4th
    -r--r--r--  1 root  wheel   35949 Dec 18 19:57 menu.4th
    -r--r--r--  1 root  wheel    6259 Dec 18 19:57 menu.rc
    -r--r--r--  1 root  wheel   18523 Dec 18 19:57 menusets.4th
    -r--r--r--  1 root  wheel     512 Dec 18 19:57 pmbr
    -r--r--r--  1 root  wheel  333824 Dec 18 19:57 pxeboot
    -r--r--r--  1 root  wheel    2603 Dec 18 19:57 screen.4th
    -r--r--r--  1 root  wheel    2538 Dec 18 19:57 shortcuts.4th
    -r--r--r--  1 root  wheel   36212 Dec 18 19:57 support.4th
    -r--r--r--  1 root  wheel  325528 Dec 18 19:57 userboot.so
    -r--r--r--  1 root  wheel    2992 Dec 18 19:57 version.4th
    -r--r--r--  1 root  wheel  262656 Dec 18 19:57 zfsboot
    -r-xr-xr-x  1 root  wheel  389120 Dec 18 19:57 zfsloader
    
    


  • I don't have that folder on my box. My build info is listed below:

    2.4.5-DEVELOPMENT (amd64)
    built on Wed Feb 13 06:09:38 EST 2019
    FreeBSD 11.2-RELEASE-p8


  • Galactic Empire



  • Thanks @mikeisfly & @NogBadTheBad
    @mikeisfly said in Is this part of a pfSense update?:

    I don't have that folder on my box. My build info is listed below:

    2.4.5-DEVELOPMENT (amd64)
    built on Wed Feb 13 06:09:38 EST 2019
    FreeBSD 11.2-RELEASE-p8

    I guess I should have mentioned my release info:
    2.4.4-RELEASE-p2 (amd64)
    built on Wed Dec 12 07:40:18 EST 2018
    FreeBSD 11.2-RELEASE-p6
    which according to the system is the latest stable release.

    @NogBadTheBad said in Is this part of a pfSense update?:

    @guardian said in Is this part of a pfSense update?:

    beastie.4th

    https://www.freebsd.org/cgi/man.cgi?query=beastie.4th&sektion=8&apropos=0&manpath=FreeBSD%2B10.0-RELEASE

    Thanks for this... that offers a few clues. Now I have an idea what it is...
    Is this an artifact left by the last update? As I recall there was a bit of a glitch in the reboot process (i.e. I had to power off and back on during one of the reboots), but everything worked in the end so I never logged in to the shell.

    Can I delete it safely or do I need to leave it?


  • Netgate Administrator

    Hmm, I've never seen a 'usbstick' or 'stickboot' folder like that. Odd.

    Did you have some other media connected when it had the reboot issue?

    Steve



  • @stephenw10 said in Is this part of a pfSense update?:

    Hmm, I've never seen a 'usbstick' or 'stickboot' folder like that. Odd.

    Did you have some other media connected when it had the reboot issue?

    Steve

    Hi Steve

    I'm using one of the Chinese J1900 boxes, and I often have to power off and power on to get the system to reboot properly.

    I think the reboot issue might have to do with the boot mode. In the BIOS, the boot modes are labeled Windows 7/Windows 8 boot.

    It just occurred to me that is likely an obscure way of saying Legacy/UEFI boot. I can't remember which mode my system was built... I think it was likely legacy, since I've had it for a couple of years and just kept upgrading. The drive is UFS formatted and the partition scheme is:

    gpart show
    =>       63  234441585  ada0  MBR  (112G)
             63  234441585     1  freebsd  [active]  (112G)
    
    =>        0  234441585  ada0s1  BSD  (112G)
              0         16          - free -  (8.0K)
             16  217664353       1  freebsd-ufs  (104G)
      217664369   16777216       2  freebsd-swap  (8.0G)
    
    

    Am I correct in assuming that this is a legacy boot setup?

    I might have changed the setting to Windows 8 at some point after the system was already built (can't remember, and at the time I didn't realize the significance of Windows 7/Windows 8 mode). I'll check the next time I need to reboot the system.

    I compared the names of the files in usbstick/stickboot to the files in /boot, and they are almost identical. I think I was trying to make a bootable USB from the contents of the drive and then I realized that I could just use an install USB for rescue. I'm going to rename the directory, and if it doesn't cause any problems I'll delete it.


  • Netgate Administrator

    Yes, it looks like legacy, no efi partition. It's almost certainly fine to remove it but renaming first is always wise.

    If you think you may have created it yourself then nothing to worry about.

    Steve
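
The thread settles on comparing file names in usbstick/stickboot against /boot; the same check can be carried through to file contents. This is an added example, not part of any post and not pfSense tooling: the function names are hypothetical and the demo directory is constructed as a stand-in for /boot and /root/usbstick/stickboot.

```sh
#!/bin/sh
# Added example: classify each file in a suspect directory against a reference
# directory by SHA-256. Function names and demo data are constructed.

# Hash one file with whichever tool exists: sha256 (FreeBSD) or sha256sum (Linux).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print "STATUS name" for every regular (non-hidden) file directly inside $1:
#   SAME  - identical content exists under the same name in $2
#   DIFF  - same name exists in $2 but the content differs
#   EXTRA - no file of that name in $2
compare_dirs() {
    suspect=$1
    reference=$2
    for f in "$suspect"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$reference/$name" ]; then
            echo "EXTRA $name"
        elif [ "$(hash_file "$f")" = "$(hash_file "$reference/$name")" ]; then
            echo "SAME $name"
        else
            echo "DIFF $name"
        fi
    done
}

# Demo on constructed data (stand-ins for /boot and /root/usbstick/stickboot).
demo=$(mktemp -d)
mkdir "$demo/boot" "$demo/stickboot"
printf 'loader-bytes\n' > "$demo/boot/loader"
printf 'loader-bytes\n' > "$demo/stickboot/loader"
printf 'hint.uart.0.at="isa"\n' > "$demo/boot/device.hints"
printf 'hint.uart.0.at="acpi"\n' > "$demo/stickboot/device.hints"
printf 'unknown\n' > "$demo/stickboot/notinboot"
compare_dirs "$demo/stickboot" "$demo/boot"
```

On the router the call would be `compare_dirs /root/usbstick/stickboot /boot`. A DIFF can also mean /boot was updated after the copy was made, so DIFF and EXTRA entries are the ones to inspect before deleting the directory.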

