Security Basics mailing list archives
RE: Group permissions changed
From: "Nicholson, Dale" <DNicholson () APACMail com>
Date: Tue, 27 Sep 2005 15:44:02 -0500
On some *nix flavors chown allows you to change the group to whatever you enter even when the group does not really exist. I don't know if you are on one of those, but you can check by trying to chown the files to some other group and see.

    chown larry:madeupgroup foot.php

If this returns "chown: unknown group id madeupgroup" then you might want to get more concerned. If it allows you to change to a made up group name it means this might have been done on accident. In any case you can at least change the group back to the correct one.

I have not heard of an exploit that does this but that does not mean it doesn't exist.

Dale

-----Original Message-----
From: sf_submit () yahoo com [mailto:sf_submit () yahoo com]
Sent: Thursday, September 22, 2005 8:21 PM
To: security-basics () securityfocus com
Subject: Group permissions changed

Fairly recently I noticed my ftp client wouldn't list files in certain directories on my server anymore - so I ssh'd in (it's dedicated), and did a ls -aFl on the files, hoping to see what the problem was - here are a few of the results:

    -rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
    -rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php

I never set the group ids to 503 or 48, so I checked just to make sure - and no groups with those ids even exist. Is there an exploit/tool that causes this, and should I be worried? I checked the processes running, and everything seems to be OK - same with any processes connecting to the internet.

I'd appreciate any comments
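
Added example, not part of the original messages: a Python sketch that walks a directory tree and reports every entry whose numeric group ID has no entry in the group database, which is the condition `ls` shows as a bare number such as 503 or 48. The function name and the `lookup` parameter are assumptions made for this illustration; grouping the results by GID shows how far the stray IDs extend before the group is changed back.

```python
import grp
import os
import sys
from collections import defaultdict


def find_orphaned_gids(root, lookup=grp.getgrgid):
    """Map each unresolvable numeric GID to the paths under root that carry it.

    lookup is any callable that raises KeyError for an unknown GID; the
    default queries the system group database (via NSS on Linux).
    """
    orphans = defaultdict(list)
    known = {}  # gid -> bool, so each GID is resolved only once

    def check(path):
        try:
            gid = os.lstat(path).st_gid  # lstat: report symlinks themselves
        except OSError:
            return  # unreadable or vanished entry; skip it
        if gid not in known:
            try:
                lookup(gid)
                known[gid] = True
            except KeyError:
                known[gid] = False
        if not known[gid]:
            orphans[gid].append(path)

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return dict(orphans)


if __name__ == "__main__":
    # Hypothetical usage: pass the web root (or any directory) as argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for gid, paths in sorted(find_orphaned_gids(target).items()):
        print(f"gid {gid}: {len(paths)} entries, e.g. {paths[0]}")
```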