RE: Group permissions changed

[abc 123 <sf_submit () yahoo com>]

Hi, thanks for your response

Yes, I'm on Debian and it appears to allow invalid
groups.  My problem is that noone else (with the
exception of the hosting company - I'm not sure about
them) has root access to the server, and I hadn't done
anything to make the group UID's change.  I don't SSH
in often, only to check logs, settings, or install
something.  

The reason I noticed it was that my FTP client was
giving me errors about not being able to list the
directory - which I had never seen before even though
I regularly upload and delete files via FTP with the
exact same client on the exact same computer.

So, all told, I wouldn't mind if I had done it
accidentally, I just don't see how I could have -
especially since if it was recursive it would have
changed all the files in the directory to the same
group, and they had a couple different non-existent
groups.


--- "Nicholson, Dale" <DNicholson () APACMail com> wrote:

> On some *nix flavors chown allows you to change the
> group to whatever you
> enter even when the group does not really exist.  I
> don't know if you are on
> one of those, but you can check by trying to chown
> the files to some other
> group and see.
>
> chown larry:madeupgroup foot.php
>
> If this returns "chown: unknown group id
> madeupgroup" then you might want to
> get more concerned.  If it allows you to change to a
> made up group name it
> means this might have been done on accident.
>
> In any case you can at least change the group back
> to the correct one.
>
> I have not heard of an exploit that does this but
> that does not mean it
> doesn't exist.
>
>
>
> Dale
>
> -----Original Message-----
> From: sf_submit () yahoo com
> [mailto:sf_submit () yahoo com] 
> Sent: Thursday, September 22, 2005 8:21 PM
> To: security-basics () securityfocus com
> Subject: Group permissions changed
>
>
> Fairly recently I noticed my ftp client wouldn't
> list files in certain
> directories on my server anymore - so I ssh'd in
> (it's dedicated), and did a
> ls -aFl on the files, hoping to see what the problem
> was - here are a few of
> the results:
>
> -rw-r--r--  1 larry  503   371 2005-02-25 08:36
> head.php
> -rw-r--r--  1 larry   48   873 2005-09-09 03:23
> foot.php
>
> I never set the group ids to 503 or 48, so I checked
> just to make sure - and
> no groups with those ids even exist.  Is there an
> exploit/tool that causes
> this, and should I be worried?
>
> I checked the processes running, and everything
> seems to be OK - same with
> any processes connecting to the internet.
>
> I'd appreciate any comments



                
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com