Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Group permissions changed

from [Nicholson, Dale] Network Security [Permanent Link]
Subject: RE: Group permissions changed
Date: Tue, 27 Sep 2005 15:44:02 -0500 
On some *nix flavors chown allows you to change the group to whatever you
enter even when the group does not really exist.  I don't know if you are on
one of those, but you can check by trying to chown the files to some other
group and see.

chown larry:madeupgroup foot.php

If this returns "chown: unknown group id madeupgroup" then you might want to
get more concerned.  If it allows you to change to a made up group name it
means this might have been done on accident.

In any case you can at least change the group back to the correct one.

I have not heard of an exploit that does this but that does not mean it
doesn't exist.



Dale

-----Original Message-----
From: sf_submit@yahoo.com [mailto:sf_submit@yahoo.com] 
Sent: Thursday, September 22, 2005 8:21 PM
To: security-basics@securityfocus.com
Subject: Group permissions changed


Fairly recently I noticed my ftp client wouldn't list files in certain
directories on my server anymore - so I ssh'd in (it's dedicated), and did a
ls -aFl on the files, hoping to see what the problem was - here are a few of
the results:

-rw-r--r--  1 larry  503   371 2005-02-25 08:36 head.php
-rw-r--r--  1 larry   48   873 2005-09-09 03:23 foot.php

I never set the group ids to 503 or 48, so I checked just to make sure - and
no groups with those ids even exist.  Is there an exploit/tool that causes
this, and should I be worried?

I checked the processes running, and everything seems to be OK - same with
any processes connecting to the internet.

I'd appreciate any comments
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Windows Vista current flaws, Kofron, Matt
Next by Date:  RE: security-basics@securityfocus.com, Flory Jeffrey D Ctr 59 MDSS/MSISI
Previous by Thread:  Group permissions changed, sf_submit
Next by Thread:  RE: Group permissions changed, abc 123
Indexes:  [Date] [Thread] [Top] [All Lists]