Network Security Security-Basics

RE: Group permissions changed

Subject: RE: Group permissions changed
Date: Thu, 29 Sep 2005 06:02:24 -0700 (PDT)
Hi, thanks for your response

Yes, I'm on Debian and it appears to allow invalid
groups.  My problem is that no one else (with the
exception of the hosting company - I'm not sure about
them) has root access to the server, and I hadn't done
anything to make the group UID's change.  I don't SSH
in often, only to check logs, settings, or install
something.  

The reason I noticed it was that my FTP client was
giving me errors about not being able to list the
directory - which I had never seen before even though
I regularly upload and delete files via FTP with the
exact same client on the exact same computer.

So, all told, I wouldn't mind if I had done it
accidentally, I just don't see how I could have -
especially since if it was recursive it would have
changed all the files in the directory to the same
group, and they had a couple different non-existent
groups.


--- "Nicholson, Dale" <DNicholson@APACMail.com> wrote:

On some *nix flavors chown allows you to change the group to whatever you
enter even when the group does not really exist.  I don't know if you are on
one of those, but you can check by trying to chown the files to some other
group and see.

chown larry:madeupgroup foot.php

If this returns "chown: unknown group id madeupgroup" then you might want to
get more concerned.  If it allows you to change to a made up group name it
means this might have been done on accident.

In any case you can at least change the group back to the correct one.

I have not heard of an exploit that does this but that does not mean it
doesn't exist.



Dale

-----Original Message-----
From: sf_submit@yahoo.com [mailto:sf_submit@yahoo.com]
Sent: Thursday, September 22, 2005 8:21 PM
To: security-basics@securityfocus.com
Subject: Group permissions changed


Fairly recently I noticed my ftp client wouldn't list files in certain
directories on my server anymore - so I ssh'd in (it's dedicated), and did a
ls -aFl on the files, hoping to see what the problem was - here are a few of
the results:

-rw-r--r--  1 larry  503   371 2005-02-25 08:36 head.php
-rw-r--r--  1 larry   48   873 2005-09-09 03:23 foot.php

I never set the group ids to 503 or 48, so I checked just to make sure - and
no groups with those ids even exist.  Is there an exploit/tool that causes
this, and should I be worried?

I checked the processes running, and everything seems to be OK - same with
any processes connecting to the internet.

I'd appreciate any comments




                
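One way to inventory the situation described in this thread, as an added example that is not part of the original posts: walk a directory tree, list every entry whose numeric group ID resolves to no group name, and print each entry's ctime, which chown and chgrp update, so it shows when ownership was last changed. The function names and the `gid_exists` parameter are hypothetical.

```python
import grp
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone


def gid_resolves(gid):
    """True if the system group database has a name for this GID."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def orphan_group_files(root, gid_exists=gid_resolves):
    """Map each unresolvable GID under root to [(path, ctime_utc), ...].

    ctime is the inode change time: chown, chgrp and chmod update it, so it
    shows when ownership or mode last changed (mtime only tracks content).
    gid_exists is a hypothetical hook so the lookup can be replaced in tests.
    """
    cache, found = {}, defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: describe a symlink, not its target
            except OSError:
                continue  # entry vanished or is unreadable
            if st.st_gid not in cache:
                cache[st.st_gid] = gid_exists(st.st_gid)
            if not cache[st.st_gid]:
                when = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)
                found[st.st_gid].append((path, when))
    return dict(found)


def report(root, gid_exists=gid_resolves):
    """One line per orphaned entry, grouped by GID, oldest change first."""
    lines = []
    for gid, entries in sorted(orphan_group_files(root, gid_exists).items()):
        for path, when in sorted(entries, key=lambda e: e[1]):
            lines.append(f"gid={gid} ctime={when:%Y-%m-%d %H:%M:%S}Z {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else ".")))
```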