Security Basics mailing list archives

RE: Group permissions changed


From: "Nicholson, Dale" <DNicholson () APACMail com>
Date: Tue, 27 Sep 2005 15:44:02 -0500

On some *nix flavors chown allows you to change the group to whatever you
enter even when the group does not really exist.  I don't know if you are on
one of those, but you can check by trying to chown the files to some other
group and see.

chown larry:madeupgroup foot.php

If this returns "chown: unknown group id madeupgroup" then you might want to
get more concerned.  If it allows you to change to a made up group name it
means this might have been done by accident.

In any case you can at least change the group back to the correct one.

I have not heard of an exploit that does this but that does not mean it
doesn't exist.



Dale

-----Original Message-----
From: sf_submit () yahoo com [mailto:sf_submit () yahoo com] 
Sent: Thursday, September 22, 2005 8:21 PM
To: security-basics () securityfocus com
Subject: Group permissions changed


Fairly recently I noticed my ftp client wouldn't list files in certain
directories on my server anymore - so I ssh'd in (it's dedicated), and did a
ls -aFl on the files, hoping to see what the problem was - here are a few of
the results:

-rw-r--r--  1 larry  503   371 2005-02-25 08:36 head.php
-rw-r--r--  1 larry   48   873 2005-09-09 03:23 foot.php

I never set the group ids to 503 or 48, so I checked just to make sure - and
no groups with those ids even exist.  Is there an exploit/tool that causes
this, and should I be worried?

I checked the processes running, and everything seems to be OK - same with
any processes connecting to the internet.

I'd appreciate any comments
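
The check discussed in this thread, as an added example that is not part of either message: a Python script that walks a directory tree and lists every file whose numeric group ID has no entry in the system group database, together with the file's ctime (any chown or chgrp updates it, so it bounds when the group last changed). The function names and the injectable `resolve` parameter are assumptions of this example.

```python
import grp
import os
import time
from collections import defaultdict


def find_orphaned_gids(root, resolve=grp.getgrgid):
    """Map each GID that has no group entry to the files under root carrying it.

    resolve is injectable (an assumption of this example) so the logic can be
    exercised without root. The default asks the system group database via
    NSS, which also covers LDAP/NIS groups that /etc/group alone would miss.
    """
    known = {}                    # gid -> True/False cache of lookups
    orphans = defaultdict(list)   # gid -> [(path, ctime), ...]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: report symlinks, do not follow
            except OSError:
                continue              # vanished or unreadable entry; skip it
            gid = st.st_gid
            if gid not in known:
                try:
                    resolve(gid)
                    known[gid] = True
                except KeyError:      # grp.getgrgid raises KeyError if unknown
                    known[gid] = False
            if not known[gid]:
                orphans[gid].append((path, st.st_ctime))
    return dict(orphans)


def report(orphans):
    """One line per file; ctime is the last inode change (chown updates it)."""
    lines = []
    for gid in sorted(orphans):
        for path, ctime in sorted(orphans[gid]):
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ctime))
            lines.append(f"gid={gid} changed={stamp} {path}")
    return lines


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print("\n".join(report(find_orphaned_gids(target))))
```

Files that share one unknown GID and a tight cluster of ctimes usually point to a single event, such as an archive unpacked with preserved ownership or a removed account, and the timestamps can be matched against shell history and logs.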

