Penetration Testing mailing list archives

Re: Group permissions changed


From: "Stephen J. Smoogen" <smooge () gmail com>
Date: Sun, 2 Oct 2005 17:11:00 -0600

On 28 Sep 2005 18:33:28 -0000, sf_submit () yahoo com <sf_submit () yahoo com> wrote:

---

Fairly recently I noticed my ftp client wouldn't list files in certain directories on my server anymore - so I ssh'd 
in (it's dedicated), and did a ls -aFl on the files, hoping to see what the problem was - here are a few of the 
results:

-rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
-rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php


I am guessing that the server is some sort of Linux/Unix system. One
way that files can get 'unknown' IDs is if they are untarred from a
tarball as root. This can cause files to get wrong groups. However,
they don't usually have correct group ids.. unless someone did a chown
at some point.

Now the fact that you are not able to see things correctly with an ftp
client can also be benign or malicious. I have had cases where directories
'disappeared' on a system because the ftp daemon had lost permission
to them and so just didn't report they existed anymore. The ftp server
lost permission because the night before I had done a recursive chmod
that went a little further than I thought. On the other hand it can be
a sign that the kernel has been trojaned and it doesn't allow ls or
glibc calls to show stuff anymore.

Now if the system has been compromised.. you would not be able to see
'extra' ports or connections. The best you might be able to do is find
ports open with an external nmap scan that should not be there.. It is
better to build a forensics cdrom for your operating system (I used a
variation on knoppix called Helix http://www.e-fense.com/helix/) and
then run root-kit finders for your operating system by booting from
said cdrom. chkrootkit does many checks... and there are tools that
look for common weird directories (..., '. ' , '.. ', etc). And if you
are running a Linux system that is rpm based you can do something like
: rpm -Va or rpm -Vp against the disk cdroms to make sure your system
binaries are the same as the signed ones on the dvd. [ I think there
are ways to do this with other Linux distributions but not sure.]


--
Stephen J Smoogen.
CSIRT/Linux System Administrator
