Penetration Testing mailing list archives
Re: Group permissions changed
From: "Stephen J. Smoogen" <smooge () gmail com>
Date: Sun, 2 Oct 2005 17:11:00 -0600
On 28 Sep 2005 18:33:28 -0000, sf_submit () yahoo com <sf_submit () yahoo com> wrote:
> Fairly recently I noticed my ftp client wouldn't list files in certain directories on my server anymore - so I ssh'd in (it's dedicated), and did a ls -aFl on the files, hoping to see what the problem was - here are a few of the results:
>
> -rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
> -rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php
I am guessing that the server is some sort of Linux/Unix system. One way that files can get 'unknown' IDs is if they are untarred from a tarball as root. This can cause files to get wrong groups. However, they don't usually have correct group ids.. unless someone did a chown at some point.

Now the fact that you are not able to see things correctly with an ftp client can also be benign or malicious. I have had where directories 'disappeared' on a system because the ftp daemon had lost permission to them and so just didn't report they existed anymore. The ftp server lost permission because the night before I had done a recursive chmod that went a little further than I thought. On the other hand it can be a sign that the kernel has been trojaned and it doesn't allow ls or glibc calls to show stuff anymore.

Now if the system has been compromised.. you would not be able to see 'extra' ports or connections. The best you might be able to do is find ports open with an external nmap scan that should not be there.. It is better to build a forensics cdrom for your operating system (I used a variation on knoppix called Helix http://www.e-fense.com/helix/) and then run root-kit finders for your operating system by booting from said cdrom. chkrootkit does many checks... and there are tools that look for common weird directories (..., '. ', '.. ', etc).

And if you are running a Linux system that is rpm based you can do something like:

rpm -Va

or rpm -Vp against the disk cdroms to make sure your system binaries are the same as the signed ones on the dvd. [I think there are ways to do this with other Linux distributions but not sure.]

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
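Added example, not code from the thread or from either poster: a small POSIX sh script that turns the three manual checks in the reply above (spotting a bare numeric group in ls output, looking for directory names made only of dots and spaces, and reading rpm -Va output) into repeatable functions. The two listing lines are the ones quoted in the original question; the rpm -Va sample and the scratch directory are constructed, and the function names are mine. It assumes the rpm -Va line layout of a flag string, an optional file-type marker such as "c", then the path.

```shell
#!/bin/sh
# Added example for the thread above (not code from the list or its posters).
# Three defender-side checks matching the points raised in the reply:
#   1. files whose group column is a bare number (no /etc/group entry),
#   2. directory names made only of dots and spaces ("...", ". ", ".. "),
#   3. triage of rpm -Va output so only digest/size changes on non-config
#      files (and missing files) remain.
# All inputs below are constructed sample data; the two ls lines are the
# ones from the original question.

# 1. Read long-listing lines (ls -l / ls -aFl layout: mode links owner group
#    size date time name) on stdin and print those whose group is numeric.
#    ls prints a number there only when the GID has no name on this system.
flag_numeric_groups() {
    awk '$4 ~ /^[0-9]+$/ { print }'
}

# 2. Print immediate children of directory $1 whose names consist solely of
#    dots and/or spaces. The real "." and ".." are excluded by -mindepth 1.
find_odd_dirnames() {
    find "$1" -mindepth 1 -maxdepth 1 -name '[. ]*' 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        # delete every dot and space; anything left over means an ordinary name
        if [ -z "$(printf '%s' "$name" | tr -d '. ')" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# 3. Reduce rpm -Va output to the lines worth a look. Each line carries a
#    flag string (S size, M mode, 5 digest, ..., T mtime), an optional
#    file-type marker such as "c" for config files, then the path; absent
#    files are reported as "missing   <path>". A changed digest or size on a
#    non-config file, or a missing file, is kept; a lone mtime change or any
#    change to a config file is dropped as expected noise.
triage_rpm_verify() {
    awk '
        /^missing/ { print; next }
        $1 ~ /[S5]/ && $2 != "c" { print }
    '
}

# Constructed sample inputs (assumed layout, see the comments above).
SAMPLE_LISTING='-rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
-rw-r--r-- 1 larry www 873 2005-09-09 03:23 foot.php
-rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php'

SAMPLE_RPM_VERIFY='S.5....T.    /bin/ls
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
missing      /sbin/ifconfig'

# Counts returned as plain numbers so results can be checked, not scraped.
count_numeric_groups() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_numeric_groups | wc -l | tr -d ' '
}

count_rpm_findings() {
    printf '%s\n' "$SAMPLE_RPM_VERIFY" | triage_rpm_verify | wc -l | tr -d ' '
}

# Stand-alone demo: run the checks against the samples and against a scratch
# directory holding a "..." and a ". " entry next to ordinary ones.
demo() {
    echo "numeric-group entries: $(count_numeric_groups)"
    printf '%s\n' "$SAMPLE_LISTING" | flag_numeric_groups
    echo "rpm findings: $(count_rpm_findings)"
    printf '%s\n' "$SAMPLE_RPM_VERIFY" | triage_rpm_verify
    scratch=$(mktemp -d)
    mkdir "$scratch/..." "$scratch/. " "$scratch/normal" "$scratch/.hidden"
    echo "odd directory names:"
    find_odd_dirnames "$scratch"
    rm -rf "$scratch"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check.sh demo` to see the sample output; on a live box, pipe real `ls -aFl` or `rpm -Va` output into the first and third functions instead of the samples. The rpm filter is deliberately coarse: a mtime-only change on a binary is ignored here, but the reply's advice to verify from a clean boot cdrom still applies, since a trojaned kernel can lie to rpm as easily as to ls.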