Owner permissions suddenly set to -x, possible compromise?
albi at scii.nl
Wed Apr 6 08:18:02 PDT 2005
On Wed, 6 Apr 2005 10:55:04 -0400
Richard Morse <remorse at partners.org> wrote:
> Hi! I came in the morning and discovered that the file permissions on
> every cgi I have on my webserver had been set to u-x,go+x. This seems
> to have changed at about 4:30a this morning. I'm a bit worried by
> this, as I can't think of anything that would cause this, and there's
> nothing in any of the log files that would explain it.
4:30a sounds like a cronjob might have done this, but it does not ring a
bell.
> Has anyone run into this before? Can you direct me to a place I might
> find more information on it? A quick google search on "owner cannot
> exec" didn't turn up anything...
I suggest (since you're worried) you do some reading about security in
general for FreeBSD, e.g. starting here:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html
Personally I would:
- take the machine down
- compare md5sums with a freshly installed machine
- do some more "forensic research" with things like sleuthkit
- for the future use a tripwire-style program like yafic (from ports)
More information about the freebsd-questions mailing list
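
An added example, not part of the original message: one way to script the "compare md5sums with a freshly installed machine" step while also flagging the u-x,go+x mode from the report. The function names are this example's own, and the file names and contents in demo() are constructed.

```python
import hashlib
import os
import stat
import tempfile

def owner_lost_exec(mode):
    """True for the reported pattern: u-x while group or other has x."""
    return not mode & stat.S_IXUSR and bool(mode & (stat.S_IXGRP | stat.S_IXOTH))

def snapshot(root):
    """Map relative path -> (md5 hex digest, permission bits) for regular files."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode):
                with open(full, "rb") as f:
                    digest = hashlib.md5(f.read()).hexdigest()
                snap[os.path.relpath(full, root)] = (digest, stat.S_IMODE(mode))
    return snap

def compare(reference, suspect):
    """Return sorted (path, finding) pairs for the suspect tree."""
    findings = [(p, "missing from suspect") for p in reference if p not in suspect]
    for path, (digest, mode) in suspect.items():
        if path not in reference:
            findings.append((path, "not in reference"))
        else:
            ref_digest, ref_mode = reference[path]
            if digest != ref_digest:
                findings.append((path, "content differs"))
            if mode != ref_mode:
                findings.append((path, "mode %04o, reference %04o" % (mode, ref_mode)))
        if owner_lost_exec(mode):
            findings.append((path, "owner cannot exec, group/other can"))
    return sorted(findings)

def demo():
    """Constructed sample trees: a reference and one showing the symptom."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        samples = [(ref, "form.cgi", b"#!/bin/sh\n", 0o755), (sus, "form.cgi", b"#!/bin/sh\n", 0o655),
                   (ref, "mail.cgi", b"#!/bin/sh\n", 0o755), (sus, "mail.cgi", b"#!/bin/sh\n#\n", 0o755)]
        for root, name, body, mode in samples:
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, mode)
        return compare(snapshot(ref), snapshot(sus))
```

To use it on real data, pass snapshot() the reference tree and a copy of the suspect tree, then hand both results to compare(); reading the suspect disk from a separate trusted system keeps the comparison independent of binaries on the machine in question.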