Folders Owner and permissions Changed

Mailing List

Home

Forum Home

Linux - General Red Hat Linux discussion list

Installation - Getting started with Red Hat Linux

Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)

Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)

Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)

Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)

Apache Web Server

Oracle database, Microsoft SQL server ...

Subjects

•	application/x mplayer2 plugin
•	RPM error: db4 error(16) from dbenv >remove: Device or resource busy
•	Command stream end of file while reading
•	X Windows problem (xauth)
•	Upgrading openoffice 1 1 rpm
•	FTP: connection refused
•	FTP: connection refused
•	mount: /dev/cdrom: is not a valid block device
•	Dell Precision 650, RedHat 9, no sound
•	how to trace the cause resulting in the crash of bind server
•	Virus on the list
•	UNINSTALL RPM MYSQL
•	usb pen drives: mounting as a user
•	broadcom network interface
•	make mrproper
•	sendmail configuration on redhat
•	Couldn 't open PID file /var/run/named/named pid Permission denied
•	Promise 378 controller
•	kernel 2 6 and /dev/sound/mixer not found
•	Problem using up2date
•	mrtg step by step howto/configuration for a newbie?
•	Compiling and Installing Kernel 2 6
•	Can 't locate module ppp0, can 't locate module ppp compress 21
•	HOW I CAN MAKE BOOTABLE FLOPPY DISKET
•	Lotus Notes under Wine
•	/etc/security/limits conf question
•	Intel E/1000 driver
•	Command stream end of file while reading
•	rpm database corrupt
•	qla2300 modules

Folders Owner and permissions Changed

Folders Owner and permissions Changed

2003-06-05 - By David Booher

Back

Reply: 1 2 3

Well, by looking at the old permissions: you had write privileges open to
the world and it looks like someone took advantage of that.

-- --Original Message-- --
From: Faisal [mailto:fais@(protected)]
Sent: Thursday, June 05, 2003 3:42 PM
To: Enigma-List@(protected)
Subject: FW: Folders Owner and permissions Changed

Hi,

I just configured a web site on my RH7.2 box running
apache-1 (See http://che-1.ora-code.com).3.27-1.7.2.

After defining web site about 15 minutes later I found that permissions
and owner of the web site files are changed to something like this.

drwxrwxrwx 6 544 401 4096 Jun 3 16:29 admin
-rwxr-xr-x 1 root root 14604 Jun 4 11:48 admin.php
-rwxrwxrwx 1 544 401 2039 Sep 16 2002 auth.php
drwxr-xr-x 3 root root 4096 Jun 4 13:14 backup
-rwxrwxrwx 1 544 401 14976 Sep 16 2002 banners.php
-rwxrwxrwx 1 544 401 2632 Sep 16 2002 footer.php
-rwxrwxrwx 1 544 401 1987 Sep 16 2002 header.php
drwxrwxrwx 14 544 401 4096 Jun 4 11:26 images
drwxrwxrwx 2 544 401 4096 Jun 3 16:29 includes
-rwxrwxrwx 1 544 401 2295 Sep 16 2002 index.php
drwxrwxrwx 28 544 401 4096 Jun 4 10:48 navigation
-rwxr-xr-x 1 root root 4356 Jun 4 11:23 navigation.php
drwxr-xr-x 2 mysql mysql 8192 Jun 4 13:16 sql

The old files permission was like this looking at backup copy of files.

drwxrwxrwx 6 root root 4096 Jun 3 16:29 admin
-rwxr-xr-x 1 root root 14604 Jun 4 11:48 admin.php
-rwxrwxrwx 1 root root 2039 Sep 16 2002 auth.php
-rwxrwxrwx 1 root root 4096 Sep 16 2002 backup
-rwxrwxrwx 1 root root 14976 Sep 16 2002 banners.php
-rwxrwxrwx 1 root root 2632 Sep 16 2002 footer.php
-rwxrwxrwx 1 root root 1987 Sep 16 2002 header.php
drwxrwxrwx 14 root root 4096 Jun 4 11:26 images
drwxrwxrwx 2 root root 4096 Jun 3 16:29 includes
-rwxrwxrwx 1 root root 2295 Sep 16 2002 index.php
drwxrwxrwx 28 root root 4096 Jun 4 10:48 navigation
-rwxr-xr-x 1 root root 4356 Jun 4 11:23 navigation.php
drwxr-xr-x 2 mysql mysql 8192 Jun 4 13:16 sql

I also checked with my etc/passwd file for UID 544 and GID 401 both not
found.

I have no ftp server running on this box neither wu-ftp or ftpdpro.

It's local company site.

Any one has any idea I am feeling compromised?

Faisal Ashraf

__ ____ ____ ____ ____ ____ ____ ____ ____ ____
enigma-list mailing list
enigma-list@(protected)
https://www.redhat.com/mailman/listinfo/enigma-list

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2654.45">
<TITLE>RE: Folders Owner and permissions Changed</TITLE>
</HEAD>
<BODY>

Well, by looking at the old permissions: you had write
privileges open to the world and it looks like someone took advantage of that.

 
 

-- --Original Message-- --
 From: Faisal [<A HREF="mailto:fais@(protected)">mailto:fais
@(protected)</A>]
 Sent: Thursday, June 05, 2003 3:42 PM
 To: Enigma-List@(protected)
 Subject: FW: Folders Owner and permissions Changed

 

Hi,


I just configured a web site on my RH7.2 box running
 apache-1 (See http://che-1.ora-code.com).3.27-1.7.2.


After defining web site about 15 minutes later I found that
permissions
 and owner of the web site files are changed to something like
this. 


drwxrwxrwx    6 544    &nbsp
; 401          4096 Jun  3 16
:29 admin
 -rwxr-xr-x    1 root    
root        14604 Jun  4 11:48 admin
.php
 -rwxrwxrwx    1 544    
  401          2039 Sep 16
  2002 auth.php
 drwxr-xr-x    3 root    
root         4096 Jun  4 13:14
backup
 -rwxrwxrwx    1 544    
  401         14976 Sep 16 
2002 banners.php
 -rwxrwxrwx    1 544    
  401          2632 Sep 16
  2002 footer.php
 -rwxrwxrwx    1 544    
  401          1987 Sep 16
  2002 header.php
 drwxrwxrwx   14 544     
401          4096 Jun  4 11
:26 images
 drwxrwxrwx    2 544    
  401          4096 Jun 
3 16:29 includes
 -rwxrwxrwx    1 544    
  401          2295 Sep 16
  2002 index.php
 drwxrwxrwx   28 544     
401          4096 Jun  4 10
:48 navigation
 -rwxr-xr-x    1 root    
root         4356 Jun  4 11:23
navigation.php
 drwxr-xr-x    2 mysql    mysql
        8192 Jun  4 13:16 sql

 
 

The old files permission was like this looking at backup copy
of files.


drwxrwxrwx    6 root    
root         4096 Jun  3 16:29
admin
 -rwxr-xr-x    1 root    
root        14604 Jun  4 11:48 admin
.php
 -rwxrwxrwx    1 root    
root         2039 Sep 16  2002
auth.php
 -rwxrwxrwx    1 root    
root         4096 Sep 16  2002
backup
 -rwxrwxrwx    1 root    
root        14976 Sep 16  2002 banners
.php
 -rwxrwxrwx    1 root    
root         2632 Sep 16  2002
footer.php
 -rwxrwxrwx    1 root    
root         1987 Sep 16  2002
header.php
 drwxrwxrwx   14 root     root
         4096 Jun  4 11:26 images
 drwxrwxrwx    2 root    
root         4096 Jun  3 16:29
includes
 -rwxrwxrwx    1 root    
root         2295 Sep 16  2002
index.php
 drwxrwxrwx   28 root     root
         4096 Jun  4 10:48
navigation
 -rwxr-xr-x    1 root    
root         4356 Jun  4 11:23
navigation.php
 drwxr-xr-x    2 mysql    mysql
        8192 Jun  4 13:16 sql


I also checked with my etc/passwd file for UID 544 and GID 401
both not
 found.


I have no ftp server running on this box neither wu-ftp or
ftpdpro.


It's local company site.


Any one has any idea I am feeling compromised? 


Faisal Ashraf 

 

__ ____ ____ ____ ____ ____ ____ ____ ____ ____
 enigma-list mailing list
 enigma-list@(protected)
 <A HREF="https://www.redhat.com/mailman/listinfo/enigma-list"
TARGET="_blank">https://www.redhat.com/mailman/listinfo/enigma-list</A>


</BODY>
</HTML>