 | | | Folders Owner and permissions Changed | Folders Owner and permissions Changed 2003-06-05 - By Keith Mastin
Back
Faisal
> Hi,
>
> I just configured a web site on my RH7.2 box running
> apache-1 (See http://che-1.ora-code.com).3.27-1.7.2.
>
> After defining web site about 15 minutes later I found that permissions
> and owner of the web site files are changed to something like this.
>
> drwxrwxrwx 6 544 401 4096 Jun 3 16:29 admin
<snip>
> drwxr-xr-x 2 mysql mysql 8192 Jun 4 13:16 sql
>
> The old files permission was like this looking at backup copy of files.
>
> drwxrwxrwx 6 root root 4096 Jun 3 16:29 admin
> -rwxr-xr-x 1 root root 14604 Jun 4 11:48 admin.php
<snip>
> -rwxr-xr-x 1 root root 4356 Jun 4 11:23 navigation.php
> drwxr-xr-x 2 mysql mysql 8192 Jun 4 13:16 sql
>
> I also checked with my etc/passwd file for UID 544 and GID 401 both not
> found.
>
> I have no ftp server running on this box neither wu-ftp or ftpdpro.
>
> It's local company site.
>
> Any one has any idea I am feeling compromised?
How much more evidence do you need? You were running apache as root with
world writable files, probably on a completely unprotected system. This
being the case, I would guess that your system was compromised before you
started up apache because of the speed of the assault and the fact that
they had time to mess around with your passwd system and probably a whole
lot more.
Time to format and re-install. Don't short yourself on this, the guy [sic]
who broke in knows more about what he's [sic] doing than you do.
--
Keith Mastin
BeechTree Information Technology Services Inc.
Toronto, Canada
(416)696 6070
|
|
|