From owner-freebsd-questions@FreeBSD.ORG Wed Apr 6 15:18:01 2005
Date: Wed, 6 Apr 2005 17:17:59 +0200
From: "albi@scii.nl"
To: Richard Morse
cc: questions@freebsd.org
Subject: Re: Owner permissions suddenly set to -x, possible compromise?
Message-Id: <20050406171759.04987532.albi@scii.nl>
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-pc-linux-gnu)

On Wed, 6 Apr 2005 10:55:04 -0400 Richard Morse wrote:

> Hi! I came in the morning and discovered that the file permissions on
> every cgi I have on my webserver had been set to u-x,go+x. This seems
> to have changed at about 4:30a this morning. I'm a bit worried by
> this, as I can't think of anything that would cause this, and there's
> nothing in any of the log files that would explain it.

4:30a sounds like a cronjob might have done this, but it does not ring a bell.

> Has anyone run into this before? Can you direct me to a place I might
> find more information on it? A quick google search on "owner cannot
> exec" didn't turn up anything...

I suggest (since you're worried) you do some reading about security in
general for FreeBSD, e.g. starting here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

Personally I would:

- take the machine down
- compare md5sums with a freshly installed machine
- do some more "forensic research" with things like sleuthkit
- for the future use a tripwire-style program like yafic (from ports)
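A tripwire-style baseline check of the kind the last suggestion points at, added here as an example (it is not code from the thread, nor from yafic or the handbook); the function names are hypothetical, and it assumes sha256sum or FreeBSD's sha256(1) is on the path and that no file path contains whitespace.

```shell
#!/bin/sh
# Added example (not from the thread or from yafic): a minimal tripwire-style
# check for a cgi-bin directory. It records mode bits and a SHA-256 per file,
# then reports files whose mode or content changed. Function names are
# hypothetical; assumes sha256sum (GNU) or sha256(1) (FreeBSD), no spaces in paths.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# One "mode sha256 path" line per regular file under $1, sorted by path.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s %s\n' "$(ls -l "$f" | cut -c1-10)" "$(hash_file "$f")" "$f"
    done
}

# check_integrity BASELINE DIR: prints MODE/CONTENT/ADDED/REMOVED lines;
# returns 0 when DIR still matches BASELINE, 1 otherwise.
check_integrity() {
    snapshot "$2" | awk -v base="$1" '
        BEGIN { bad = 0
                while ((getline line < base) > 0) {
                    split(line, a, " "); mode[a[3]] = a[1]; sum[a[3]] = a[2]; seen[a[3]] = 0 } }
        { p = $3
          if (!(p in mode)) { print "ADDED   " p; bad = 1; next }
          seen[p] = 1
          if (mode[p] != $1) { print "MODE    " p ": " mode[p] " -> " $1; bad = 1 }
          if (sum[p] != $2) { print "CONTENT " p; bad = 1 } }
        END { for (p in seen) if (!seen[p]) { print "REMOVED " p; bad = 1 }
              exit bad }'
}

# Constructed demo: two cgi scripts, a baseline, then the symptom from the
# thread (u-x,go+x on every cgi) plus one script edited afterwards.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/cgi-bin"
    printf '#!/bin/sh\necho a\n' > "$tmp/cgi-bin/a.cgi"
    printf '#!/bin/sh\necho b\n' > "$tmp/cgi-bin/b.cgi"
    chmod 755 "$tmp/cgi-bin"/*.cgi
    snapshot "$tmp/cgi-bin" > "$tmp/baseline"
    chmod u-x,go+x "$tmp/cgi-bin"/*.cgi
    echo 'echo tampered' >> "$tmp/cgi-bin/b.cgi"
    rc=0; check_integrity "$tmp/baseline" "$tmp/cgi-bin" || rc=$?
    rm -rf "$tmp"; return $rc
}
```

Take the baseline only once the machine is known clean (the reply's first two steps), keep it off the web host, and run check_integrity from cron so a mode flip like the one reported shows up the same night rather than the next morning.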