Date: Wed, 6 Apr 2005 17:17:59 +0200
From: "albi@scii.nl" <albi@scii.nl>
To: Richard Morse <remorse@partners.org>
Cc: questions@freebsd.org
Subject: Re: Owner permissions suddenly set to -x, possible compromise?
Message-ID: <20050406171759.04987532.albi@scii.nl>
In-Reply-To: <DBBC5E84-A6AB-11D9-9156-000A956EB07E@partners.org>
References: <DBBC5E84-A6AB-11D9-9156-000A956EB07E@partners.org>

On Wed, 6 Apr 2005 10:55:04 -0400
Richard Morse <remorse@partners.org> wrote:

> Hi! I came in the morning and discovered that the file permissions on
> every cgi I have on my webserver had been set to u-x,go+x. This seems
> to have changed at about 4:30a this morning. I'm a bit worried by
> this, as I can't think of anything that would cause this, and there's
> nothing in any of the log files that would explain it.

4:30a sounds like a cronjob might have done this, but it does not ring a bell.

> Has anyone run into this before? Can you direct me to a place I might
> find more information on it? A quick Google search on "owner cannot
> exec" didn't turn up anything...

I suggest (since you're worried) you do some reading about security in
general for FreeBSD, e.g. starting here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

Personally I would:

- take the machine down
- compare md5sums with a freshly installed machine
- do some more "forensic research" with things like sleuthkit
- for the future, use a tripwire-style program like yafic (from ports)
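
The baseline comparison suggested above, sketched as an added example (not part of the original message and not yafic's own code): it records a digest and the permission bits for each file, then reports content and mode differences, so a change like u-x,go+x shows up even when file contents are untouched. Assumptions: SHA-256 is used in place of MD5, the function names are hypothetical, the sample file and its starting mode 0755 are constructed, and the baseline comes from a known-good install and is kept off the inspected machine.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return manifest

def compare(baseline, current):
    """Return sorted (path, finding) tuples for every difference from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                findings.append((path, "content changed"))
            if old_mode != new_mode:
                findings.append((path, "mode %04o -> %04o" % (old_mode, new_mode)))
    return findings

def demo():
    """Constructed sample: one CGI script whose mode changes as in the report."""
    with tempfile.TemporaryDirectory() as root:
        cgi = os.path.join(root, "form.cgi")
        with open(cgi, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(cgi, 0o755)  # assumed original mode
        baseline = snapshot(root)
        os.chmod(cgi, 0o655)  # result of u-x,go+x applied to 0755
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, finding in demo():
        print(path, finding)
```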