On Wednesday 28 September 2005 20:33, sf_submit (at) yahoo (dot) com [email concealed] wrote:
> I posted this before on the security basics, but haven't received a
> response, and it worries me a bit, so I'm sending this to a few other
> groups in hopes that someone will have an idea about it.
>
> ---
>
> Fairly recently I noticed my ftp client wouldn't list files in certain
> directories on my server anymore - so I ssh'd in (it's dedicated), and did
> a ls -aFl on the files, hoping to see what the problem was - here are a few
> of the results:
>
> -rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
> -rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php
>
> I never set the group ids to 503 or 48, so I checked just to make sure -
> and no groups with those ids even exist. Is there an exploit/tool that
> causes this, and should I be worried?
I seem to remember that tar preserves group numbers when unpacking an archive,
but I cannot check it right now.
--
Joop Gerritse
Mühlenstraße 11
D-47546 Kalkar-Wissel
Germany
+49 2824 971487
http://www.jjge.nl
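
Added example, not part of the original thread: tar member headers carry a numeric gid next to an optional group name, so an archive packed on another host can hold gids such as 503 or 48 that have no entry in the local group database. The Python sketch below reports such gids in an archive and on disk; the function names and the in-memory sample archive are constructed for illustration.

```python
import grp
import io
import os
import tarfile


def gid_is_known(gid):
    """True if the local group database has an entry for this numeric gid."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def orphan_gids_in_archive(fileobj, known=gid_is_known):
    """Return {member name: gid} for members whose gid has no local group."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return {m.name: m.gid for m in tar if not known(m.gid)}


def orphan_gids_on_disk(root, known=gid_is_known):
    """Return {path: gid} for entries under root whose gid has no local group."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            gid = os.lstat(path).st_gid  # lstat: do not follow symlinks
            if not known(gid):
                found[path] = gid
    return found


def build_sample_archive():
    """Constructed sample: two members carrying the gids from the listing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, gid, size in (("head.php", 503, 371), ("foot.php", 48, 873)):
            info = tarfile.TarInfo(name)
            info.gid, info.gname, info.size = gid, "", size
            tar.addfile(info, io.BytesIO(b"\0" * size))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(orphan_gids_in_archive(build_sample_archive()))
    print(orphan_gids_on_disk("."))
```

Checking an archive this way before unpacking it as root, and comparing the result with the on-disk scan, shows whether unexplained gids match what an archive carried in.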