You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com> on 2003/01/16 17:01:52 UTC

Re: [users@httpd] Possible virus changing cgi-bin directorypermissions

I'm running Red Hat 7.3.  I changed the permissions back this morning before
I looked at the time of modification so I'll have to wait till tomorrow to
see what time they are being changed.  But we did run all of the daily cron
jobs again this morning to see if any affected the cgi scripts and none did;
that is why I think it might be and outside job.  Thanks,
Kenny

----- Original Message -----
From: "Lee Fellows" <lf...@4lane.com>
To: <us...@httpd.apache.org>
Sent: Thursday, January 16, 2003 9:45 AM
Subject: Re: [users@httpd] Possible virus changing cgi-bin
directorypermissions


> On Thu, 2003-01-16 at 10:23, Kenny G. Dubuisson, Jr. wrote:
> > I have a strange problem that I can't seem to track down.  Every night
the
> > permissions on my cgi-bin scripts are getting changed to non-executable.
> > I've traced every cron job I have and can't duplicate the behavior.  I
now
> > believe that it may be a malicious access to my web server that is
causing
> > this.
>
>     OS?
>
> >   Has anyone heard of a virus that will do what I'm experiencing?
>
>      It would be a very interesting virus that would be interested
>      in helping a sysadmin secure their system.  Personnally, this
>      does not seem likely.  Although... I do recall hackers who have
>      done similiar things on machines they accessed without the
>      sysadmins' permission.  But you have a long way to go before
>      we could rule that a possibility.
>
> >   I
> > looked all through the Apache access log and found a bunch of attempted
> > accessed by what appears to be malicious scripts but none of them stick
out
> > that  could do what I have happening.
>
>     At what time does the modification of the permissions on your
>     cgi scripts occur?  What cron jobs run at that time, or start
>     slightly before then?
>
>
> >   Any ideas would be greatly
> > appreciated.
> >
> > Thanks,
> > Kenny
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> --
> Lee Fellows <lf...@4lane.com>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org