Posted to users@httpd.apache.org by Lee Fellows <lf...@4lane.com> on 2003/01/16 16:45:36 UTC
Re: [users@httpd] Possible virus changing cgi-bin directory permissions
On Thu, 2003-01-16 at 10:23, Kenny G. Dubuisson, Jr. wrote:
> I have a strange problem that I can't seem to track down. Every night the
> permissions on my cgi-bin scripts are getting changed to non-executable.
> I've traced every cron job I have and can't duplicate the behavior. I now
> believe that it may be a malicious access to my web server that is causing
> this.
OS?
> Has anyone heard of a virus that will do what I'm experiencing?
It would be a very interesting virus that would be interested
in helping a sysadmin secure their system. Personally, this
does not seem likely. Although... I do recall hackers who have
done similar things on machines they accessed without the
sysadmins' permission. But you have a long way to go before
we could rule that a possibility.
> I looked all through the Apache access log and found a bunch of attempted
> accesses by what appears to be malicious scripts but none of them stick out
> that could do what I have happening.
At what time does the modification of the permissions on your
cgi scripts occur? What cron jobs run at that time, or start
slightly before then?
> Any ideas would be greatly
> appreciated.
>
> Thanks,
> Kenny
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
--
Lee Fellows <lf...@4lane.com>
Re: [users@httpd] Possible virus changing cgi-bin directory permissions
Posted by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>.
I'm running Red Hat 7.3. I changed the permissions back this morning before
I looked at the time of modification so I'll have to wait till tomorrow to
see what time they are being changed. But we did run all of the daily cron
jobs again this morning to see if any affected the cgi scripts and none did;
that is why I think it might be an outside job.

Thanks,
Kenny
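
The correlation asked for in this thread (when did the permissions change, and which cron jobs ran just before) can be scripted. The following is an added example, not part of either poster's message; it assumes GNU `stat` and `date`, and the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat/date, as on Linux.

# chmod leaves mtime (what `ls -l` shows) untouched and updates ctime,
# so ctime is the timestamp that records the nightly permission change.
ctime_hhmm() {  # usage: ctime_hhmm FILE  -> HH:MM of last inode change
    date -d "@$(stat -c %Z "$1")" +%H:%M
}

# Print crontab entries scheduled within WINDOW minutes before HH:MM.
# Only plain numeric minute fields and numeric-or-* hour fields are handled;
# day/month/weekday fields are not evaluated, so treat hits as candidates.
cron_near() {  # usage: cron_near CRONFILE HH:MM WINDOW
    awk -v at="$2" -v win="$3" '
        BEGIN { split(at, t, ":"); target = t[1] * 60 + t[2] }
        /^[ \t]*(#|$)/ { next }          # comments, blank lines
        $1 !~ /^[0-9]+$/ { next }        # VAR=value lines, step/list syntax
        {
            if ($2 == "*") {             # hourly: latest run at or before target
                start = int(target / 60) * 60 + $1
                if (start > target) start -= 60
            } else if ($2 ~ /^[0-9]+$/) {
                start = $2 * 60 + $1
            } else next
            if ((target - start + 1440) % 1440 <= win) print
        }' "$1"
}

# For each script, show mode, ctime, and the cron entries that ran just before.
suspects() {  # usage: suspects CGI_DIR CRONFILE WINDOW
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        when=$(ctime_hhmm "$f")
        echo "$f mode=$(stat -c %A "$f") ctime=$when"
        cron_near "$2" "$when" "$3" | sed 's/^/    candidate: /'
    done
}

# Hypothetical invocation (paths are assumptions, adjust to the host):
#   suspects /var/www/cgi-bin /etc/crontab 10
```

Run it before restoring the execute bit, because that `chmod` itself overwrites ctime and erases the evidence of when the nightly change happened.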