[CALUG] Strange log file permissions

Rajiv Gunja opn.src.rocks at gmail.com
Sat Feb 11 10:04:08 CST 2006


Jim,
I have seen this many a time in my network, when there is no possible way
that a user id and group id could be that long.

The culprit in our case was NFS. When we NFS mount an FS across different OSes,
Linux->AIX or Sun->AIX or HP->AIX, or even Samba mounts, the OSes interpret
these mounted files with different file handles.

In this case, if your access_log was Samba mounted or shared across, that
could have caused it, so you might have to check the smb.conf.

If not, I would agree with you that this system was compromised by someone
who had root access.

Before the server is rebuilt, please check if they have opened any back
doors, viz. /.rhosts, /etc/hosts.equiv, and look in /usr/bin and /usr/sbin
to see if they have set the sticky bit on any files. Check PAM and its config. If the
client is OK with a rebuild, go ahead and rebuild it and put SeOS on it for
good security. Nowadays it goes by eTrust. It has saved me and enabled me
to find certain odd/evil doers within my network.

Good luck

-GGR

---
Rajiv G Gunja
System Analyst / Engg
SUN / AIX / HPUX / Linux Admin
IM: AOL / Yahoo / MSN : ggvrsn

On 2/8/06, Jim Bauer <jfbauer at comcast.net> wrote:
>
> On Wednesday 08 February 2006 14:31, Steve Gregory wrote:
> > One of my clients has a server with some very strange permissions.
> > /var/log/cups/access_log does not have any root permissions and has a
> > long number as its user and group. I am not able to change the
> > permissions as root, nor will a weekly rotate work. I have suggested to
> > the client that the server needs to be rebuilt, since there might be the
> > possibility that the machine was rooted. He would like a second opinion.
> > Any thoughts?
>
> If it looks like I suspect it might, there is a chance it could be due to
> filesystem corruption.
>
>
> _______________________________________________
> Columbia, Maryland Linux User's Group (CALUG) mailing list
> CALUG Website: http://www.calug.com
> Email postings to: lug at calug.com
> Change your list subscription options:
> http://calug.com/mailman/listinfo/lug
>
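The checks Rajiv lists, as an added example that is not from the thread or from any tool it mentions: a POSIX shell script that reports the filesystem type behind the log directory (to rule out an NFS/SMB mount first), files whose uid/gid has no local account (what ls shows as a bare number), setuid/setgid/sticky files in the bin directories, the rlogin trust files, and recently changed PAM configuration. Function names and the 30-day window are my own choices; every function takes a root prefix so the script can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example, not from the thread: first checks for the symptom described
# above (a log file with a long numeric uid/gid that root cannot chmod).
# Every function takes a root prefix so it can be pointed at a scratch tree.

# Filesystem type holding the path. An owner that does not map and that root
# cannot change is consistent with a network mount (NFS/SMB): rule that out first.
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# Files whose uid or gid has no local passwd/group entry, which is exactly
# what ls -l shows as a bare number instead of a name.
unmapped_owners() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null || true
}

# Setuid, setgid and sticky regular files under the given directories
# (the sticky-bit check from the post, widened to setuid/setgid).
special_bits() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 -o -perm -1000 \) \
        2>/dev/null || true
}

# Number of rlogin/rsh trust files (/.rhosts, /etc/hosts.equiv) under prefix $1.
count_trust_files() {
    n=0
    for f in "$1/.rhosts" "$1/etc/hosts.equiv"; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# PAM configuration files modified within the last $2 days (window is my choice).
recent_pam_changes() {
    find "$1/etc/pam.conf" "$1/etc/pam.d" -type f -mtime -"$2" 2>/dev/null || true
}
main() {
    root=${1:-/}; root=${root%/}
    echo "fs type of $root/var/log: $(fs_type_of "$root/var/log")"
    echo "== files with unmapped uid/gid under $root/var/log"
    unmapped_owners "$root/var/log"
    echo "== setuid/setgid/sticky files in $root/usr/bin and $root/usr/sbin"
    special_bits "$root/usr/bin" "$root/usr/sbin"
    echo "== rlogin trust files present: $(count_trust_files "$root")"
    echo "== PAM config changed in the last 30 days"
    recent_pam_changes "$root" 30
}
main "$@"
```

Run it with no argument against the live system, or with a directory argument to audit a mounted image of the suspect disk.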

