Spontaneous Permission Changes

Ok. If anyone else has experienced this, plz let me know. I doubt anyone has, but I'm at a loss here.

Here's the situation:
Apache v1.3.22 on Mandrake Linux v8.1
OpenSSL v0.9.6b

Created a /cgi-bin/ alias and created all tags indicating to server that this was a script dir to execute from (Have been using SAME setup on RedHat for 3 years and never had this prob). After switching to Mandrake and adding SSL, I started using the Intranet side of our site through SSL. Every now and then, ALL cgi scripts in the /cgi-bin/ dir, recursively, have their permissions set to 0600, which, of course, renders them inexecutable. I have written a piece of monitoring code that tests the permissions and writes the system time and file name if it becomes inexecutable. This code runs on cron every minute and noticed last night at 4:52am EST that the permissions changed... again recursively through the /cgi-bin/ dir... I check all system logs for any events on or around this time window and found nothing that indicated a script or login or anything else had occured. I also changed the web server user's passwd as well as root's, just to make sure someone wasn't f**king with me...

Any ideas out there?

have u chroot'ed with minimal tools in the jail?
Check for a root kit, that would be the first thing i would do before checking anything else

Sorry, cross-posting is a bad thing to do in ANY forum on earth. Should you like to keep this thread, delete your other thread here now.
People, if you believe SpongeWorthyII deserves to get further help with his poor attitude for being the questioner seeking for free help in the link I posted above, just do so. But be prepared that whatever you say he/she will not agree with you because he doesn't take any advice.

The post he is refering to got out of hand after he commented which was a ridiculous comment in the first place... I was just asking a simple YES or NO question and I would LOVE to hear anything anyone has to say so long as it's contructive... looks who's following who around.

I would love to delete the post.. but since you're sooooo smart, maybe you'd realize that post was written with the account you disabled... so I CAN'T DELETE IT. duh.

That thread got out of hand right at your 2nd post for not listening to my suggestion in my first post.

>> I was just asking a simple YES or NO question

Not only that, you asked for ideas, else you'd be sent to here already for not knowing how to ask a question because you haven't read the forum guidelines.

>> which was a ridiculous comment in the first place

Because you happen to be the 1st member in Devshed for not taking my advise and insist you were right for posting irrelevant topic in this forum. Like rod k said, if you really figured out the problem you wouldn't have posted it here in the first place.

>> maybe you'd realize that post was written with the account you disabled

I don't have moderate power to delete your account. Maybe moderator here think the same that you don't deserve to be here.

why do people bother to fight in forums?

I have no beef with freebsd... I was looking for help and got an arrogant brush off. Now he's following me around adding unsolicited responses to my posts... if he'd lay off, it could all go away...

Thanks again for your help Stealth. Much appreciated.

did u check to see what users are running scripts? there might be a mis-set umask!?

Only one user can execute scripts on server and that's the login-less web server user/group that owns all the scripts. Does that make sense? All scripts are set to 0700 and owned by $webserverusername.$webserverusergroup

But none of the scripts ever make the system call to chmod anyway... this is really buggin me and making me wonder if I need to probe deeper into whether or not this box has been hacked... but why just chmod the cgi files? What purpose does that serve a hack? I mean, if they had that kind of access, then they'd see the cron'd script that resets the permissions when it notices them changed...

I'm going to see if it occurs on a regular basis or not and try to move on from there (i.e. every Tuesday night at 1am or something). If you think of anything else, let me know.

Also, I am installing PortSentry/HostSentry/LogSentry as well. so that could help determine what's goin on.

>> I was looking for help

I know, but you asked that in the wrong forum.

>> and got an arrogant brush off.

You were fortunate enough when I say something politely like so:
Then what, you insist you were right.

It would be ontopic if you asked "how to configure permission for cgi-bin directory" in Apache forum but you didn't.

freebsd.. are you a moderator? NO??? Then don't act like one and mind your own business. If you would like to be a moderator, then talk to the admins! Otherwise, keep it to yourself as I DON'T CARE. Get it?

Over. Out. Done. Bye Bye now. Take care. Move along, there's nothing to see here. No hard feelings, just zip it.

They asked me to be moderator dozen times but I chose not to.
Didn't I warn you when you don't listen, you'd be very sorry and you just can't survive in this community?

on and on and on... you're like the enegizer bunny... when are you gonna leave it alone man... go your way.. I go mine... done.

Besides, I have already talked with some of the admins and your behavior is well known... your reputation preceeds you I'm afraid.

It's great that you are such a well of knowledge. I respect you for that. But you seem to lack a little in the people skills department... get out and make some friends and get off that cloud man... you're just another person regardless of what you might think....

PS... you're going on the ignore list, so don't bother responding any more... ok? Let's part ways here and happy trails to you!