[pmwiki-users] Wiki vandalism via chgrp?

Ben Stallings ben at interdependentweb.com
Tue Aug 14 07:50:13 CDT 2007


I just had a site vandalized via a new method I hadn't seen before, and
which the hosting service was incredulous of.

The entire site's group ownership (this being a UNIX system) was changed 
to "igsvirt".  Then all of the wiki.d files (which are group writable) 
were overwritten with identical HTML code.  Of course PmWiki didn't 
display the HTML, so the site now appears to be a blank template.

It may be relevant that the HTML contains links to a domain name 
registered in Turkey, and the volunteer who had been working on the site 
has an ex-husband in Turkey, and it's possible that the password on the 
account hasn't been changed since the breakup.  She doesn't have the FTP 
password (not being the account owner), but he might for all I know. 
I'll check into that.  But if he has the password, then why bother to 
change the group ownership, and only change the files that are group 
writable?

Is it conceivable that another user on the same system (this being a 
shared host) could have used the chgrp command to gain access to the 
files?  Or is chgrp pretty well locked down?  Ideas welcome.  Thanks! 
--Ben S
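
A read-only triage check for the symptoms described in the post above (unexpected group ownership, group-writable page files, and many page files sharing identical content), given as an added example that is not part of the original message or of PmWiki. The function name `audit_wiki_d`, the report keys and the `min_identical` threshold are assumptions made for illustration.

```python
import hashlib
import os
import stat
from collections import defaultdict


def audit_wiki_d(path, expected_gid, min_identical=3):
    """Inspect a wiki.d directory without modifying it (hypothetical helper).

    Reports regular files whose group differs from expected_gid, files that
    are writable by group or other, and sets of min_identical or more files
    with byte-identical content (the mass-overwrite symptom).
    """
    report = {"wrong_group": [], "writable_by_group_or_other": [],
              "identical_content": []}
    by_hash = defaultdict(list)
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat: do not follow symlinks planted in wiki.d
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_gid != expected_gid:
            report["wrong_group"].append(name)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["writable_by_group_or_other"].append(name)
        with open(full, "rb") as fh:
            by_hash[hashlib.sha256(fh.read()).hexdigest()].append(name)
    # Genuine page files differ from one another, so a large set of
    # identical files points at a bulk overwrite.
    for names in by_hash.values():
        if len(names) >= min_identical:
            report["identical_content"].append(names)
    return report


if __name__ == "__main__":
    import grp
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <path-to-wiki.d> <expected-group-name>")
    gid = grp.getgrnam(sys.argv[2]).gr_gid
    for kind, items in audit_wiki_d(sys.argv[1], gid).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Comparing the modification times of the flagged files against the host's FTP and web server logs is the natural next step, since the script only reports current state.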
