Security Incidents mailing list archives
Re: Compromised FBSD/Apache
From: Hernan Otero <bazhgo () techint net>
Date: 18 Nov 2002 13:03:05 -0000
In-Reply-To: <138174789994.20021116081144 () beldamar com>

Do this

    # fstat | grep internet | grep 127

and see what it shows you.... You can see what binary is bound to this port, and view which user is running it too.

Then it is recommended to do

    # fstat | grep internet

and take a look at all Listen and Established communications.

Netstat may be a compromised file...

Bye Bye
-H

Hello...

November 14, 2002 I noticed a service running on port 127/tcp. The box runs only Apache, no SSL. Only open ports before this were 21/22/80. PHP was installed 5 days prior to this. PHP runs in safemode.

I run netstat -an every morning, which is how I found the issue. There were no log entries that showed anything out of the ordinary. Users have access to FTP only. Connections to port 127 are being blocked by the firewall.

If anyone would like more information, feel free to contact me.

Enjoy the day.

--------------------------------

    httpd 186 root 18u IPv4 0xc82d4600 0t0 TCP *:locus-con (LISTEN)
    httpd 186 root 19u IPv4 0xc82d43e0 0t0 TCP 111-145-58-66-cable.anchorageak.net:http (LISTEN)

BOX DETAILS:

    # uname -a
    FreeBSD 4.7-STABLE #0: Tue Oct 22 09:09:45 AKDT 2002

    # ./httpd -v
    Server version: Apache/1.3.28-dev (Unix)
    Server built: Nov 10 2002 08:35:06

    # netstat -an
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  66.58.145.111.80       *.*                    LISTEN
    tcp4       0      0  *.127                  *.*                    LISTEN
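
Added example (not part of either message): a shell function that applies the cross-check suggested in the reply to a socket listing in the format quoted in the original post, reporting every LISTEN socket whose port is not one of the expected 21/22/80. The function name, the small service-name table and the sample host name are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets outside an expected-port allowlist.
# Input lines use the listing format quoted in the original post:
#   command pid user fd type device offset proto address (state)

# Ports the post says were open before the incident (FTP, SSH, HTTP).
EXPECTED_PORTS="21 22 80"

# Constructed sample: the two LISTEN lines from the post, host name replaced.
SAMPLE='httpd 186 root 18u IPv4 0xc82d4600 0t0 TCP *:locus-con (LISTEN)
httpd 186 root 19u IPv4 0xc82d43e0 0t0 TCP host.example.net:http (LISTEN)'

# Print "command pid user port" for each LISTEN socket on an unexpected port.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_PORTS" '
        BEGIN {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
            # Service names as listed in /etc/services (subset for the sample).
            svc["ftp"] = 21; svc["ssh"] = 22; svc["http"] = 80
            svc["locus-con"] = 127
        }
        $NF == "(LISTEN)" {
            port = $(NF - 1)
            sub(/^.*:/, "", port)             # keep the text after the last colon
            if (port in svc) port = svc[port] # map a service name to its number
            # Unknown names stay as text and are reported, never silently passed.
            if (!(port in ok)) print $1, $2, $3, port
        }'
}

# Stand-alone run on the sample listing.
unexpected_listeners "$SAMPLE"
```

The process name in the first column is taken from the listing as-is, so the report shows which binary and which user own the unexpected listener.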