Security Incidents mailing list archives
Re: Compromised FBSD/Apache
From: "Thomas C. Meggs" <tom () plik net>
Date: Fri, 22 Nov 2002 11:28:21 -0500
Hi,

Out of curiosity, what are the Linux and Solaris equivalents for doing this? I did a quick check under Linux and didn't see any similarly named programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!

Regards,
Tom

Micheal Patterson wrote:
----- Original Message -----
From: "Greg A. Woods"
To: "Greg S. Wirth"
Cc:
Sent: Monday, November 18, 2002 11:49 AM
Subject: Re: Compromised FBSD/Apache

> [ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> > Subject: Compromised FBSD/Apache
> >
> > Hello...
> > November 14, 2002 I noticed a service running on port 127/tcp.
> > The box runs only Apache, no SSL.
> > Only open ports before this were 21/22/80
> > PHP was installed 5 days prior to this.
> > PHP runs in safemode.
> > I run netstat -an every morning, which is how I found the issue.
>
> "fstat" is your friend -- it can tell you which process holds the
> listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> first to find the address of the protocol control block (PCB), and then
> grep for that in the output of 'fstat'. For example:
>
> 12:44 [6] $ netstat -aAn | fgrep '*.80'
> c49e0a40 tcp4 0 0 *.80 *.* LISTEN
> 12:44 [7] $ fstat | fgrep c49e0a40
> wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
>
>
> --
> Greg A. Woods
>
> +1 416 218-0098; ;
> Planix, Inc. ; VE3TCP; Secrets of the Weird
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

"sockstat" on later versions of FreeBSD will also show you the daemon running on the port.

micheal@/>sockstat |more
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 62252 5 tcp4 192.168.1.1:22 192.168.1.2:3777
root sshd 207 4 tcp4 *:22 *:*

--
Micheal Patterson
Network Administration
Cancer Care Network
Current thread:
- Compromised FBSD/Apache Greg S. Wirth (Nov 17)
- Re: Compromised FBSD/Apache Benjamin Krueger (Nov 19)
- Re: Compromised FBSD/Apache Greg A. Woods (Nov 19)
- Re: Compromised FBSD/Apache Jay D. Dyson (Nov 21)
- Re: Compromised FBSD/Apache Micheal Patterson (Nov 22)
- Re: Compromised FBSD/Apache Thomas C. Meggs (Nov 25)
- Re: Compromised FBSD/Apache Jose Nazario (Nov 25)
- Re: [CERT] Re: Compromised FBSD/Apache ePAc (Nov 25)
- Re: Compromised FBSD/Apache Adam Sampson (Nov 25)
- Re: Compromised FBSD/Apache Skip Carter (Nov 25)
- Re: Compromised FBSD/Apache Charles Blackburn (Nov 25)
- <Possible follow-ups>
- Re: Compromised FBSD/Apache Hernan Otero (Nov 20)
- Re: Compromised FBSD/Apache D.C. van Moolenbroek (Nov 21)
- increased attacks on port 2599 Esler, Joel -- Sytex Contractor (Nov 22)
- Re: increased attacks on port 2599 H C (Nov 25)
- RE: increased attacks on port 2599 Esler, Joel -- Sytex Contractor (Nov 25)