Security Incidents mailing list archives
Re: Compromised FBSD/Apache
From: Skip Carter <skip () taygeta com>
Date: Mon, 25 Nov 2002 10:08:36 -0800
Out of curiosity what is the Linux and Solaris equivalents for doing this? I did a quick check under Linux and didn't see any similarly named programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!
"fstat" is your friend -- it can tell you which process holds the listening socket descriptor. On FreeBSD you have to use 'netstat -aAn' first to find the address of the protocol control block (PCB), and then grep for that in the output of 'fstat'. For example:

    12:44 [6] $ netstat -aAn | fgrep '*.80'
    c49e0a40 tcp4 0 0 *.80 *.* LISTEN
    12:44 [7] $ fstat | fgrep c49e0a40
    wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
For Linux you can use 'fuser' as an equivalent:

    fuser -n tcp 80

returns a list of processes that have TCP port 80 open.

'lsof' ('list of open files') is also suitable for doing this and is available on practically any *nix OS.

    lsof -n | grep TCP | grep http

Skip

--
Dr. Everett (Skip) Carter    Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.      INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314  WWW: http://www.taygeta.com
Monterey, CA. 93940
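The same two-step join on Linux (find the socket's kernel identifier, then find the process holding a descriptor for it), as an added example that is not part of the original message. It reads the socket inode from /proc/net/tcp where the FreeBSD session uses the PCB address. The function names and the sample table are constructed for illustration, and the /proc layout is assumed to be the standard Linux one.

```python
import os
import re

LISTEN = "0A"  # hex state code for TCP LISTEN in /proc/net/tcp

def listening_inodes(text, port):
    """Return the socket inodes of sockets listening on `port`."""
    inodes = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        # f[1] = local HEXADDR:HEXPORT, f[3] = state, f[9] = socket inode
        if len(f) > 9 and f[3] == LISTEN and int(f[1].rsplit(":", 1)[1], 16) == port:
            inodes.add(f[9])
    return inodes

def _comm(proc_root, pid):
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"

def owners(inodes, proc_root="/proc"):
    """Return sorted (pid, command, fd) for descriptors pointing at `inodes`."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable without root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and m.group(1) in inodes:
                found.append((int(pid), _comm(proc_root, pid), int(fd)))
    return sorted(found)

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
"""

if __name__ == "__main__":
    print(listening_inodes(SAMPLE, 80))      # constructed data
    if os.path.exists("/proc/net/tcp"):      # live Linux host, IPv4 table only
        with open("/proc/net/tcp") as fh:
            print(owners(listening_inodes(fh.read(), 80)))
```

Listeners bound on IPv6 appear in /proc/net/tcp6, which uses the same columns; without root, descriptors of other users' processes are not readable and those owners are silently skipped.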