Security Incidents mailing list archives
Re: Compromised FBSD/Apache
From: woods () weird com (Greg A. Woods)
Date: Mon, 18 Nov 2002 12:49:09 -0500 (EST)
[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
Subject: Compromised FBSD/Apache Hello... November 14, 2002 I noticed a service running on port 127/tcp. The box runs only Apache, no SSL. Only open ports before this were 21/22/80 PHP was installed 5 days prior to this. PHP runs in safemode. I run netstat -an every morning, which is how I found the issue.
"fstat" is your friend -- it can tell you which process holds the listening socket descriptor. On FreeBSD you have to use 'netstat -aAn' first to find the address of the protocol control block (PCB), and then grep for that in the output of 'fstat'. For example: 12:44 [6] $ netstat -aAn | fgrep '*.80' c49e0a40 tcp4 0 0 *.80 *.* LISTEN 12:44 [7] $ fstat | fgrep c49e0a40 wwwsrvr thttpd 137 5* internet stream tcp c49e0a40 -- Greg A. Woods +1 416 218-0098; <g.a.woods () ieee org>; <woods () robohack ca> Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Compromised FBSD/Apache Greg S. Wirth (Nov 17)
- Re: Compromised FBSD/Apache Benjamin Krueger (Nov 19)
- Re: Compromised FBSD/Apache Greg A. Woods (Nov 19)
- Re: Compromised FBSD/Apache Jay D. Dyson (Nov 21)
- Re: Compromised FBSD/Apache Micheal Patterson (Nov 22)
- Re: Compromised FBSD/Apache Thomas C. Meggs (Nov 25)
- Re: Compromised FBSD/Apache Jose Nazario (Nov 25)
- Re: [CERT] Re: Compromised FBSD/Apache ePAc (Nov 25)
- Re: Compromised FBSD/Apache Adam Sampson (Nov 25)
- Re: Compromised FBSD/Apache Skip Carter (Nov 25)
- Re: Compromised FBSD/Apache Charles Blackburn (Nov 25)
- <Possible follow-ups>
- Re: Compromised FBSD/Apache Hernan Otero (Nov 20)
- Re: Compromised FBSD/Apache D.C. van Moolenbroek (Nov 21)