Re: Compromised FBSD/Apache

[Hernan Otero <bazhgo () techint net>]

In-Reply-To: <138174789994.20021116081144 () beldamar com>

Do this

#fstat | grep internet | grep 127

and see what it show you....

You can see wath binary is bind to this port, and  view wich user is running it too

Then is recomended do 

#fstat | grep internet 

And take a look for all Listen and Established communications

Netstat may be a compromised file...

Bye Bye

-H



> Hello...
> November 14, 2002 I noticed a service running on port 127/tcp.
> The box runs only Apache, no SSL.
> Only open ports before this were 21/22/80
> PHP was installed 5 days prior to this.
> PHP runs in safemode.
> I run netstat -an every morning, which is how I found the issue.
> There were no log entries that showed anything out of the ordinary.
> Users have access to FTP only.
> Connections to port 127 are being blocked by the firewall.
> If anyone would like more information, feel free to contact me.
> Enjoy the day.
>
> --------------------------------
>
> httpd     186   root   18u  IPv4 0xc82d4600        0t0     TCP *:locus-con (LISTEN)
> httpd     186   root   19u  IPv4 0xc82d43e0        0t0     TCP 111-145-58-66-cable.anchorageak.net:http (LISTEN)
>
> BOX DETAILS:
> # uname -a
> FreeBSD 4.7-STABLE #0: Tue Oct 22 09:09:45 AKDT 2002
>
> # ./httpd -v
> Server version: Apache/1.3.28-dev (Unix)
> Server built:   Nov 10 2002 08:35:06
>
> # netstat -an
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  66.58.145.111.80       *.*                    LISTEN
> tcp4       0      0  *.127                  *.*                    LISTEN

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com