Security Incidents mailing list archives

Re: Compromised FBSD/Apache


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Tue, 19 Nov 2002 22:07:35 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 16 Nov 2002, Greg S. Wirth wrote:

> November 14, 2002 I noticed a service running on port 127/tcp.
> The box runs only Apache, no SSL.
> Only open ports before this were 21/22/80
> PHP was installed 5 days prior to this.
> PHP runs in safemode.
> I run netstat -an every morning, which is how I found the issue.

        If you think your box has been breached, then your use of any
dynamically-linked binaries (like fstat and netstat) is a lost cause. 
Your best bet is to have statically-compiled binaries on read-only media
with which you can survey your system.  For my own part, I use 'lsof -Pni'
to see what's bound to what port.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `------ Lead, follow, or get-out-of the way. ------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE92yarTqL/+mXtpucRAvgLAJ91JVft6L5ZUUi3dgklUPUrtHC9LwCgjtw0
UO2uKTbmL37VoEgZyLgP6Jw=
=AVKt
-----END PGP SIGNATURE-----
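
Added example, not part of the original message: a shell filter that reads `lsof -Pni` output and reports every listening socket whose port is not on an expected list, using the 21/22/80 baseline and the 127/tcp listener from the thread. The sample lsof lines, the process names in them and the `/mnt/cdrom` mount point are constructed assumptions.

```shell
#!/bin/sh
# Print "proto/port command pid=N" for each TCP LISTEN socket or unconnected
# UDP socket whose port is not in the space-separated allowlist passed as $1.
# Input: `lsof -Pni` output on stdin.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 9 || $1 == "COMMAND" { next }        # blank/short lines, header row
        {
            if ($NF == "(LISTEN)") {
                name = $(NF-1); proto = $(NF-2)   # NAME column, NODE column
            } else if ($(NF-1) == "UDP") {
                name = $NF; proto = "UDP"         # UDP rows carry no state field
            } else {
                next                              # established, closing, etc.
            }
            if (name ~ /->/) next                 # connected socket, not a listener
            port = name
            sub(/.*:/, "", port)                  # keep the text after the last colon
            if (!(port in ok))
                print tolower(proto) "/" port, $1, "pid=" $2
        }'
}

# Constructed sample of `lsof -Pni` output; every value here is made up.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd      201 root    3u  IPv4 0xc2f1a000      0t0  TCP *:22 (LISTEN)
inetd     233 root    4u  IPv4 0xc2f1b000      0t0  TCP *:21 (LISTEN)
httpd     310 root   16u  IPv4 0xc2f1c000      0t0  TCP *:80 (LISTEN)
httpd     311 www    16u  IPv4 0xc2f1c000      0t0  TCP *:80 (LISTEN)
sshd      402 root    5u  IPv4 0xc2f1d000      0t0  TCP 192.0.2.10:22->192.0.2.77:51514 (ESTABLISHED)
sh        977 www     3u  IPv4 0xc2f1e000      0t0  TCP *:127 (LISTEN)
EOF
}

# Demo on the constructed sample.
sample_lsof | unexpected_listeners "21 22 80"

# Live use, with lsof run from read-only media (mount point is an assumption):
#   /mnt/cdrom/bin/lsof -Pni | unexpected_listeners "21 22 80"
```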


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

