Security Incidents mailing list archives

Re: Compromised FBSD/Apache


From: "Thomas C. Meggs" <tom () plik net>
Date: Fri, 22 Nov 2002 11:28:21 -0500

Hi,

Out of curiosity, what are the Linux and Solaris equivalents for doing this? I did a quick check under Linux and didn't see any similarly named programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!

Regards,
Tom

Micheal Patterson wrote:

----- Original Message -----
From: "Greg A. Woods"
To: "Greg S. Wirth"
Cc:
Sent: Monday, November 18, 2002 11:49 AM
Subject: Re: Compromised FBSD/Apache

>[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]

>>Subject: Compromised FBSD/Apache
>>
>>Hello...
>>November 14, 2002 I noticed a service running on port 127/tcp.
>>The box runs only Apache, no SSL.
>>Only open ports before this were 21/22/80
>>PHP was installed 5 days prior to this.
>>PHP runs in safemode.
>>I run netstat -an every morning, which is how I found the issue.
>
>"fstat" is your friend -- it can tell you which process holds the
>listening socket descriptor.  On FreeBSD you have to use 'netstat -aAn'
>first to find the address of the protocol control block (PCB), and then
>grep for that in the output of 'fstat'.  For example:
>
>12:44 [6] $ netstat -aAn | fgrep '*.80'
>c49e0a40 tcp4 0 0 *.80 *.* LISTEN
>12:44 [7] $ fstat | fgrep c49e0a40
>wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
>
>--
>Greg A. Woods
>+1 416 218-0098;            ;
>Planix, Inc. ; VE3TCP; Secrets of the Weird
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>


"sockstat" on later versions of FreeBSD will also show you the daemon
running on the port.

micheal@/>sockstat |more
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd     62252    5 tcp4   192.168.1.1:22        192.168.1.2:3777
root     sshd       207    4 tcp4   *:22                  *:*


--

Micheal Patterson
Network Administration
Cancer Care Network
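The 'netstat -aAn' / 'fstat' pairing above finds the owner of a listening socket by matching the kernel's protocol control block address in both outputs. On Linux the same lookup keys on the socket inode instead: /proc/net/tcp lists every TCP socket with its state and inode, and each process's /proc/<pid>/fd/ directory holds symlinks that read socket:[inode]. The script below is an added example written for this archive page, not code posted by anyone in the thread; the /proc/net/tcp table it parses in sample_table is constructed (the 127.0.0.1:127 listener in it mirrors the port from the original report), and the --live mode walks the real kernel tables. The same walk is what 'ss -ltnp', 'netstat -tlnp' and 'lsof -i -P' do on Linux; on Solaris, 'pfiles <pid>' lists a process's open sockets, so the search runs per process rather than per socket.

```shell
#!/bin/sh
# Added example (not from the thread): map a listening TCP socket to its
# owning process on Linux by correlating the socket inode in /proc/net/tcp
# with the socket:[inode] symlinks in /proc/<pid>/fd. This is the Linux
# counterpart of matching the PCB address between 'netstat -aAn' and 'fstat'.

# Decode one "AABBCCDD:PPPP" field from /proc/net/tcp into dotted-quad:port.
# The kernel prints the IPv4 address in host (little-endian) byte order, so
# the last hex pair is the first octet.
decode_addr() {
    hex=${1%%:*}
    port=${1##*:}
    o1=$(printf '%s' "$hex" | cut -c7-8)
    o2=$(printf '%s' "$hex" | cut -c5-6)
    o3=$(printf '%s' "$hex" | cut -c3-4)
    o4=$(printf '%s' "$hex" | cut -c1-2)
    printf '%d.%d.%d.%d:%d\n' "$((0x$o1))" "$((0x$o2))" "$((0x$o3))" "$((0x$o4))" "$((0x$port))"
}

# Print "local-address:port inode" for every LISTEN entry (state 0A) in a
# /proc/net/tcp-format table. Argument: path to the table, "-" for stdin,
# default the live kernel table. Field 2 is the local address, field 10 the inode.
list_listeners() {
    awk 'NR > 1 && $4 == "0A" { print $2, $10 }' "${1:-/proc/net/tcp}" |
    while read -r local inode; do
        printf '%s %s\n' "$(decode_addr "$local")" "$inode"
    done
}

# Print "pid command" for every process whose fd table holds socket:[inode].
# Other users' fd directories are only readable as root, so run this as root
# when hunting an unknown listener; an empty result then means the socket is
# held by something not visible through /proc, which is itself suspicious.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Constructed sample table: an sshd-style listener on *:22, an unexplained
# listener on 127.0.0.1:127 (the port from the original report), and one
# ESTABLISHED connection (state 01) that the LISTEN filter must drop.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:007F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:0016 0201A8C0:0EC1 01 00000000:00000000 00:00000000 00000000     0        0 24680 1 0000000000000000 20 4 30 10 -1
EOF
}

# With --live, walk the real kernel table and name the owner of each listener;
# otherwise show the parser on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    list_listeners | while read -r addr inode; do
        printf '%-22s inode %-8s ' "$addr" "$inode"
        owner=$(pid_for_inode "$inode")
        printf '%s\n' "${owner:-(no owner visible; run as root or suspect hiding)}"
    done
else
    sample_table | list_listeners -
fi
```

Run it as root with --live on a Linux host to get one line per listener with the owning PID and command line; a listener that resolves to no PID is the case to chase, since nothing visible in /proc claims the socket. The address decoder is the part people get wrong by hand: 0100007F is 127.0.0.1, not 1.0.0.127.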
