Security Incidents mailing list archives

Re: [CERT] Re: Compromised FBSD/Apache


From: ePAc <epac () korigan net>
Date: Mon, 25 Nov 2002 10:11:22 -0800 (PST)


lsof would be able to show you the necessary output.
It will give you files that are open, their "State" and what the process
name is, as well as their PID (and you can figure out the path with
something like "ps auxwww | grep $PID").

Here is a sample output of lsof (edited for content):

--
COMMAND    PID   USER   FD   TYPE     DEVICE    SIZE      NODE NAME
dhcpcd      49   root  cwd    DIR        3,2    4096         2 /
dhcpcd      49   root  rtd    DIR        3,2    4096         2 /
dhcpcd      49   root  txt    REG        3,2   32480   1669996 /sbin/dhcpcd
dhcpcd      49   root  mem    REG        3,2  435016     33054 /lib/ld-2.2.5.so
dhcpcd      49   root  mem    REG        3,2 5029105     33057 /lib/libc-2.2.5.so
dhcpcd      49   root    0u   CHR        1,3            360205 /dev/null
dhcpcd      49   root    1u   CHR        1,3            360205 /dev/null
dhcpcd      49   root    2u   CHR        1,3            360205 /dev/null
dhcpcd      49   root    3u  sock        0,0                40 can't identify protocol
dhcpcd      49   root    4u  IPv4         41               UDP *:bootpc
dhcpcd      49   root    5u  unix 0xcf0d4a90              1685 socket
sshd        70   root  cwd    DIR        3,2    4096         2 /
sshd        70   root  rtd    DIR        3,2    4096         2 /
sshd        70   root  txt    REG        3,2  290208   2226684 /usr/sbin/sshd
sshd        70   root  mem    REG        3,2  435016     33054 /lib/ld-2.2.5.so
sshd        70   root  mem    REG        3,2   43172     33078 /lib/libutil-2.2.5.so
sshd        70   root  mem    REG        3,2   55668    589606 /usr/lib/libz.so.1.1.4
sshd        70   root  mem    REG        3,2  353351     33065 /lib/libnsl-2.2.5.so
sshd        70   root  mem    REG        3,2  757368    589303 /usr/lib/libcrypto.so.0.9.6
sshd        70   root  mem    REG        3,2   70355     33058 /lib/libcrypt-2.2.5.so
sshd        70   root  mem    REG        3,2 5029105     33057 /lib/libc-2.2.5.so
sshd        70   root  mem    REG        3,2   61247     33062 /lib/libdl-2.2.5.so
sshd        70   root    0u   CHR        1,3            360205 /dev/null
sshd        70   root    1u   CHR        1,3            360205 /dev/null
sshd        70   root    2u   CHR        1,3            360205 /dev/null
sshd        70   root    3u  IPv4         76               TCP *:ssh (LISTEN)
<... SNIP ...>
dhcpd      178   root  cwd    DIR        3,2    4096   1735010 /root
dhcpd      178   root  rtd    DIR        3,2    4096         2 /
dhcpd      178   root  txt    REG        3,2  464340   2226663 /usr/sbin/dhcpd
dhcpd      178   root  mem    REG        3,2  435016     33054 /lib/ld-2.2.5.so
dhcpd      178   root  mem    REG        3,2 5029105     33057 /lib/libc-2.2.5.so
dhcpd      178   root  mem    REG        3,2   18756     33067 /lib/libnss_db-2.2.so
dhcpd      178   root  mem    REG        3,2  233089     33069 /lib/libnss_files-2.2.5.so
dhcpd      178   root  mem    REG        3,2  494600     33059 /lib/libdb-3.1.so
dhcpd      178   root    0w   REG        3,2    1510   1212044 /var/state/dhcp/dhcpd.leases
dhcpd      178   root    3u  unix 0xcedba0a0               197 socket
dhcpd      178   root    4u   raw                          198 00000000:0001->00000000:0000 st=07
dhcpd      178   root    7u  IPv4        201               UDP *:bootps
<... SNIP ...>
lsof      2369   root  cwd    DIR        3,2    4096   1735010 /root
lsof      2369   root  rtd    DIR        3,2    4096         2 /
lsof      2369   root  txt    REG        3,2   89712    556931 /usr/bin/lsof
lsof      2369   root  mem    REG        3,2  435016     33054 /lib/ld-2.2.5.so
lsof      2369   root  mem    REG        3,2 5029105     33057 /lib/libc-2.2.5.so
lsof      2369   root    0u   CHR        4,2            360329 /dev/tty2
lsof      2369   root    1w   REG        3,2       0   1735946 /root/lsof.output
lsof      2369   root    2u   CHR        4,2            360329 /dev/tty2
lsof      2369   root    3r   DIR        0,3       0         1 /proc
lsof      2369   root    4r   DIR        0,3       0 155254792 /proc/2369/fd
lsof      2369   root    5w  FIFO        0,6             12122 pipe
lsof      2369   root    6r  FIFO        0,6             12123 pipe
lsof      2370   root  cwd    DIR        3,2    4096   1735010 /root
lsof      2370   root  rtd    DIR        3,2    4096         2 /
lsof      2370   root  txt    REG        3,2   89712    556931 /usr/bin/lsof
lsof      2370   root  mem    REG        3,2  435016     33054 /lib/ld-2.2.5.so
lsof      2370   root  mem    REG        3,2 5029105     33057 /lib/libc-2.2.5.so
lsof      2370   root    4r  FIFO        0,6             12122 pipe
lsof      2370   root    7w  FIFO        0,6             12123 pipe



I hope this helps...

Jok

On Fri, 22 Nov 2002, Thomas C. Meggs wrote:

Date: Fri, 22 Nov 2002 11:28:21 -0500
From: Thomas C. Meggs <tom () plik net>
To: Micheal Patterson <micheal () cancercare net>
Cc: incidents () securityfocus com
Subject: [CERT] Re: Compromised FBSD/Apache

Hi,

Out of curiosity what is the Linux and Solaris equivalents for doing
this? I did a quick check under Linux and didn't see any similarly named
programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!

Regards,
Tom

Micheal Patterson wrote:


----- Original Message -----
From: "Greg A. Woods"
To: "Greg S. Wirth"
Cc:
Sent: Monday, November 18, 2002 11:49 AM
Subject: Re: Compromised FBSD/Apache



[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]

Subject: Compromised FBSD/Apache

Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.

"fstat" is your friend -- it can tell you which process holds the
listening socket descriptor.  On FreeBSD you have to use 'netstat -aAn'
first to find the address of the protocol control block (PCB), and then
grep for that in the output of 'fstat'.  For example:

12:44 [6] $ netstat -aAn | fgrep '*.80'
c49e0a40 tcp4       0      0  *.80               *.*                    LISTEN
12:44 [7] $ fstat | fgrep c49e0a40
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40


--
Greg A. Woods
+1 416 218-0098;
Planix, Inc.; VE3TCP; Secrets of the Weird



--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



"sockstat" on later versions of FreeBSD will also show you the daemon
running on the port.

micheal@/>sockstat |more
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd     62252    5 tcp4   192.168.1.1:22        192.168.1.2:3777
root     sshd       207    4 tcp4   *:22                  *:*


--

Micheal Patterson
Network Administration
Cancer Care Network





---
Nothing is foolproof to a sufficiently talented fool...
  oo
,(..)\
  ~~
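The advice in this thread (lsof on Linux, fstat and sockstat on FreeBSD) comes down to one task: take a listening port that should not be there and map it back to the COMMAND, PID and executable that own it. The shell script below is an added example, not code from any poster. It parses the plain lsof listing format shown above (assumed to come from `lsof -nP`, so hosts and ports are numeric) over a constructed sample, reports every TCP listener whose port is not on an allow-list of ports expected on the host, and pulls the executable path and working directory from the process's `txt` and `cwd` rows, which is what exposes a process that borrowed a legitimate daemon's name. The sample data, the port allow-list and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the plain lsof listing format
# (assumed produced with "lsof -nP": numeric hosts and ports) to tie each
# listening TCP port back to its owning COMMAND, PID, executable and cwd.

# Constructed sample in the same column layout as the lsof output in the thread.
# PID 4471 is a constructed suspicious entry: it calls itself "httpd" but its
# executable lives under /tmp and it listens on 127/tcp, the port from the
# original report.
SAMPLE_LSOF='COMMAND    PID   USER   FD   TYPE     DEVICE    SIZE      NODE NAME
sshd        70   root  txt    REG        3,2  290208   2226684 /usr/sbin/sshd
sshd        70   root    3u  IPv4         76               TCP *:22 (LISTEN)
httpd      312    www  cwd    DIR        3,2    4096         2 /
httpd      312    www  txt    REG        3,2  512000   2226700 /usr/local/sbin/httpd
httpd      312    www    4u  IPv4        410               TCP *:80 (LISTEN)
httpd      312    www    9u  IPv4        412               TCP 192.0.2.10:80->198.51.100.7:51234 (ESTABLISHED)
httpd     4471    www  cwd    DIR        3,2    4096     90001 /tmp/.x
httpd     4471    www  txt    REG        3,2   18240     90002 /tmp/.x/httpd
httpd     4471    www    3u  IPv4       9981               TCP *:127 (LISTEN)
dhcpd      178   root    7u  IPv4        201               UDP *:67'

# list_tcp_listeners: lsof output on stdin -> one "command pid user local-addr"
# line per TCP socket in LISTEN state. Established sockets and UDP are skipped.
list_tcp_listeners() {
    awk 'NF >= 3 && $(NF-2) == "TCP" && $NF == "(LISTEN)" { print $1, $2, $3, $(NF-1) }'
}

# unexpected_listeners "21 22 80": lsof output on stdin -> listeners whose
# port is not in the space-separated allow-list of ports expected on this host.
unexpected_listeners() {
    allowed="$1"
    list_tcp_listeners | while read -r cmd pid user addr; do
        port="${addr##*:}"            # strip everything up to the last ':'
        case " $allowed " in
            *" $port "*) ;;           # expected port, say nothing
            *) echo "$cmd $pid $user $addr" ;;
        esac
    done
}

# path_of_pid PID KIND: lsof output on stdin -> NAME column of the given
# PID's "txt" (executable) or "cwd" (working directory) row.
# Uses the last field, so a path containing spaces would be truncated.
path_of_pid() {
    awk -v pid="$1" -v kind="$2" '$2 == pid && $4 == kind { print $NF; exit }'
}

# report ALLOWED: run the checks over the constructed sample and print one
# line per unexpected listener, enriched with its executable and cwd.
report() {
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "$1" |
    while read -r cmd pid user addr; do
        exe=$(printf '%s\n' "$SAMPLE_LSOF" | path_of_pid "$pid" txt)
        cwd=$(printf '%s\n' "$SAMPLE_LSOF" | path_of_pid "$pid" cwd)
        echo "unexpected listener $addr: $cmd pid=$pid user=$user exe=$exe cwd=$cwd"
    done
}

report "21 22 80"
# On a live Linux host, feed real data instead of the sample, e.g.
#   lsof -nP | unexpected_listeners "21 22 80"
```

The `txt` and `cwd` rows are the point of parsing the full listing rather than only the socket lines: a process name is whatever the program chose to call itself, but the executable path and working directory that lsof reports are harder to disguise, and a daemon running out of `/tmp` or `/root` deserves a look regardless of its name. On a modern Linux host `ss -ltnp` prints listening TCP sockets with their owning process directly, which is the short answer to Tom's question in the thread.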



