Security Incidents mailing list archives
RE: Compromised FBSD/Apache
From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Mon, 25 Nov 2002 20:10:16 +0200
fuser -v 80/tcp
lsof -i tcp:80
netstat -apn | egrep '^tcp.+:80'

All these work on a pure Debian GNU/Linux stable here, and give you at least the PID of the process. fuser is my favorite.

BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
Just another techie speaking for himself

> -----Original Message-----
> From: Thomas C. Meggs [mailto:tom () plik net]
> Sent: Friday, November 22, 2002 6:28 PM
> To: Micheal Patterson
> Cc: incidents () securityfocus com
> Subject: Re: Compromised FBSD/Apache
>
> Hi,
>
> Out of curiosity, what are the Linux and Solaris equivalents for doing this? I did a quick check under Linux and didn't see any similarly named programs, and the UNIX Rosetta Stone wasn't much help either.
>
> Thanks!
>
> Regards,
> Tom
>
> Micheal Patterson wrote:
>
> > ----- Original Message -----
> > From: "Greg A. Woods"
> > To: "Greg S. Wirth"
> > Cc:
> > Sent: Monday, November 18, 2002 11:49 AM
> > Subject: Re: Compromised FBSD/Apache
> >
> > > [ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> > > > Subject: Compromised FBSD/Apache
> > > >
> > > > Hello...
> > > >
> > > > November 14, 2002 I noticed a service running on port 127/tcp. The box runs only Apache, no SSL. Only open ports before this were 21/22/80. PHP was installed 5 days prior to this. PHP runs in safemode. I run netstat -an every morning, which is how I found the issue.
> > >
> > > "fstat" is your friend -- it can tell you which process holds the listening socket descriptor. On FreeBSD you have to use 'netstat -aAn' first to find the address of the protocol control block (PCB), and then grep for that in the output of 'fstat'. For example:
> > >
> > > 12:44 [6] $ netstat -aAn | fgrep '*.80'
> > > c49e0a40 tcp4       0      0  *.80                   *.*                    LISTEN
> > > 12:44 [7] $ fstat | fgrep c49e0a40
> > > wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
> > >
> > > --
> > > Greg A. Woods
> > >
> > > +1 416 218-0098; ; Planix, Inc. ; VE3TCP; Secrets of the Weird
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
> >
> > "sockstat" on later versions of FreeBSD will also show you the daemon running on the port.
> >
> > micheal@/>sockstat |more
> > USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> > root     sshd       62252 5  tcp4   192.168.1.1:22        192.168.1.2:3777
> > root     sshd       207   4  tcp4   *:22                  *:*
> >
> > --
> > Micheal Patterson
> > Network Administration
> > Cancer Care Network
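The thread combines two things a defender wants: the daily "netstat -an" check that surfaced the unexpected 127/tcp listener, and the PID attribution that fstat/sockstat (FreeBSD) or fuser/lsof/netstat -apn (Linux) give. The script below is an added example, not code from any poster; it parses Linux net-tools "netstat -apn" output (a constructed sample is embedded, not captured from a real host) and reports every TCP listener outside an allowlist together with its owning PID/program.

```shell
#!/bin/sh
# Added example, not code from the thread: attribute LISTEN sockets to PIDs
# and flag listeners outside an allowlist, using "netstat -apn" output.
# On Linux net-tools, -p only shows PID/Program for sockets you own unless
# run as root; unowned ones show "-" in that column.

# Constructed sample in Linux net-tools format (not captured from a real host).
# Port 127/tcp mirrors the unexpected listener reported in the thread.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      207/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      137/httpd
tcp        0      0 0.0.0.0:127             0.0.0.0:*               LISTEN      9231/bash
tcp        0      0 192.168.1.1:22          192.168.1.2:3777        ESTABLISHED 62252/sshd'

# owner_of_port PORT NETSTAT_OUTPUT
# Prints the PID/Program column of every TCP LISTEN socket bound to PORT.
# The local address is split on ":" and the last field taken, so IPv6
# forms such as ":::80" are handled as well as 0.0.0.0:80.
owner_of_port() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == port) print $7
    }'
}

# unexpected_listeners "ALLOWED PORTS" NETSTAT_OUTPUT
# Prints "port pid/program" for each TCP LISTEN socket whose port is not in
# the space-separated allowlist; this is the daily "netstat -an" check from
# the thread with the process attribution added.
unexpected_listeners() {
  printf '%s\n' "$2" | awk -v allowed=" $1 " '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":")
      if (index(allowed, " " a[n] " ") == 0) print a[n], $7
    }'
}

# Run against the constructed sample; on a live Linux host replace the second
# argument with "$(netstat -apn 2>/dev/null)".
unexpected_listeners "21 22 80" "$SAMPLE_NETSTAT"
```

With the sample above the run prints `127 9231/bash`, the same port the original poster found but now tied to the process holding it.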