Security Incidents mailing list archives

Re: Compromised FBSD/Apache


From: Skip Carter <skip () taygeta com>
Date: Mon, 25 Nov 2002 10:08:36 -0800


> Out of curiosity what are the Linux and Solaris equivalents for doing
> this? I did a quick check under Linux and didn't see any similarly named
> programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!

"fstat" is your friend -- it can tell you which process holds the
listening socket descriptor.  On FreeBSD you have to use 'netstat -aAn'
first to find the address of the protocol control block (PCB), and then
grep for that in the output of 'fstat'.  For example:

12:44 [6] $ netstat -aAn | fgrep '*.80'
c49e0a40 tcp4       0      0  *.80               *.*                    LISTEN
12:44 [7] $ fstat | fgrep c49e0a40
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40

For Linux you can use 'fuser' as an equivalent:

        fuser -n tcp 80
returns a list of processes that have TCP port 80 open.

'lsof' ('list of open files') is also suitable for doing this and is available
on practically any *nix OS.

        lsof -n | grep TCP | grep http



Skip


-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
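Added example, not part of Skip's post: the FreeBSD two-step lookup (PCB address from 'netstat -aAn', then the owning process from 'fstat') as a small POSIX shell script. It runs here against constructed netstat/fstat output modelled on the lines above; the who_listens_live function applies the same two steps to a running FreeBSD host.

```shell
#!/bin/sh
# Constructed sample output, modelled on the post; not captured from a real host.
NETSTAT_SAMPLE='c49e0a40 tcp4       0      0  *.80               *.*                    LISTEN
c49e0b20 tcp4       0      0  *.22               *.*                    LISTEN
c49e0c00 tcp4       0      0  10.0.0.5.80        10.0.0.9.51234         ESTABLISHED'

FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
root     sshd         112    3* internet stream tcp c49e0b20
wwwsrvr  thttpd       137    6* internet stream tcp c49e0c00'

# pcb_for_port PORT NETSTAT_OUTPUT
# Print the PCB address (column 1) of the LISTEN socket whose local address
# ends in .PORT.  Matching on the state column avoids picking up an
# ESTABLISHED connection that merely uses the same local port.
pcb_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $7 == "LISTEN" { n = $5; sub(/.*\./, "", n); if (n == p) print $1 }'
}

# owner_of_pcb PCB FSTAT_OUTPUT
# Print "user command pid" for every descriptor referring to that PCB.
# Comparing the last field (not a loose grep) keeps the match exact; several
# lines can legitimately appear if forked workers share the socket.
owner_of_pcb() {
    printf '%s\n' "$2" | awk -v pcb="$1" '$NF == pcb { print $1, $2, $3 }'
}

# who_listens PORT: both steps against the constructed samples.
who_listens() {
    pcb=$(pcb_for_port "$1" "$NETSTAT_SAMPLE")
    [ -n "$pcb" ] || { echo "no LISTEN socket on port $1" >&2; return 1; }
    owner_of_pcb "$pcb" "$FSTAT_SAMPLE"
}

# who_listens_live PORT: the same steps on a running FreeBSD system.
# Run as root, otherwise fstat only reports your own processes.
who_listens_live() {
    pcb=$(pcb_for_port "$1" "$(netstat -aAn)")
    [ -n "$pcb" ] || { echo "no LISTEN socket on port $1" >&2; return 1; }
    owner_of_pcb "$pcb" "$(fstat)"
}

if [ $# -gt 0 ]; then who_listens_live "$1"; fi
```

Invoked as `sh script.sh 80` on a FreeBSD box it queries the live system; with no argument it only defines the functions so the sample-based who_listens can be called from the shell.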

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

