Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Compromised FBSD/Apache

From: "Greg S. Wirth" <greg () beldamar com>
Date: Sat, 16 Nov 2002 08:11:44 -0900
Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.
There were no log entries that showed anything out of the ordinary.
Users have access to FTP only.
Connections to port 127 are being blocked by the firewall.
If anyone would like more information, feel free to contact me.
Enjoy the day.

--------------------------------

httpd     186   root   18u  IPv4 0xc82d4600        0t0     TCP *:locus-con (LISTEN)
httpd     186   root   19u  IPv4 0xc82d43e0        0t0     TCP 111-145-58-66-cable.anchorageak.net:http (LISTEN)

BOX DETAILS:
# uname -a
FreeBSD 4.7-STABLE #0: Tue Oct 22 09:09:45 AKDT 2002

# ./httpd -v
Server version: Apache/1.3.28-dev (Unix)
Server built:   Nov 10 2002 08:35:06

# netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  66.58.145.111.80       *.*                    LISTEN
tcp4       0      0  *.127                  *.*                    LISTEN
--------------------------------------------------------------------------

-- 
Greg S. Wirth
Anchorage, Alaska
http://rapidfx.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: