Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Compromised FBSD/Apache

From: "Benjamin Krueger" <benjamin () seattlefenix net>
Date: Mon, 18 Nov 2002 05:27:20 -0800
----- Original Message -----
From: "Greg S. Wirth" <greg () beldamar com>
To: <incidents () securityfocus com>
Sent: Saturday, November 16, 2002 9:11 AM
Subject: Compromised FBSD/Apache



Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.
There were no log entries that showed anything out of the ordinary.
Users have access to FTP only.
Connections to port 127 are being blocked by the firewall.
If anyone would like more information, feel free to contact me.
Enjoy the day.


What process is listening on the port?

sockstat | grep ':127'

Find out what the process is, who owns it, when it was started, when it was
put there, and what its purpose is.


Greg S. Wirth
Anchorage, Alaska
http://rapidfx.org



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: