Security Incidents mailing list archives
Re: Compromised FBSD/Apache
From: "Benjamin Krueger" <benjamin () seattlefenix net>
Date: Mon, 18 Nov 2002 05:27:20 -0800
----- Original Message -----
From: "Greg S. Wirth" <greg () beldamar com>
To: <incidents () securityfocus com>
Sent: Saturday, November 16, 2002 9:11 AM
Subject: Compromised FBSD/Apache

Hello...

November 14, 2002 I noticed a service running on port 127/tcp. The box runs only Apache, no SSL. Only open ports before this were 21/22/80
PHP was installed 5 days prior to this. PHP runs in safemode.

I run netstat -an every morning, which is how I found the issue. There were no log entries that showed anything out of the ordinary. Users have access to FTP only. Connections to port 127 are being blocked by the firewall.

If anyone would like more information, feel free to contact me. Enjoy the day.

What process is listening on the port?

sockstat | grep ':127'

Find out what the process is, who owns it, when it was started, when it was put there, and what its purpose is.

Greg S. Wirth
Anchorage, Alaska
http://rapidfx.org
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
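
Added example, not part of the original posts: a shell sketch of the check discussed above, comparing `sockstat -l` output against the 21/22/80 baseline from the report and then asking `ps` who owns a flagged process and when it started. The sample sockstat lines, including the user, command name and PIDs, are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): flag TCP listeners outside a baseline.
# Expects FreeBSD sockstat columns:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Ports the original post says were expected on this host.
BASELINE="21 22 80"

# unexpected_listeners "<allowed ports>"  < sockstat-output
# Prints "port user command pid" once per TCP listener not in the baseline.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }   # skip the header row
        $5 !~ /^tcp/ { next }              # ignore udp and unix-domain sockets
        {
            port = $6
            sub(/.*:/, "", port)           # "*:127" -> "127" (also strips IPv6 addresses)
            key = port " " $1 " " $2 " " $3
            if (!(port in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# describe_pid PID: owner, parent, start time and command line of a flagged process.
describe_pid() {
    ps -o user,pid,ppid,lstart,command -p "$1"
}

# Constructed sample input (not real data from the incident).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       112   3  tcp4   *:22                  *:*
root     inetd      98    4  tcp4   *:21                  *:*
www      httpd      230   16 tcp4   *:80                  *:*
www      httpd      231   16 tcp4   *:80                  *:*
www      a.out      4711  3  tcp4   *:127                 *:*
root     syslogd    71    4  udp4   *:514                 *:*
root     syslogd    71    3  dgram  /var/run/log
EOF
}

# Offline demonstration on the constructed sample.
sample_sockstat | unexpected_listeners "$BASELINE"
```

On a live host, replace the last line with `sockstat -l | unexpected_listeners "$BASELINE"` and pass each reported PID to `describe_pid`.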