Compromised FBSD/Apache

From: Greg S. Wirth (greg@beldamar.com)
Date: 11/16/02

    Date: Sat, 16 Nov 2002 08:11:44 -0900
    From: "Greg S. Wirth" <greg@beldamar.com>
    To: incidents@securityfocus.com
    
    

    Hello...
    November 14, 2002 I noticed a service running on port 127/tcp.
    The box runs only Apache, no SSL.
    Only open ports before this were 21/22/80
    PHP was installed 5 days prior to this.
    PHP runs in safemode.
    I run netstat -an every morning, which is how I found the issue.
    There were no log entries that showed anything out of the ordinary.
    Users have access to FTP only.
    Connections to port 127 are being blocked by the firewall.
    If anyone would like more information, feel free to contact me.
    Enjoy the day.

    --------------------------------

    httpd 186 root 18u IPv4 0xc82d4600 0t0 TCP *:locus-con (LISTEN)
    httpd 186 root 19u IPv4 0xc82d43e0 0t0 TCP 111-145-58-66-cable.anchorageak.net:http (LISTEN)

    BOX DETAILS:
    # uname -a
    FreeBSD 4.7-STABLE #0: Tue Oct 22 09:09:45 AKDT 2002

    # ./httpd -v
    Server version: Apache/1.3.28-dev (Unix)
    Server built: Nov 10 2002 08:35:06

    # netstat -an
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address Foreign Address (state)
    tcp4 0 0 66.58.145.111.80 *.* LISTEN
    tcp4 0 0 *.127 *.* LISTEN
    --------------------------------------------------------------------------

    -- 
    Greg S. Wirth
    Anchorage, Alaska
    http://rapidfx.org
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
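
The morning `netstat -an` check described in the message can be scripted so that any TCP listener outside the expected set is reported. This is an added example, not part of the original post: the function names `unexpected_listeners` and `sample_netstat` are hypothetical, the baseline 21/22/80 is taken from the message, and the sample rows other than the two quoted in the message are constructed.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not in an expected baseline.
# Parses FreeBSD-style `netstat -an` output, where the local address is
# written addr.port (for example 66.58.145.111.80 or *.127).

# unexpected_listeners "<allowed ports, space separated>"
# Reads netstat -an output on stdin, prints each unexpected port once.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only TCP rows whose last field (the state) is LISTEN
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4
            sub(/.*\./, "", port)   # keep what follows the last dot
            if (!(port in ok) && !(port in seen)) {
                seen[port] = 1
                print port
            }
        }
    ' | sort -n
}

# Sample input: the two LISTEN rows quoted in the message, plus
# constructed rows for ports 21 and 22 and one established session.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 66.58.145.111.80 *.* LISTEN
tcp4 0 0 *.127 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.21 *.* LISTEN
tcp4 0 0 66.58.145.111.22 10.0.0.5.51515 ESTABLISHED
EOF
}

# Baseline from the message: only 21, 22 and 80 were expected to be open.
BASELINE="21 22 80"

# Stand-alone run on the sample. On a live host:
#   netstat -an | unexpected_listeners "$BASELINE"
sample_netstat | unexpected_listeners "$BASELINE"
```

Run from cron with the output mailed only when non-empty, this turns the manual morning check into an alert on any new listener.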