Re: Compromised FBSD/Apache
From: Benjamin Krueger (benjamin@seattlefenix.net)
Date: 11/18/02
- Previous message: Greg S. Wirth: "Compromised FBSD/Apache"
- In reply to: Greg S. Wirth: "Compromised FBSD/Apache"
- Next in thread: Greg A. Woods: "Re: Compromised FBSD/Apache"
From: "Benjamin Krueger" <benjamin@seattlefenix.net>
To: "Greg S. Wirth" <greg@beldamar.com>
Date: Mon, 18 Nov 2002 05:27:20 -0800
----- Original Message -----
From: "Greg S. Wirth" <greg@beldamar.com>
To: <incidents@securityfocus.com>
Sent: Saturday, November 16, 2002 9:11 AM
Subject: Compromised FBSD/Apache
> Hello...
> November 14, 2002 I noticed a service running on port 127/tcp.
> The box runs only Apache, no SSL.
> Only open ports before this were 21/22/80
> PHP was installed 5 days prior to this.
> PHP runs in safemode.
> I run netstat -an every morning, which is how I found the issue.
> There were no log entries that showed anything out of the ordinary.
> Users have access to FTP only.
> Connections to port 127 are being blocked by the firewall.
> If anyone would like more information, feel free to contact me.
> Enjoy the day.
What process is listening on the port?
sockstat | grep ':127'
Find out what the process is, who owns it, when it was started, when it was
put there, and what its purpose is.
> Greg S. Wirth
> Anchorage, Alaska
> http://rapidfx.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
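
Added example, not part of the original message: a grep for ':127' also matches ports such as 1270, so this script filters sockstat output on the exact local port and then prints owner, start time and command line for each PID it finds. The sample output and the function names listeners_on_port and describe_pid are constructed for illustration; the column layout assumed is FreeBSD's USER COMMAND PID FD PROTO LOCAL FOREIGN.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output (not from the affected host).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
www      httpd      4471  16 tcp4   *:80                  *:*
www      httpd      9120  5  tcp4   *:127                 *:*
root     syslogd    201   6  udp4   *:1270                *:*
root     ftpd       330   0  tcp4   192.0.2.10:21         *:*'

# listeners_on_port PORT (hypothetical helper): read sockstat output on stdin and
# print "user command pid proto local" for sockets whose local port is exactly PORT.
listeners_on_port() {
    awk -v port="$1" '
        NR == 1 && $1 == "USER" { next }      # skip the header row
        {
            # The port is whatever follows the last ":" (also true for IPv6 addresses).
            n = split($6, a, ":")
            if (a[n] == port) print $1, $2, $3, $5, $6
        }'
}

# describe_pid PID (hypothetical helper): owner, parent, start time and command line;
# on FreeBSD, procstat -b additionally reports the path of the running binary.
describe_pid() {
    ps -o user,pid,ppid,lstart,command -p "$1"
    if command -v procstat >/dev/null 2>&1; then
        procstat -b "$1"
    fi
}

if command -v sockstat >/dev/null 2>&1; then
    # Live host: walk every listener on port 127 and describe its process.
    sockstat -4 -6 -l | listeners_on_port 127 |
    while read -r user cmd pid proto local; do
        echo "== $cmd (pid $pid, user $user) listening on $proto $local"
        describe_pid "$pid"
    done
else
    # No sockstat available: demonstrate the filter on the constructed sample.
    printf '%s\n' "$SAMPLE" | listeners_on_port 127
fi
```

On a host already suspected of compromise, ps and sockstat themselves may have been replaced, so run known-good copies (for example from read-only media) where possible.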