Re: Compromised FBSD/Apache

• Previous message: Mike Cain: "Proxy server hit... Any ideas?"
• In reply to: Greg S. Wirth: "Compromised FBSD/Apache"
• Next in thread: Jay D. Dyson: "Re: Compromised FBSD/Apache"
• Reply: Micheal Patterson: "Re: Compromised FBSD/Apache"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: woods@weird.com (Greg A. Woods)
To: "Greg S. Wirth" <greg@beldamar.com>
Date: Mon, 18 Nov 2002 12:49:09 -0500 (EST)

[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> Subject: Compromised FBSD/Apache
>
> Hello...
> November 14, 2002 I noticed a service running on port 127/tcp.
> The box runs only Apache, no SSL.
> Only open ports before this were 21/22/80
> PHP was installed 5 days prior to this.
> PHP runs in safemode.
> I run netstat -an every morning, which is how I found the issue.

"fstat" is your friend -- it can tell you which process holds the
listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
first to find the address of the protocol control block (PCB), and then
grep for that in the output of 'fstat'. For example:

12:44 [6] $ netstat -aAn | fgrep '*.80'
c49e0a40 tcp4 0 0 *.80 *.* LISTEN
12:44 [7] $ fstat | fgrep c49e0a40
wwwsrvr thttpd 137 5* internet stream tcp c49e0a40

-- 
								Greg A. Woods
+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: Oliver Friedrichs: "DeepSight Analyzer 4.0 Announcement"
• Previous message: Mike Cain: "Proxy server hit... Any ideas?"
• In reply to: Greg S. Wirth: "Compromised FBSD/Apache"
• Next in thread: Jay D. Dyson: "Re: Compromised FBSD/Apache"
• Reply: Micheal Patterson: "Re: Compromised FBSD/Apache"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Wnidows Server 2003 - I need help in getting the Connection Co ... command if already running. ... it fires off the netstat command for you, sending the results from that to ... another file which your PHP process can access. ... requires administator access we are get file permison problems - ANY IDEAS ... (microsoft.public.windowsmedia.server) RE: php module for apache not working ... And you are not newbie. ... Download PHP Source ... Do you thin a newbie would understand that? ... I asked him to 'netstat -taupe' before. ... (Ubuntu) Re: Multithreading for standalone php ... I'm working on a project that will need to connect to 2 different servers and to speed things up (being ssl) I was hoping to be able to do this simultaneously. ... I need my web visitor to hit a button and be able to enter information on another server while at the same time my system is looking up data ... Would this be the sort of thing possible with PHP or would it have to use threads? ... You probably could still spawn a C/C++ program to do the database work, but I'm not sure it's worth the extra effort and complications. ... (comp.lang.php) Re: PHP and SSL Path Reference ... > I am trying to implement SSL with PHP. ... > script works fine. ... > script does display the contents of the reference. ... (php.general) Re: fread using 99% CPU in Windows with SSL Connection ... I've tried upgrading PHP ... When you run pingtimer.php using SSL, ... When you run it using clean sockets, ... decrypt the SSL data ... (comp.lang.php)