Re: Compromised FBSD/Apache

From: Hernan Otero (bazhgo@techint.net)
Date: 11/18/02

    Date: 18 Nov 2002 13:03:05 -0000
    From: Hernan Otero <bazhgo@techint.net>
    To: incidents@securityfocus.com
    In-Reply-To: <138174789994.20021116081144@beldamar.com>

    Do this

    #fstat | grep internet | grep 127

    and see what it shows you....

    You can see what binary is bound to this port, and view which user is running it too

    Then it is recommended to do

    #fstat | grep internet

    And take a look for all Listen and Established communications

    Netstat may be a compromised file...

    Bye Bye

    -H

    >Hello...
    >November 14, 2002 I noticed a service running on port 127/tcp.
    >The box runs only Apache, no SSL.
    >Only open ports before this were 21/22/80
    >PHP was installed 5 days prior to this.
    >PHP runs in safemode.
    >I run netstat -an every morning, which is how I found the issue.
    >There were no log entries that showed anything out of the ordinary.
    >Users have access to FTP only.
    >Connections to port 127 are being blocked by the firewall.
    >If anyone would like more information, feel free to contact me.
    >Enjoy the day.
    >
    >--------------------------------
    >
    >httpd 186 root 18u IPv4 0xc82d4600 0t0 TCP *:locus-con (LISTEN)
    >httpd 186 root 19u IPv4 0xc82d43e0 0t0 TCP 111-145-58-66-cable.anchorageak.net:http (LISTEN)
    >
    >BOX DETAILS:
    ># uname -a
    >FreeBSD 4.7-STABLE #0: Tue Oct 22 09:09:45 AKDT 2002
    >
    ># ./httpd -v
    >Server version: Apache/1.3.28-dev (Unix)
    >Server built: Nov 10 2002 08:35:06
    >
    ># netstat -an
    >Active Internet connections (including servers)
    >Proto Recv-Q Send-Q Local Address Foreign Address (state)
    >tcp4 0 0 66.58.145.111.80 *.* LISTEN
    >tcp4 0 0 *.127 *.* LISTEN

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
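The two checks Hernan describes, finding which binary and user own the socket on a given port and cross-checking the listeners fstat reports against what netstat admits to, written up as an added example; this is not code from the original thread. It runs against constructed samples in the style of FreeBSD 4.x `fstat` and `netstat -an` output (the field positions assumed below match that format, not necessarily other systems), and the netstat sample deliberately omits the port-127 listener to mimic a trojaned netstat.

```shell
#!/bin/sh
# Constructed sample in the style of FreeBSD `fstat` (USER CMD PID FD MOUNT ...);
# socket lines carry "internet <type> <proto> <pcb> <local> [<-> <remote>]".
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     httpd        186   18* internet stream tcp c82d4600 *:127
root     httpd        186   19* internet stream tcp c82d43e0 66.58.145.111:80
root     sshd          92    3* internet stream tcp c82d1100 *:22
root     inetd         75    4* internet stream tcp c82d2200 *:21
www      httpd        190   19* internet stream tcp c82d4500 66.58.145.111:80 <-> 203.0.113.9:40211
root     syslogd       66    4* internet dgram udp c82d0a00 *:514'

# Constructed sample in the style of `netstat -an`; the *.127 listener is
# missing on purpose, as it would be if netstat itself had been replaced.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 66.58.145.111.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.21 *.* LISTEN
udp4 0 0 *.514 *.*'

# fstat_port PORT [FSTAT_OUTPUT]
# Print "user cmd pid" for every internet socket whose local end is PORT.
# Without a second argument the live `fstat` output is used (run as root).
fstat_port() {
    port=$1
    input=${2:-$(fstat 2>/dev/null)}
    printf '%s\n' "$input" | awk -v p="$port" '
        $5 == "internet" {
            # field 9 is the local endpoint, e.g. *:127 or 66.58.145.111:80
            n = split($9, a, ":")
            if (a[n] == p) print $1, $2, $3
        }'
}

# listening_ports_fstat FSTAT_OUTPUT
# Local ports of sockets with no remote peer (no "<->"), sorted numerically.
listening_ports_fstat() {
    printf '%s\n' "$1" | awk '
        $5 == "internet" && $0 !~ /<->/ { n = split($9, a, ":"); print a[n] }' | sort -un
}

# listening_ports_netstat NETSTAT_OUTPUT
# Local ports of LISTEN tcp sockets plus all udp sockets, sorted numerically.
listening_ports_netstat() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }
        $1 ~ /^udp/                    { n = split($4, a, "."); print a[n] }' | sort -un
}

# hidden_ports FSTAT_OUTPUT NETSTAT_OUTPUT
# Ports that fstat sees bound but netstat does not report: a discrepancy here
# means one of the two tools (usually netstat) is lying.
hidden_ports() {
    f=$(listening_ports_fstat "$1")
    n=" $(listening_ports_netstat "$2" | tr '\n' ' ') "
    for p in $f; do
        case "$n" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Demo on the constructed samples (prints "root httpd 186" and then "127").
fstat_port 127 "$FSTAT_SAMPLE"
hidden_ports "$FSTAT_SAMPLE" "$NETSTAT_SAMPLE"
```

On a live host the same cross-check is `fstat | grep internet` next to `netstat -an`, both run as root. A port present in one listing and absent from the other points at a replaced binary; if the two agree, that is only evidence that userland is consistent, since a kernel-level rootkit can hide a socket from both, so the last word belongs to a port scan from another machine and to comparing the binaries against a known-good copy from the install media.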
