Re: Compromised FBSD/Apache
From: Micheal Patterson (micheal@cancercare.net)
Date: 11/20/02
- Previous message: ZeroBreak: "RE: Proxy server hit... Any ideas?"
- In reply to: Greg A. Woods: "Re: Compromised FBSD/Apache"
- Next in thread: Hernan Otero: "Re: Compromised FBSD/Apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Micheal Patterson" <micheal@cancercare.net>
To: <incidents@securityfocus.com>
Date: Tue, 19 Nov 2002 23:32:58 -0600
----- Original Message -----
From: "Greg A. Woods" <woods@weird.com>
To: "Greg S. Wirth" <greg@beldamar.com>
Cc: <incidents@securityfocus.com>
Sent: Monday, November 18, 2002 11:49 AM
Subject: Re: Compromised FBSD/Apache
> [ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> > Subject: Compromised FBSD/Apache
> >
> > Hello...
> > November 14, 2002 I noticed a service running on port 127/tcp.
> > The box runs only Apache, no SSL.
> > Only open ports before this were 21/22/80
> > PHP was installed 5 days prior to this.
> > PHP runs in safemode.
> > I run netstat -an every morning, which is how I found the issue.
>
> "fstat" is your friend -- it can tell you which process holds the
> listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> first to find the address of the protocol control block (PCB), and then
> grep for that in the output of 'fstat'. For example:
>
> 12:44 [6] $ netstat -aAn | fgrep '*.80'
> c49e0a40 tcp4 0 0 *.80 *.* LISTEN
> 12:44 [7] $ fstat | fgrep c49e0a40
> wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
>
>
> --
> Greg A. Woods
>
> +1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

"sockstat" on later versions of FreeBSD will also show you the daemon running on the port.

micheal@/>sockstat |more
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
root     sshd       62252 5  tcp4   192.168.1.1:22    192.168.1.2:3777
root     sshd       207   4  tcp4   *:22              *:*

--
Micheal Patterson
Network Administration
Cancer Care Network
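The netstat/fstat join that Greg describes, scripted as an added example (not code from either poster): every listening TCP socket is attributed to its owning user/command/pid, and anything outside the expected 21/22/80 set is flagged. The two command outputs are constructed samples shaped like the ones in the thread; on a live FreeBSD host substitute the real `netstat -aAn` and `fstat` output, run as root.

```shell
# Added example, not code from the thread: join FreeBSD `netstat -aAn`
# (PCB address in column 1) with `fstat` (PCB address in its last column)
# so every listening TCP port is attributed to a USER/CMD/PID. Both
# outputs are CONSTRUCTED samples; on a real host run the two commands as root.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q Local Address    Foreign Address   (state)
c49e0a40 tcp4       0      0 *.80             *.*               LISTEN
c49e0b80 tcp4       0      0 *.22             *.*               LISTEN
c49e0cc0 tcp4       0      0 *.21             *.*               LISTEN
c49e0e00 tcp4       0      0 *.127            *.*               LISTEN
c49e0f40 tcp4       0      0 192.168.1.1.22   192.168.1.2.3777  ESTABLISHED
c49e1080 udp4       0      0 *.514            *.*'

FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
root     sshd         207    4* internet stream tcp c49e0b80
root     ftpd          98    3* internet stream tcp c49e0cc0
nobody   ./httpd     3123    4* internet stream tcp c49e0e00
root     sshd       62252    5* internet stream tcp c49e0f40'

# listening_tcp NETSTAT_OUT -> "PCB PORT" per tcp* socket in LISTEN. The port is
# what follows the last '.' of the local address, so *.127 never matches *.1270.
listening_tcp() {
    printf '%s\n' "$1" | awk '$2 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($5, a, "."); print $1, a[n] }'
}

# owner_of_pcb PCB FSTAT_OUT -> "USER CMD PID" of the process holding that PCB.
owner_of_pcb() {
    printf '%s\n' "$2" | awk -v pcb="$1" '$NF == pcb { print $1, $2, $3 }'
}

# map_listeners NETSTAT_OUT FSTAT_OUT -> "PORT USER CMD PID" per listener.
# A PCB that no process claims is reported as unknown: that is itself a finding.
map_listeners() {
    listening_tcp "$1" | while read -r pcb port; do
        owner=$(owner_of_pcb "$pcb" "$2")
        printf '%s %s\n' "$port" "${owner:-unknown - -}"
    done
}

# unexpected_listeners "21 22 80" NETSTAT_OUT FSTAT_OUT -> listeners whose port
# is not in the space-separated allowlist (here the box's expected 21/22/80).
unexpected_listeners() {
    map_listeners "$2" "$3" | awk -v allow=" $1 " 'index(allow, " " $1 " ") == 0'
}

map_listeners "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE"
echo '--- listeners outside the expected set:'
unexpected_listeners "21 22 80" "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE"
```

A listener that comes back as unknown deserves the same scrutiny as an unexpected port: fstat should be able to name every socket holder on a healthy system.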