Re: Compromised FBSD/Apache
From: Thomas C. Meggs (tom@plik.net)
Date: 11/22/02
- Previous message: Etaoin Shrdlu: "Re: Proxy server hit... Any ideas?"
- In reply to: Greg S. Wirth: "Compromised FBSD/Apache"
- Next in thread: Jose Nazario: "Re: Compromised FBSD/Apache"
- Reply: Jose Nazario: "Re: Compromised FBSD/Apache"
- Reply: ePAc: "Re: [CERT] Re: Compromised FBSD/Apache"
- Reply: Adam Sampson: "Re: Compromised FBSD/Apache"
- Reply: Charles Blackburn: "Re: Compromised FBSD/Apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Nov 2002 11:28:21 -0500
From: "Thomas C. Meggs" <tom@plik.net>
To: Micheal Patterson <micheal@cancercare.net>
Hi,
Out of curiosity, what are the Linux and Solaris equivalents for doing
this? I did a quick check under Linux and didn't see any similarly named
programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!
Regards,
Tom
Micheal Patterson wrote:
>
> ----- Original Message -----
> From: "Greg A. Woods"
> To: "Greg S. Wirth"
> Cc:
> Sent: Monday, November 18, 2002 11:49 AM
> Subject: Re: Compromised FBSD/Apache
>
> >[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> 
> >>Subject: Compromised FBSD/Apache
> >>
> >>Hello...
> >>November 14, 2002 I noticed a service running on port 127/tcp.
> >>The box runs only Apache, no SSL.
> >>Only open ports before this were 21/22/80
> >>PHP was installed 5 days prior to this.
> >>PHP runs in safemode.
> >>I run netstat -an every morning, which is how I found the issue.
> >
> >"fstat" is your friend -- it can tell you which process holds the
> >listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> >first to find the address of the protocol control block (PCB), and then
> >grep for that in the output of 'fstat'. For example:
> >
> >12:44 [6] $ netstat -aAn | fgrep '*.80'
> >c49e0a40 tcp4 0 0 *.80 *.* LISTEN
> >12:44 [7] $ fstat | fgrep c49e0a40
> >wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
> >
> >--
> >Greg A. Woods
> >
> >+1 416 218-0098
> >Planix, Inc.; VE3TCP; Secrets of the Weird
> >
> >----------------------------------------------------------------------------
> >This list is provided by the SecurityFocus ARIS analyzer service.
> >For more information on this free incident handling, management
> >and tracking system please see: http://aris.securityfocus.com
> >
>
> "sockstat" on later versions of FreeBSD will also show you the daemon
> running on the port.
>
> micheal@/>sockstat |more
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root sshd 62252 5 tcp4 192.168.1.1:22 192.168.1.2:3777
> root sshd 207 4 tcp4 *:22 *:*
>
>
> --
>
> Micheal Patterson
> Network Administration
> Cancer Care Network
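The thread above gives two ways to find out which process owns a listening port on FreeBSD: correlate the protocol control block (PCB) address from `netstat -aAn` with the socket descriptors listed by `fstat`, or, where it exists, read it straight from `sockstat` (`sockstat -l` restricts the listing to listening sockets). The script below is an added example written for this page, not code posted by any participant in the thread. It implements the netstat/fstat correlation over constructed sample output in FreeBSD 4.x format so that it runs offline; on a live host the two sample variables are replaced by the real `netstat -aAn` and `fstat` output (fstat must run as root to see other users' descriptors). Two things the one-liner in the thread does not do are handled here: the local-address field is matched on its exact port rather than substring-grepped (`fgrep '*.80'` also matches `*.8080`), and a PCB that netstat lists but no fstat line claims is reported as an error, since that is the situation an intruder-planted listener can produce. For Tom's question, the same port-to-process mapping on Linux and Solaris is done by `lsof -i :80` (on Linux also `netstat -tlnp` or `ss -ltnp`).

```shell
#!/bin/sh
# Added example (not from the thread): map a listening TCP port to the process
# holding the socket via the FreeBSD "netstat -aAn -> PCB -> fstat" correlation.
# Both samples below are CONSTRUCTED in FreeBSD 4.x output format so the script
# runs offline; on a real host use NETSTAT_SAMPLE="$(netstat -aAn)" and
# FSTAT_SAMPLE="$(fstat)" (run as root).

# netstat -aAn columns: PCB Proto Recv-Q Send-Q Local-Address Foreign-Address (state)
NETSTAT_SAMPLE='c49e0a40 tcp4       0      0  *.80                   *.*                    LISTEN
c49e0b20 tcp4       0      0  *.8080                 *.*                    LISTEN
c49e0c00 tcp4       0      0  *.22                   *.*                    LISTEN
c49e0ce0 tcp4       0      0  10.0.0.5.22            10.0.0.9.3777          ESTABLISHED
c49e0dc0 tcp4       0      0  *.127                  *.*                    LISTEN
c49e0ea0 udp4       0      0  *.514                  *.*'

# fstat columns: USER CMD PID FD ...; socket descriptors end in "internet stream tcp <PCB>".
# Deliberately no line for PCB c49e0dc0 (the port 127 listener) to exercise the
# "listed by netstat, owned by nobody fstat can see" case.
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
wwwsrvr  thttpd       137    3 /                 2 drwxr-xr-x     512  r
root     sshd         207    4* internet stream tcp c49e0c00
root     sshd       62252    5* internet stream tcp c49e0ce0
root     syslogd       96    4* internet dgram udp c49e0ea0'

# pcb_for_port NETSTAT_TEXT PORT
# Prints the PCB address of every TCP socket in LISTEN state bound to PORT.
# The port is taken as the text after the last dot of the local address, so
# "*.80" matches port 80 while "*.8080" and "10.0.0.80.22" do not.
pcb_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($5, parts, ".")
            if (parts[n] == port) print $1
        }'
}

# proc_for_pcb FSTAT_TEXT PCB
# Prints "user command pid" for the descriptor whose PCB address matches.
proc_for_pcb() {
    printf '%s\n' "$1" | awk -v pcb="$2" '/internet/ && $NF == pcb { print $1, $2, $3 }'
}

# who_listens NETSTAT_TEXT FSTAT_TEXT PORT
# Returns 0 and prints the owner(s); returns 2 if nothing listens on PORT;
# returns 1 if a listening PCB exists but no process in fstat holds it.
who_listens() {
    pcbs=$(pcb_for_port "$1" "$3")
    if [ -z "$pcbs" ]; then
        echo "port $3: nothing listening" >&2
        return 2
    fi
    rc=1
    for pcb in $pcbs; do
        owner=$(proc_for_pcb "$2" "$pcb")
        if [ -n "$owner" ]; then
            echo "port $3 pcb $pcb -> $owner"
            rc=0
        else
            echo "port $3 pcb $pcb -> no process holds this socket" \
                 "(re-run fstat as root; if still unowned, distrust this host's tools)" >&2
        fi
    done
    return $rc
}

# Stand-alone demo over the constructed samples (port 127 is the unowned case,
# port 443 is the nothing-listening case).
for port in 80 8080 22 127 443; do
    who_listens "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE" "$port" || true
done
```

On a compromised host the answer "no process holds this socket" is itself a finding: either fstat lacked privilege, or the netstat/fstat binaries (or the kernel underneath them) no longer report truthfully, and the comparison should be repeated with known-good tools from read-only media.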
- Next message: Moshe Aelion: "Re: Help - a possible bot"