RE: Compromised FBSD/Apache
From: Boyan Krosnov (bkrosnov@lirex.bg)
Date: 11/25/02
- Previous message: Adam Sampson: "Re: Compromised FBSD/Apache"
- Maybe in reply to: Greg S. Wirth: "Compromised FBSD/Apache"
- Next in thread: Skip Carter: "Re: Compromised FBSD/Apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Nov 2002 20:10:16 +0200
From: "Boyan Krosnov" <bkrosnov@lirex.bg>
To: <incidents@securityfocus.com>
fuser -v 80/tcp
lsof -i tcp:80
netstat -apn | egrep '^tcp.+:80'
All these work on a pure Debian GNU/Linux stable here, and give you at
least the pid of the process. fuser is my favorite.
BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
Just another techie speaking for himself
> -----Original Message-----
> From: Thomas C. Meggs [mailto:tom@plik.net]
> Sent: Friday, November 22, 2002 6:28 PM
> To: Micheal Patterson
> Cc: incidents@securityfocus.com
> Subject: Re: Compromised FBSD/Apache
>
>
> Hi,
>
> Out of curiosity, what are the Linux and Solaris equivalents for doing
> this? I did a quick check under Linux and didn't see any similarly named
> programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!
>
> Regards,
> Tom
>
> Micheal Patterson wrote:
>
> >
> > ----- Original Message -----
> > From: "Greg A. Woods"
> > To: "Greg S. Wirth"
> > Cc:
> > Sent: Monday, November 18, 2002 11:49 AM
> > Subject: Re: Compromised FBSD/Apache
> >
> >
> >
> > >[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> >
> > >>Subject: Compromised FBSD/Apache
> > >>
> > >>Hello...
> > >>November 14, 2002 I noticed a service running on port 127/tcp.
> > >>The box runs only Apache, no SSL.
> > >>Only open ports before this were 21/22/80
> > >>PHP was installed 5 days prior to this.
> > >>PHP runs in safemode.
> > >>I run netstat -an every morning, which is how I found the issue.
> > >
> > >"fstat" is your friend -- it can tell you which process holds the
> > >listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> > >first to find the address of the protocol control block (PCB), and then
> > >grep for that in the output of 'fstat'. For example:
> > >
> > >12:44 [6] $ netstat -aAn | fgrep '*.80'
> > >c49e0a40 tcp4 0 0 *.80 *.* LISTEN
> > >12:44 [7] $ fstat | fgrep c49e0a40
> > >wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
> > >
> > >
> > >--
> > >Greg A. Woods
> > >+1 416 218-0098; ;
> > >Planix, Inc. ; VE3TCP; Secrets of the Weird
> >
> > "sockstat" on later versions of FreeBSD will also show you the daemon
> > running on the port.
> >
> > micheal@/>sockstat |more
> > USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> > root sshd 62252 5 tcp4 192.168.1.1:22 192.168.1.2:3777
> > root sshd 207 4 tcp4 *:22 *:*
> >
> >
> > --
> >
> > Micheal Patterson
> > Network Administration
> > Cancer Care Network
> >
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
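The thread gives the two halves of the same technique on two systems: on FreeBSD, 'netstat -aAn' yields the PCB address and 'fstat' maps it to a process; on Linux, fuser, lsof and 'netstat -p' do the equivalent by reading the socket inode from /proc/net/tcp and scanning every process's fd table for a 'socket:[inode]' link. The script below is an added example, not code from this list or from any of the posters, that does that walk by hand and folds in the daily 'netstat -an' habit from the original report: it parses a /proc/net/tcp dump, flags any LISTEN port outside a baseline allow-list (21, 22 and 80 in the report), and resolves the owning pid and command name. The /proc layout it assumes is the one documented in proc(5); SAMPLE_PROC_NET_TCP is constructed data that mirrors the report (sshd, httpd and an unexplained listener on 127/tcp), and the allow-list and the `proc` argument are the script's own conventions.

```python
import os
from pathlib import Path

TCP_LISTEN = 0x0A  # "st" column value of a listening socket in /proc/net/tcp (proc(5))

# Constructed sample of /proc/net/tcp: listeners on 22, 80 and 127, plus one
# ESTABLISHED connection (st 01) that must be ignored. Not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:007F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:9C40 01 00000000:00000000 00:00000000 00000000    33        0 44444 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(text):
    """Return {port: inode} for every LISTEN row of a /proc/net/tcp dump.

    The socket inode plays the role the PCB address plays on FreeBSD: it is
    the key that links the kernel socket table to a process's fd table.
    """
    listeners = {}
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if int(state, 16) != TCP_LISTEN:
            continue
        port = int(local_addr.rsplit(":", 1)[1], 16)  # port is hex after the colon
        listeners[port] = int(inode)
    return listeners


def unexpected_ports(listeners, allowed):
    """Listening ports that are not on the baseline allow-list."""
    return sorted(p for p in listeners if p not in allowed)


def find_owner(inode, proc="/proc"):
    """Scan <proc>/<pid>/fd/* for a 'socket:[inode]' link, as fuser and lsof do.

    Returns (pid, comm) or None. Reading other users' fd tables needs root.
    """
    target = f"socket:[{inode}]"
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():            # skip self, net, sys, ...
            continue
        try:
            for fd in (pid_dir / "fd").iterdir():
                if os.readlink(fd) == target:
                    comm = (pid_dir / "comm").read_text().strip()
                    return int(pid_dir.name), comm
        except OSError:                           # process exited, or not ours to read
            continue
    return None


def audit(text, allowed, proc="/proc"):
    """(port, inode, owner) for every listener outside the allow-list."""
    listeners = parse_listeners(text)
    return [(p, listeners[p], find_owner(listeners[p], proc))
            for p in unexpected_ports(listeners, allowed)]


if __name__ == "__main__":
    # Baseline from the original report: only 21, 22 and 80 are expected.
    live = Path("/proc/net/tcp").read_text()
    for port, inode, owner in audit(live, {21, 22, 80}):
        who = f"pid {owner[0]} ({owner[1]})" if owner else "owner not visible (run as root?)"
        print(f"unexpected listener on {port}/tcp, socket inode {inode}: {who}")
```

/proc/net/tcp only lists IPv4 sockets; /proc/net/tcp6 has the same column layout with 32-hex-digit addresses, so the same parser can be fed both files. A listener whose inode is found in no fd table at all is itself worth a closer look: that is what a process hidden from /proc, or a socket held by a kernel component, looks like from userland.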