----- Original Message -----
From: "Greg S. Wirth" <gregat_private>
To: <incidentsat_private>
Sent: Saturday, November 16, 2002 9:11 AM
Subject: Compromised FBSD/Apache

> Hello...
> November 14, 2002 I noticed a service running on port 127/tcp.
> The box runs only Apache, no SSL.
> Only open ports before this were 21/22/80
> PHP was installed 5 days prior to this.
> PHP runs in safemode.
> I run netstat -an every morning, which is how I found the issue.
> There were no log entries that showed anything out of the ordinary.
> Users have access to FTP only.
> Connections to port 127 are being blocked by the firewall.
> If anyone would like more information, feel free to contact me.
> Enjoy the day.

What process is listening on the port?

sockstat | grep ':127'

Find out what the process is, who owns it, when it was started, when it was
put there, and what its purpose is.

> Greg S. Wirth
> Anchorage, Alaska
> http://rapidfx.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
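
An added example, not part of the original thread: the daily listener check and the sockstat lookup discussed above, combined into one baseline comparison against the ports the post names (21/22/80). The sample sockstat output is constructed, and the user, command and PID on the port-127 line are placeholders.

```sh
#!/bin/sh
# Added example: report TCP listeners outside a known-good port baseline.
# Reads FreeBSD `sockstat -4 -l` output on stdin.

ALLOWED_PORTS="21 22 80"   # baseline stated in the original post

# Constructed sample. The user, command and PID on the port-127 line are
# invented placeholders, not details from the thread.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       298   0  tcp4   *:21                  *:*
root     sshd       312   3  tcp4   *:22                  *:*
www      httpd      455   16 tcp4   *:80                  *:*
www      httpd      456   16 tcp4   *:80                  *:*
root     syslogd    210   4  udp4   *:514                 *:*
nobody   xyz        9001  3  tcp4   *:127                 *:*
EOF
}

# Print "port user command pid" for every TCP listener whose port is not in
# the space-separated allowlist passed as $1. The port is compared as a whole
# field, so an allowlist entry of 80 does not also admit 8080.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        NR == 1 && $1 == "USER" { next }   # header row
        $5 !~ /^tcp/ { next }              # TCP only, as in the post
        {
            k = split($6, part, ":")       # port follows the last colon
            port = part[k]
            if (!(port in ok)) print port, $1, $2, $3
        }'
}

# On the host itself: sockstat -4 -l | unexpected_listeners "$ALLOWED_PORTS"
# Then, for each reported PID, the start time and full command line:
#   ps -o user,pid,lstart,command -p <PID>
sample_sockstat | unexpected_listeners "$ALLOWED_PORTS"
```

Run from cron, any output from this check is a listener that was not in the baseline, along with the owner and PID needed for the follow-up questions in the reply.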
This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 10:30:40 PST