In-Reply-To: <138174789994.20021116081144at_private>

Do this:

# fstat | grep internet | grep 127

and see what it shows you. You can see which binary is bound to this port, and view which user is running it too.

Then it is recommended to do:

# fstat | grep internet

and take a look at all Listen and Established communications.

Netstat may be a compromised file...

Bye Bye
-H

>Hello...
>November 14, 2002 I noticed a service running on port 127/tcp.
>The box runs only Apache, no SSL.
>Only open ports before this were 21/22/80
>PHP was installed 5 days prior to this.
>PHP runs in safemode.
>I run netstat -an every morning, which is how I found the issue.
>There were no log entries that showed anything out of the ordinary.
>Users have access to FTP only.
>Connections to port 127 are being blocked by the firewall.
>If anyone would like more information, feel free to contact me.
>Enjoy the day.
>
>--------------------------------
>
>httpd 186 root 18u IPv4 0xc82d4600 0t0 TCP *:locus-con (LISTEN)
>httpd 186 root 19u IPv4 0xc82d43e0 0t0 TCP 111-145-58-66-cable.anchorageak.net:http (LISTEN)
>
>BOX DETAILS:
># uname -a
>FreeBSD 4.7-STABLE #0: Tue Oct 22 09:09:45 AKDT 2002
>
># ./httpd -v
>Server version: Apache/1.3.28-dev (Unix)
>Server built: Nov 10 2002 08:35:06
>
># netstat -an
>Active Internet connections (including servers)
>Proto Recv-Q Send-Q Local Address Foreign Address (state)
>tcp4 0 0 66.58.145.111.80 *.* LISTEN
>tcp4 0 0 *.127 *.* LISTEN

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
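Added example, not part of either message above: a small Python check that automates the daily review described in the thread, comparing `netstat -an` listeners against the 21/22/80 baseline and against a per-process socket listing, so that a disagreement between the two tools stands out. The sample inputs are constructed from the output quoted in the post (the `*.22` row is invented to show a mismatch), and the `SERVICES` map and all function names are assumptions of this sketch.

```python
BASELINE = {21, 22, 80}  # ports the original poster expected to be open
# Assumed subset of /etc/services, enough to resolve the names in the sample.
SERVICES = {"ftp": 21, "ssh": 22, "http": 80, "locus-con": 127}

# Constructed samples modelled on the output quoted in the post.
NETSTAT = """\
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  66.58.145.111.80   *.*                LISTEN
tcp4       0      0  *.127              *.*                LISTEN
tcp4       0      0  *.22               *.*                LISTEN
"""
OWNERS = """\
httpd 186 root 18u IPv4 0xc82d4600 0t0 TCP *:locus-con (LISTEN)
httpd 186 root 19u IPv4 0xc82d43e0 0t0 TCP 66.58.145.111:http (LISTEN)
"""

def netstat_listeners(text):
    """Ports in LISTEN state from BSD `netstat -an` (local address is addr.port)."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ports.add(int(f[3].rsplit(".", 1)[1]))
    return ports

def socket_owners(text):
    """Map port -> {(command, pid, user)} from per-process listener lines."""
    owners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[-1] == "(LISTEN)":
            svc = f[8].rsplit(":", 1)[1]
            port = int(svc) if svc.isdigit() else SERVICES.get(svc)
            if port is not None:  # unknown service names are skipped
                owners.setdefault(port, set()).add((f[0], int(f[1]), f[2]))
    return owners

def audit(netstat_text, owners_text, baseline=BASELINE):
    seen, owners = netstat_listeners(netstat_text), socket_owners(owners_text)
    extra = sorted((seen | set(owners)) - baseline)
    return {
        # listeners outside the baseline, with whoever holds the socket
        "unexpected": {p: sorted(owners.get(p, [])) for p in extra},
        # the two tools disagree: one of them may be tampered with or stale
        "netstat_only": sorted(seen - set(owners)),
        "owners_only": sorted(set(owners) - seen),
    }

if __name__ == "__main__":
    print(audit(NETSTAT, OWNERS))
```

On a suspect host, collect both inputs with binaries from trusted media, since the reply's point is that the installed `netstat` itself may have been replaced.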
This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 11:26:12 PST