Hi,

Out of curiosity what are the Linux and Solaris equivalents for doing this? I did a quick check under Linux and didn't see any similarly named programs, and the UNIX Rosetta Stone wasn't much help either.

Thanks!

Regards,
Tom

Micheal Patterson wrote:
>
> ----- Original Message -----
> From: "Greg A. Woods"
> To: "Greg S. Wirth"
> Cc:
> Sent: Monday, November 18, 2002 11:49 AM
> Subject: Re: Compromised FBSD/Apache
>
> >[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> >>Subject: Compromised FBSD/Apache
> >>
> >>Hello...
> >>November 14, 2002 I noticed a service running on port 127/tcp.
> >>The box runs only Apache, no SSL.
> >>Only open ports before this were 21/22/80
> >>PHP was installed 5 days prior to this.
> >>PHP runs in safemode.
> >>I run netstat -an every morning, which is how I found the issue.
> >
> >"fstat" is your friend -- it can tell you which process holds the
> >listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> >first to find the address of the protocol control block (PCB), and then
> >grep for that in the output of 'fstat'. For example:
> >
> >12:44 [6] $ netstat -aAn | fgrep '*.80'
> >c49e0a40 tcp4 0 0 *.80 *.* LISTEN
> >12:44 [7] $ fstat | fgrep c49e0a40
> >wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
> >
> >--
> >Greg A. Woods
> >
> >+1 416 218-0098; ;
> >Planix, Inc. ; VE3TCP; Secrets of the Weird
> >
> >----------------------------------------------------------------------------
> >This list is provided by the SecurityFocus ARIS analyzer service.
> >For more information on this free incident handling, management
> >and tracking system please see: http://aris.securityfocus.com
>
> "sockstat" on later versions of FreeBSD will also show you the daemon
> running on the port.
>
> micheal@/>sockstat |more
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root sshd 62252 5 tcp4 192.168.1.1:22 192.168.1.2:3777
> root sshd 207 4 tcp4 *:22 *:*
>
> --
> Micheal Patterson
> Network Administration
> Cancer Care Network
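
Added example, not part of the original posts: the 'netstat -aAn' then 'fstat' lookup described in the quoted reply, applied to every TCP listener at once and checked against the 21/22/80 set the original poster expected. The sample data is constructed, and `map_listeners` and `EXPECTED_PORTS` are hypothetical names.

```shell
#!/bin/sh
# Added example: join FreeBSD "netstat -aAn" and "fstat" output on the PCB address.
EXPECTED_PORTS="21 22 80"   # assumption: the ports the admin expects to be open

# map_listeners NETSTAT_FILE FSTAT_FILE  (hypothetical helper name)
# Prints one line per TCP listener: port pcb user command pid status
map_listeners() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # First file (netstat -aAn): remember the PCB of every TCP LISTEN socket.
        FNR == NR {
            if ($NF == "LISTEN" && $2 ~ /^tcp/) {
                port = $5; sub(/^.*\./, "", port)    # "*.80" -> "80"
                ports[$1] = port
            }
            next
        }
        # Second file (fstat): internet sockets carry the PCB as the last field.
        $5 == "internet" && ($NF in ports) && !($NF in owner) {
            owner[$NF] = $1 " " $2 " " $3
        }
        END {
            for (p in ports) {
                who = (p in owner) ? owner[p] : "? ? ?"   # no owner found in fstat
                status = (ports[p] in ok) ? "expected" : "UNEXPECTED"
                print ports[p], p, who, status
            }
        }
    ' "$1" "$2" | sort -n
}

# Constructed sample data, modelled on the output quoted in the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
NETSTAT_SAMPLE=$SAMPLE_DIR/netstat.txt
FSTAT_SAMPLE=$SAMPLE_DIR/fstat.txt
cat > "$NETSTAT_SAMPLE" <<'EOF'
c49e0a40 tcp4 0 0 *.80 *.* LISTEN
c49e0c00 tcp4 0 0 *.22 *.* LISTEN
c49e0e20 tcp4 0 0 *.127 *.* LISTEN
c49e1000 tcp4 0 0 192.168.1.1.22 192.168.1.2.3777 ESTABLISHED
EOF
cat > "$FSTAT_SAMPLE" <<'EOF'
USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
root sshd 207 4* internet stream tcp c49e0c00
nobody unknownd 4242 3* internet stream tcp c49e0e20
EOF

map_listeners "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE"
```

On a live FreeBSD host, save the output of 'netstat -aAn' and 'fstat' to two files and pass them in place of the samples; a listener shown with "? ? ?" has no matching owner in the fstat output.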
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 09:33:39 PST