fuser -v 80/tcp
lsof -i tcp:80
netstat -apn | egrep '^tcp.+:80'

All these work on a pure debian gnu/linux stable here, and give you at
least the pid of the process. fuser is my favorite.

BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
Just another techie speaking for himself

> -----Original Message-----
> From: Thomas C. Meggs [mailto:tomat_private]
> Sent: Friday, November 22, 2002 6:28 PM
> To: Micheal Patterson
> Cc: incidentsat_private
> Subject: Re: Compromised FBSD/Apache
>
> Hi,
>
> Out of curiosity what is the Linux and Solaris equivalents for doing
> this? I did a quick check under Linux and didn't see any similarly named
> programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!
>
> Regards,
> Tom
>
> Micheal Patterson wrote:
>
> > ----- Original Message -----
> > From: "Greg A. Woods"
> > To: "Greg S. Wirth"
> > Cc:
> > Sent: Monday, November 18, 2002 11:49 AM
> > Subject: Re: Compromised FBSD/Apache
> >
> > >[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> > >>Subject: Compromised FBSD/Apache
> > >>
> > >>Hello...
> > >>November 14, 2002 I noticed a service running on port 127/tcp.
> > >>The box runs only Apache, no SSL.
> > >>Only open ports before this were 21/22/80
> > >>PHP was installed 5 days prior to this.
> > >>PHP runs in safemode.
> > >>I run netstat -an every morning, which is how I found the issue.
> > >
> > >"fstat" is your friend -- it can tell you which process holds the
> > >listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> > >first to find the address of the protocol control block (PCB), and then
> > >grep for that in the output of 'fstat'. For example:
> > >
> > >12:44 [6] $ netstat -aAn | fgrep '*.80'
> > >c49e0a40 tcp4       0      0  *.80          *.*           LISTEN
> > >12:44 [7] $ fstat | fgrep c49e0a40
> > >wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
> > >
> > >--
> > >Greg A. Woods
> > >
> > >+1 416 218-0098; ;
> > >Planix, Inc. ; VE3TCP; Secrets of the Weird
> > >
> > >--------------------------------------------------------------------------
> > >This list is provided by the SecurityFocus ARIS analyzer service.
> > >For more information on this free incident handling, management
> > >and tracking system please see: http://aris.securityfocus.com
> >
> > "sockstat" on later versions of FreeBSD will also show you the daemon
> > running on the port.
> >
> > micheal@/>sockstat |more
> > USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS       FOREIGN ADDRESS
> > root     sshd     62252    5 tcp4   192.168.1.1:22      192.168.1.2:3777
> > root     sshd       207    4 tcp4   *:22                *:*
> >
> > --
> >
> > Micheal Patterson
> > Network Administration
> > Cancer Care Network
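
The PCB join quoted in the thread ('netstat -aAn' matched against 'fstat') can be scripted so that a morning listener check also names the owning process. The script below is an added example, not part of any message in this thread. It assumes the field layout of the sample lines quoted above and uses the 21/22/80 baseline from the original report; the sample data, the 8080 listener and the process name "xproc" are constructed.

```shell
#!/bin/sh
# Join `netstat -aAn` and `fstat` output on the PCB address and report TCP
# listeners whose port is not on an allowlist (field layout assumed from the
# sample lines quoted in the thread).

# usage: unexpected_listeners NETSTAT_FILE FSTAT_FILE "PORT PORT ..."
# prints: PORT USER COMMAND PID   ("?" when fstat shows no owner)
unexpected_listeners() {
    awk -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        FNR == NR {                     # first file: netstat -aAn
            if ($2 ~ /^tcp/ && $NF == "LISTEN") {
                port = $5
                sub(/^.*[.:]/, "", port)   # "*.80" -> "80"
                if (!(port in ok)) pcb[$1] = port
            }
            next
        }
        ($NF in pcb) {                  # second file: fstat, PCB is last field
            print pcb[$NF], $1, $2, $3
            seen[$NF] = 1
        }
        END {                           # listener with no descriptor in fstat
            for (p in pcb) if (!(p in seen)) print pcb[p], "?", "?", "?"
        }
    ' "$1" "$2" | sort -n
}

# Constructed sample data (not captured from a real host).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/netstat" <<'EOF'
c49e0a40 tcp4 0 0 *.80 *.* LISTEN
c49e0b20 tcp4 0 0 *.22 *.* LISTEN
c49e0c00 tcp4 0 0 *.21 *.* LISTEN
c49e0ce0 tcp4 0 0 *.127 *.* LISTEN
c49e0dc0 tcp4 0 0 *.8080 *.* LISTEN
EOF
    cat > "$d/fstat" <<'EOF'
wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
root sshd 207 4* internet stream tcp c49e0b20
root ftpd 311 3* internet stream tcp c49e0c00
www xproc 4242 3* internet stream tcp c49e0ce0
EOF
    unexpected_listeners "$d/netstat" "$d/fstat" "21 22 80"
    rm -rf "$d"
}

demo
```

A listener reported with "?" has no matching descriptor in the fstat output and needs a closer look on its own.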
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 22:03:56 PST