Re: Compromised FBSD/Apache

["D.C. van Moolenbroek" <xanadu () chello nl>]

"Hernan Otero" wrote:
> Do this
>
> #fstat | grep internet | grep 127
>
> and see what it show you....
>
> You can see wath binary is bind to this port, and  view wich user is
running it too
> Then is recomended do
>
> #fstat | grep internet
>
> And take a look for all Listen and Established communications
>
> Netstat may be a compromised file...

yes, and fstat may have been replaced just as well, so it wouldn't really
make sense to trust one binary more than the other, would it? and even with
binaries taken from a read-only medium, you are not guaranteed to get
accurate information from the kernel...

but besides that, did you notice that the OP already included the requested
piece of information in his mail? acquired from lsof and not from fstat
apparently, but it clearly indicates that it's the httpd process that owns
the socket on 127/tcp, which is listed as locus-con in /etc/services.

to return to the OP's question (if there ever was one?), just a guess:
someone could have uploaded and run a PHP script that opened the listening
port, possibly providing some kind of shell-functionality. I don't know PHP
well enough when it comes to things like dropping priviledges, but it seems
to me that running apache as root is always a bad idea...

regards,

David

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com