Security Incidents mailing list archives
Re: Compromised FBSD/Apache
From: "D.C. van Moolenbroek" <xanadu () chello nl>
Date: Wed, 20 Nov 2002 23:22:44 +0100
"Hernan Otero" wrote:
Do this #fstat | grep internet | grep 127 and see what it show you.... You can see wath binary is bind to this port, and view wich user is
running it too
Then is recomended do #fstat | grep internet And take a look for all Listen and Established communications Netstat may be a compromised file...
yes, and fstat may have been replaced just as well, so it wouldn't really make sense to trust one binary more than the other, would it? and even with binaries taken from a read-only medium, you are not guaranteed to get accurate information from the kernel... but besides that, did you notice that the OP already included the requested piece of information in his mail? acquired from lsof and not from fstat apparently, but it clearly indicates that it's the httpd process that owns the socket on 127/tcp, which is listed as locus-con in /etc/services. to return to the OP's question (if there ever was one?), just a guess: someone could have uploaded and run a PHP script that opened the listening port, possibly providing some kind of shell-functionality. I don't know PHP well enough when it comes to things like dropping priviledges, but it seems to me that running apache as root is always a bad idea... regards, David -- class sig{static void main(String[]s){for// D.C. van Moolenbroek (int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL) "Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Compromised FBSD/Apache, (continued)
- Re: Compromised FBSD/Apache Greg A. Woods (Nov 19)
- Re: Compromised FBSD/Apache Jay D. Dyson (Nov 21)
- Re: Compromised FBSD/Apache Micheal Patterson (Nov 22)
- Re: Compromised FBSD/Apache Thomas C. Meggs (Nov 25)
- Re: Compromised FBSD/Apache Jose Nazario (Nov 25)
- Re: [CERT] Re: Compromised FBSD/Apache ePAc (Nov 25)
- Re: Compromised FBSD/Apache Adam Sampson (Nov 25)
- Re: Compromised FBSD/Apache Skip Carter (Nov 25)
- Re: Compromised FBSD/Apache Charles Blackburn (Nov 25)
- Re: Compromised FBSD/Apache Greg A. Woods (Nov 19)
- Re: Compromised FBSD/Apache Hernan Otero (Nov 20)
- Re: Compromised FBSD/Apache D.C. van Moolenbroek (Nov 21)
- increased attacks on port 2599 Esler, Joel -- Sytex Contractor (Nov 22)
- Re: increased attacks on port 2599 H C (Nov 25)
- RE: increased attacks on port 2599 Esler, Joel -- Sytex Contractor (Nov 25)
- RE: increased attacks on port 2599 H C (Nov 25)
- Re: increased attacks on port 2599 gminick (Nov 25)