Security Incidents mailing list archives

Re: Compromised FBSD/Apache


From: woods () weird com (Greg A. Woods)
Date: Mon, 18 Nov 2002 12:49:09 -0500 (EST)

[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
Subject: Compromised FBSD/Apache

Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.

"fstat" is your friend -- it can tell you which process holds the
listening socket descriptor.  On FreeBSD you have to use 'netstat -aAn'
first to find the address of the protocol control block (PCB), and then
grep for that in the output of 'fstat'.  For example:

12:44 [6] $ netstat -aAn | fgrep '*.80' 
c49e0a40 tcp4       0      0  *.80               *.*                LISTEN
12:44 [7] $ fstat | fgrep c49e0a40      
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40


-- 
                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods () ieee org>;           <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
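
The two-step lookup described above, as an added example that is not part of the original post: a small POSIX sh script that takes the PCB address from 'netstat -aAn' and uses it as the join key into 'fstat' to name the owning process. The netstat and fstat text embedded here is constructed sample output (only the thttpd line mirrors the post), and pcb_for_port, owner_of_pcb, find_listener and find_listener_live are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: correlate a listening port with
# its owning process via the PCB address shared by netstat -aAn and fstat.
# The two samples below are constructed; on a FreeBSD host use
# find_listener_live, which runs the real commands.

# Constructed sample of 'netstat -aAn' (PCB address in column 1,
# local address in column 5, state in column 7).
NETSTAT_SAMPLE='c49e0a40 tcp4       0      0  *.80               *.*                LISTEN
c49e0b20 tcp4       0      0  *.127              *.*                LISTEN
c49e0c00 tcp4       0      0  192.0.2.10.22      198.51.100.7.4123  ESTABLISHED'

# Constructed sample of 'fstat' (PCB address in the last column).
FSTAT_SAMPLE='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
nobody   perl         4021   3* internet stream tcp c49e0b20
root     sshd         512    4* internet stream tcp c49e0c00'

# pcb_for_port PORT -- read 'netstat -aAn' text on stdin and print the PCB
# address of the socket LISTENing on local port PORT (any local address).
pcb_for_port() {
    awk -v port="$1" '$7 == "LISTEN" && $5 ~ ("[.]" port "$") { print $1; exit }'
}

# owner_of_pcb PCB -- read 'fstat' text on stdin and print "USER CMD PID"
# of the process holding a descriptor for that PCB.
owner_of_pcb() {
    awk -v pcb="$1" '$NF == pcb { print $1, $2, $3; exit }'
}

# find_listener PORT NETSTAT_TEXT FSTAT_TEXT -- the two-step lookup over
# captured text; prints "USER CMD PID", or returns 1 if nothing LISTENs there.
find_listener() {
    pcb=$(printf '%s\n' "$2" | pcb_for_port "$1")
    [ -n "$pcb" ] || return 1
    printf '%s\n' "$3" | owner_of_pcb "$pcb"
}

# find_listener_live PORT -- the same lookup against the running system
# (FreeBSD only; needs netstat(1) and fstat(1), the latter normally as root).
find_listener_live() {
    find_listener "$1" "$(netstat -aAn)" "$(fstat)"
}

# Demo over the constructed samples: which process owns the unexpected port 127?
find_listener 127 "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE"
```

If fstat shows no owner for a PCB that netstat lists, treat that as a finding in itself: a listener whose process hides from fstat is worth a closer look with a known-good toolset.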

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

