|
Security Incidents
mailing list archives
Re: Compromised FBSD/Apache
From: "D.C. van Moolenbroek" <xanadu () chello nl>
Date: Wed, 20 Nov 2002 23:22:44 +0100
"Hernan Otero" wrote:
Do this
#fstat | grep internet | grep 127
and see what it show you....
You can see wath binary is bind to this port, and view wich user is
running it too
Then is recomended do
#fstat | grep internet
And take a look for all Listen and Established communications
Netstat may be a compromised file...
yes, and fstat may have been replaced just as well, so it wouldn't really
make sense to trust one binary more than the other, would it? and even with
binaries taken from a read-only medium, you are not guaranteed to get
accurate information from the kernel...
but besides that, did you notice that the OP already included the requested
piece of information in his mail? acquired from lsof and not from fstat
apparently, but it clearly indicates that it's the httpd process that owns
the socket on 127/tcp, which is listed as locus-con in /etc/services.
to return to the OP's question (if there ever was one?), just a guess:
someone could have uploaded and run a PHP script that opened the listening
port, possibly providing some kind of shell-functionality. I don't know PHP
well enough when it comes to things like dropping priviledges, but it seems
to me that running apache as root is always a bad idea...
regards,
David
--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
- Re: [CERT] Re: Compromised FBSD/Apache, (continued)
|
Intro
