Security Incidents
mailing list archives
Re: [CERT] Re: Compromised FBSD/Apache
From: ePAc <epac () korigan net>
Date: Mon, 25 Nov 2002 10:11:22 -0800 (PST)
lsof would be able to show you the necessary output.
It will give you files that are open, their "State" and what the process
name is, as well as their PID (and you can figure out the path with
something like "ps auxwww | grep $PID").
Here is a sample output of lsof (edited for content):
--
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 49 root cwd DIR 3,2 4096 2 /
dhcpcd 49 root rtd DIR 3,2 4096 2 /
dhcpcd 49 root txt REG 3,2 32480 1669996 /sbin/dhcpcd
dhcpcd 49 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
dhcpcd 49 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
dhcpcd 49 root 0u CHR 1,3 360205 /dev/null
dhcpcd 49 root 1u CHR 1,3 360205 /dev/null
dhcpcd 49 root 2u CHR 1,3 360205 /dev/null
dhcpcd 49 root 3u sock 0,0 40 can't identify protocol
dhcpcd 49 root 4u IPv4 41 UDP *:bootpc
dhcpcd 49 root 5u unix 0xcf0d4a90 1685 socket
sshd 70 root cwd DIR 3,2 4096 2 /
sshd 70 root rtd DIR 3,2 4096 2 /
sshd 70 root txt REG 3,2 290208 2226684 /usr/sbin/sshd
sshd 70 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
sshd 70 root mem REG 3,2 43172 33078 /lib/libutil-2.2.5.so
sshd 70 root mem REG 3,2 55668 589606 /usr/lib/libz.so.1.1.4
sshd 70 root mem REG 3,2 353351 33065 /lib/libnsl-2.2.5.so
sshd 70 root mem REG 3,2 757368 589303 /usr/lib/libcrypto.so.0.9.6
sshd 70 root mem REG 3,2 70355 33058 /lib/libcrypt-2.2.5.so
sshd 70 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
sshd 70 root mem REG 3,2 61247 33062 /lib/libdl-2.2.5.so
sshd 70 root 0u CHR 1,3 360205 /dev/null
sshd 70 root 1u CHR 1,3 360205 /dev/null
sshd 70 root 2u CHR 1,3 360205 /dev/null
sshd 70 root 3u IPv4 76 TCP *:ssh (LISTEN)
<... SNIP ...>
dhcpd 178 root cwd DIR 3,2 4096 1735010 /root
dhcpd 178 root rtd DIR 3,2 4096 2 /
dhcpd 178 root txt REG 3,2 464340 2226663 /usr/sbin/dhcpd
dhcpd 178 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
dhcpd 178 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
dhcpd 178 root mem REG 3,2 18756 33067 /lib/libnss_db-2.2.so
dhcpd 178 root mem REG 3,2 233089 33069 /lib/libnss_files-2.2.5.so
dhcpd 178 root mem REG 3,2 494600 33059 /lib/libdb-3.1.so
dhcpd 178 root 0w REG 3,2 1510 1212044 /var/state/dhcp/dhcpd.leases
dhcpd 178 root 3u unix 0xcedba0a0 197 socket
dhcpd 178 root 4u raw 198 00000000:0001->00000000:0000 st=07
dhcpd 178 root 7u IPv4 201 UDP *:bootps
<... SNIP ...>
lsof 2369 root cwd DIR 3,2 4096 1735010 /root
lsof 2369 root rtd DIR 3,2 4096 2 /
lsof 2369 root txt REG 3,2 89712 556931 /usr/bin/lsof
lsof 2369 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
lsof 2369 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
lsof 2369 root 0u CHR 4,2 360329 /dev/tty2
lsof 2369 root 1w REG 3,2 0 1735946 /root/lsof.output
lsof 2369 root 2u CHR 4,2 360329 /dev/tty2
lsof 2369 root 3r DIR 0,3 0 1 /proc
lsof 2369 root 4r DIR 0,3 0 155254792 /proc/2369/fd
lsof 2369 root 5w FIFO 0,6 12122 pipe
lsof 2369 root 6r FIFO 0,6 12123 pipe
lsof 2370 root cwd DIR 3,2 4096 1735010 /root
lsof 2370 root rtd DIR 3,2 4096 2 /
lsof 2370 root txt REG 3,2 89712 556931 /usr/bin/lsof
lsof 2370 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
lsof 2370 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
lsof 2370 root 4r FIFO 0,6 12122 pipe
lsof 2370 root 7w FIFO 0,6 12123 pipe
I hope this helps...
Jok
On Fri, 22 Nov 2002, Thomas C. Meggs wrote:
Date: Fri, 22 Nov 2002 11:28:21 -0500
From: Thomas C. Meggs <tom () plik net>
To: Micheal Patterson <micheal () cancercare net>
Cc: incidents () securityfocus com
Subject: [CERT] Re: Compromised FBSD/Apache
Hi,
Out of curiosity what is the Linux and Solaris equivalents for doing
this? I did a quick check under Linux and didn't see any similarly named
programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!
Regards,
Tom
Micheal Patterson wrote:
----- Original Message -----
From: "Greg A. Woods"
To: "Greg S. Wirth"
Cc:
Sent: Monday, November 18, 2002 11:49 AM
Subject: Re: Compromised FBSD/Apache
[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth
wrote: ]
Subject: Compromised FBSD/Apache
Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.
"fstat" is your friend -- it can tell you which process holds the
listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
first to find the address of the protocol control block (PCB), and then
grep for that in the output of 'fstat'. For example:
12:44 [6] $ netstat -aAn | fgrep '*.80'
c49e0a40 tcp4 0 0 *.80 *.*
LISTEN
12:44 [7] $ fstat | fgrep c49e0a40
wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
--
Greg A. Woods
+1 416 218-0098; ;
Planix, Inc. ; VE3TCP; Secrets of the Weird
--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
"sockstat" on later versions of FreeBSD will also show you the daemon
running on the port.
micheal@/>sockstat |more
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 62252 5 tcp4 192.168.1.1:22 192.168.1.2:3777
root sshd 207 4 tcp4 *:22 *:*
--
Micheal Patterson
Network Administration
Cancer Care Network
---
Nothing is foolproof to a sufficiently talented fool...
oo
,(..)\
~~
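Tom asked above for the Linux equivalent of fstat, and Jok's reply shows lsof. Added here as an example that is not part of the original thread: a small script that does what lsof does under the hood on Linux, reading the socket inode of every LISTEN row in /proc/net/tcp and then finding the /proc/PID/fd symlink that points at socket:[inode]. The /proc/net/tcp dump, the fd tables and PID 4242 below are constructed sample data, not output from any host in the thread.

```python
"""Map listening TCP ports to owning PIDs via /proc, the way lsof does on Linux (added example)."""
import os
import re

TCP_LISTEN = "0A"                                # 'st' column value for a listening socket
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")  # shape of a /proc/PID/fd symlink to a socket

# Constructed /proc/net/tcp dump: sshd on 22 (inode 76), an unexplained listener on 127
# (inode 9981, the port from the original report) and one established session to be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 76 1 0 100 0 0 10 0
   1: 00000000:007F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9981 1 0 100 0 0 10 0
   2: 0101A8C0:0016 0201A8C0:0EC1 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 20 4 30 10 -1
"""
# Constructed /proc/PID/fd tables, {pid: {fd: readlink target}}; 4242 is a hypothetical rogue daemon
SAMPLE_FD_LINKS = {
    70:   {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[76]"},
    4242: {0: "/dev/null", 3: "socket:[9981]"},
}

def listening_inodes(proc_net_tcp):
    """Return {port: inode} for every LISTEN row; local_address is hex 'IP:PORT'."""
    result = {}
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == TCP_LISTEN:
            result[int(f[1].split(":")[1], 16)] = int(f[9])
    return result

def socket_owners(listeners, fd_links):
    """Return {port: (pid, fd)} by finding which fd symlink targets socket:[inode]."""
    port_of = {inode: port for port, inode in listeners.items()}
    owners = {}
    for pid, fds in fd_links.items():
        for fd, target in fds.items():
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in port_of:
                owners[port_of[int(m.group(1))]] = (pid, fd)
    return owners

def live_fd_links():
    """Read every /proc/PID/fd we may inspect (run as root to see other users' daemons)."""
    links = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fd_dir = f"/proc/{pid}/fd"
            links[int(pid)] = {int(fd): os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
        except OSError:                          # process exited mid-scan or permission denied
            continue
    return links
```

On a live Linux host, run as root, `socket_owners(listening_inodes(open("/proc/net/tcp").read()), live_fd_links())` gives the same port-to-PID mapping that `lsof -i -P` or `netstat -anp` would, and /proc/PID/exe then reveals the binary behind an unexpected listener.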