Security Incidents mailing list archives
RE: Compromised FBSD/Apache
From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Mon, 25 Nov 2002 20:10:16 +0200
fuser -v 80/tcp
lsof -i tcp:80
netstat -apn | egrep '^tcp.+:80'
All these work on a pure debian gnu/linux stable here, and give you at
least the pid of the process. fuser is my favorite.
BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
Just another techie speaking for himself
-----Original Message-----
From: Thomas C. Meggs [mailto:tom () plik net]
Sent: Friday, November 22, 2002 6:28 PM
To: Micheal Patterson
Cc: incidents () securityfocus com
Subject: Re: Compromised FBSD/Apache
Hi,
Out of curiosity, what are the Linux and Solaris equivalents for doing
this? I did a quick check under Linux and didn't see any similarly named
programs, and the UNIX Rosetta Stone wasn't much help either. Thanks!
Regards,
Tom
Micheal Patterson wrote:
----- Original Message -----
From: "Greg A. Woods"
To: "Greg S. Wirth"
Cc:
Sent: Monday, November 18, 2002 11:49 AM
Subject: Re: Compromised FBSD/Apache
[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
Subject: Compromised FBSD/Apache
Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.
"fstat" is your friend -- it can tell you which process holds the
listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
first to find the address of the protocol control block (PCB), and then
grep for that in the output of 'fstat'. For example:
12:44 [6] $ netstat -aAn | fgrep '*.80'
c49e0a40 tcp4 0 0 *.80 *.* LISTEN
12:44 [7] $ fstat | fgrep c49e0a40
wwwsrvr thttpd 137 5* internet stream tcp c49e0a40
--
Greg A. Woods
+1 416 218-0098
Planix, Inc.; VE3TCP; Secrets of the Weird
--------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
"sockstat" on later versions of FreeBSD will also show you the daemon
running on the port.
micheal@/>sockstat |more
USER     COMMAND    PID    FD  PROTO  LOCAL ADDRESS        FOREIGN ADDRESS
root     sshd       62252  5   tcp4   192.168.1.1:22       192.168.1.2:3777
root     sshd       207    4   tcp4   *:22                 *:*
--
Micheal Patterson
Network Administration
Cancer Care Network