Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Compromised FBSD/Apache
From: "Benjamin Krueger" <benjamin () seattlefenix net>
Date: Mon, 18 Nov 2002 05:27:20 -0800
----- Original Message -----
From: "Greg S. Wirth" <greg () beldamar com>
To: <incidents () securityfocus com>
Sent: Saturday, November 16, 2002 9:11 AM
Subject: Compromised FBSD/Apache



Hello...
November 14, 2002 I noticed a service running on port 127/tcp.
The box runs only Apache, no SSL.
Only open ports before this were 21/22/80
PHP was installed 5 days prior to this.
PHP runs in safemode.
I run netstat -an every morning, which is how I found the issue.
There were no log entries that showed anything out of the ordinary.
Users have access to FTP only.
Connections to port 127 are being blocked by the firewall.
If anyone would like more information, feel free to contact me.
Enjoy the day.


What process is listening on the port?

sockstat | grep ':127'

Find out what the process is, who owns it, when it was started, when it was
put there, and what its purpose is.


Greg S. Wirth
Anchorage, Alaska
http://rapidfx.org



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]