
Re: Compromised FBSD/Apache

From: Greg A. Woods <woods(at)weird.com>
Date: Mon Nov 18 2002 - 12:49:09 EST

[ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
> Subject: Compromised FBSD/Apache

"fstat" is your friend -- it can tell you which process holds the listening socket descriptor. On FreeBSD you have to use 'netstat -aAn' first to find the address of the protocol control block (PCB), and then grep for that in the output of 'fstat'. For example:

12:44 [6] $ netstat -aAn | fgrep '*.80'
c49e0a40 tcp4       0      0  *.80               *.*                LISTEN
12:44 [7] $ fstat | fgrep c49e0a40
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40


-- 
								Greg A. Woods

+1 416 218-0098;            ;           
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Nov 19 15:52:46 2002
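
Added example, not part of the original message: the netstat/fstat lookup described above, extended from port 80 to every listening TCP socket and to sockets held by more than one process (a forked server's children share the listening descriptor). The function names listener_owners and demo are hypothetical, the sample data is constructed, and the field positions are assumed from the output shown in the message.

```shell
#!/bin/sh
# listener_owners NETSTAT_FILE FSTAT_FILE
#   NETSTAT_FILE holds saved `netstat -aAn` output, FSTAT_FILE saved `fstat` output.
#   Prints "local-address user command pid" for every process holding a
#   listening TCP socket, or "local-address - - -" when no fstat line
#   references that socket's PCB address.
listener_owners() {
    awk -v fstat_file="$2" '
        # fstat pass. Socket lines: USER CMD PID FD* internet stream tcp PCB
        FILENAME == fstat_file {
            if ($5 == "internet" && NF >= 8)
                owners[$8] = owners[$8] $1 " " $2 " " $3 "\n"
            next
        }
        # netstat pass. Lines: PCB PROTO RECV-Q SEND-Q LOCAL FOREIGN STATE
        $2 ~ /^tcp/ && $NF == "LISTEN" {
            if ($1 in owners) {
                n = split(owners[$1], o, "\n")
                for (j = 1; j < n; j++) print $5, o[j]   # last element is empty
            } else {
                print $5, "-", "-", "-"
            }
        }
    ' "$2" "$1"
}

# Constructed sample data in the formats shown in the message above.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/netstat.txt" <<'EOF'
c49e0a40 tcp4       0      0  *.80               *.*                LISTEN
c49e0c80 tcp4       0      0  *.22               *.*                LISTEN
c49e0ec0 tcp4       0      0  *.8080             *.*                LISTEN
c49e1100 tcp4       0      0  10.0.0.5.22        10.0.0.9.4021      ESTABLISHED
EOF
    cat > "$dir/fstat.txt" <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     httpd        210   16* internet stream tcp c49e0a40
www      httpd        214   16* internet stream tcp c49e0a40
root     sshd         101    3* internet stream tcp c49e0c80
root     sshd         355    4* internet stream tcp c49e1100
EOF
    listener_owners "$dir/netstat.txt" "$dir/fstat.txt"
    rm -rf "$dir"
}

demo
```

On a live FreeBSD host, save the output of 'netstat -aAn' and 'fstat' to two files and pass them to listener_owners in that order.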

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

