Re: Compromised FBSD/Apache

"Hernan Otero" wrote:
>
> Do this
>
> #fstat | grep internet | grep 127
running it too
>
> Then is recomended do

yes, and fstat may have been replaced just as well, so it wouldn't really make sense to trust one binary more than the other, would it? and even with binaries taken from a read-only medium, you are not guaranteed to get accurate information from the kernel...

but besides that, did you notice that the OP already included the requested piece of information in his mail? acquired from lsof and not from fstat apparently, but it clearly indicates that it's the httpd process that owns the socket on 127/tcp, which is listed as locus-con in /etc/services.

to return to the OP's question (if there ever was one?), just a guess: someone could have uploaded and run a PHP script that opened the listening port, possibly providing some kind of shell-functionality. I don't know PHP well enough when it comes to things like dropping priviledges, but it seems to me that running apache as root is always a bad idea...

regards,

David

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com