Re: [CERT] Re: Compromised FBSD/Apache
lsof would be able to show you the necessary output.
It will give you files that are open, their "State" and what the process
name is, as well as their PID (and you can figure out the path with
something like "ps auxwww | grep $PID").
Here is a sample output of lsof (edited for content):
--
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 49 root cwd DIR 3,2 4096 2 /
dhcpcd 49 root rtd DIR 3,2 4096 2 /
dhcpcd 49 root txt REG 3,2 32480 1669996 /sbin/dhcpcd
dhcpcd 49 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
dhcpcd 49 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
dhcpcd 49 root 0u CHR 1,3 360205 /dev/null
dhcpcd 49 root 1u CHR 1,3 360205 /dev/null
dhcpcd 49 root 2u CHR 1,3 360205 /dev/null
dhcpcd 49 root 3u sock 0,0 40 can't identify protocol
dhcpcd 49 root 4u IPv4 41 UDP *:bootpc
dhcpcd 49 root 5u unix 0xcf0d4a90 1685 socket
sshd 70 root cwd DIR 3,2 4096 2 /
sshd 70 root rtd DIR 3,2 4096 2 /
sshd 70 root txt REG 3,2 290208 2226684 /usr/sbin/sshd
sshd 70 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
sshd 70 root mem REG 3,2 43172 33078 /lib/libutil-2.2.5.so
sshd 70 root mem REG 3,2 55668 589606 /usr/lib/libz.so.1.1.4
sshd 70 root mem REG 3,2 353351 33065 /lib/libnsl-2.2.5.so
sshd 70 root mem REG 3,2 757368 589303 /usr/lib/libcrypto.so.0.9.6
sshd 70 root mem REG 3,2 70355 33058 /lib/libcrypt-2.2.5.so
sshd 70 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
sshd 70 root mem REG 3,2 61247 33062 /lib/libdl-2.2.5.so
sshd 70 root 0u CHR 1,3 360205 /dev/null
sshd 70 root 1u CHR 1,3 360205 /dev/null
sshd 70 root 2u CHR 1,3 360205 /dev/null
sshd 70 root 3u IPv4 76 TCP *:ssh (LISTEN)
<... SNIP ...>
dhcpd 178 root cwd DIR 3,2 4096 1735010 /root
dhcpd 178 root rtd DIR 3,2 4096 2 /
dhcpd 178 root txt REG 3,2 464340 2226663 /usr/sbin/dhcpd
dhcpd 178 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
dhcpd 178 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
dhcpd 178 root mem REG 3,2 18756 33067 /lib/libnss_db-2.2.so
dhcpd 178 root mem REG 3,2 233089 33069 /lib/libnss_files-2.2.5.so
dhcpd 178 root mem REG 3,2 494600 33059 /lib/libdb-3.1.so
dhcpd 178 root 0w REG 3,2 1510 1212044 /var/state/dhcp/dhcpd.leases
dhcpd 178 root 3u unix 0xcedba0a0 197 socket
dhcpd 178 root 4u raw 198 00000000:0001->00000000:0000 st=07
dhcpd 178 root 7u IPv4 201 UDP *:bootps
<... SNIP ...>
lsof 2369 root cwd DIR 3,2 4096 1735010 /root
lsof 2369 root rtd DIR 3,2 4096 2 /
lsof 2369 root txt REG 3,2 89712 556931 /usr/bin/lsof
lsof 2369 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
lsof 2369 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
lsof 2369 root 0u CHR 4,2 360329 /dev/tty2
lsof 2369 root 1w REG 3,2 0 1735946 /root/lsof.output
lsof 2369 root 2u CHR 4,2 360329 /dev/tty2
lsof 2369 root 3r DIR 0,3 0 1 /proc
lsof 2369 root 4r DIR 0,3 0 155254792 /proc/2369/fd
lsof 2369 root 5w FIFO 0,6 12122 pipe
lsof 2369 root 6r FIFO 0,6 12123 pipe
lsof 2370 root cwd DIR 3,2 4096 1735010 /root
lsof 2370 root rtd DIR 3,2 4096 2 /
lsof 2370 root txt REG 3,2 89712 556931 /usr/bin/lsof
lsof 2370 root mem REG 3,2 435016 33054 /lib/ld-2.2.5.so
lsof 2370 root mem REG 3,2 5029105 33057 /lib/libc-2.2.5.so
lsof 2370 root 4r FIFO 0,6 12122 pipe
lsof 2370 root 7w FIFO 0,6 12123 pipe
I hope this helps...
Jok
On Fri, 22 Nov 2002, Thomas C. Meggs wrote:
> Date: Fri, 22 Nov 2002 11:28:21 -0500
---
Nothing is foolproof to a sufficiently talented fool...
oo
,(..)\
~~
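The post's point is that lsof output already ties each open file or socket to a command, PID and path. The following parser is an added example, not code from the post or from lsof's distribution: it reads lsof output of the shape quoted above (a constructed subset of those sample lines is embedded as SAMPLE), groups the rows by PID into executable path, working directory, open regular files and network endpoints, and pulls out the TCP sockets in LISTEN state, which is the first thing a responder usually wants from this listing. It assumes the default whitespace-separated columns and that the NAME of IPv4/IPv6 rows is everything after the DEVICE column; lsof -F would give a machine-readable format instead, but this matches what the post shows.

```python
import re

# Constructed sample: a subset of the lsof listing quoted in the post above.
SAMPLE = """COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 49 root cwd DIR 3,2 4096 2 /
dhcpcd 49 root txt REG 3,2 32480 1669996 /sbin/dhcpcd
dhcpcd 49 root 4u IPv4 41 UDP *:bootpc
sshd 70 root cwd DIR 3,2 4096 2 /
sshd 70 root txt REG 3,2 290208 2226684 /usr/sbin/sshd
sshd 70 root 0u CHR 1,3 360205 /dev/null
sshd 70 root 3u IPv4 76 TCP *:ssh (LISTEN)
dhcpd 178 root cwd DIR 3,2 4096 1735010 /root
dhcpd 178 root txt REG 3,2 464340 2226663 /usr/sbin/dhcpd
dhcpd 178 root 0w REG 3,2 1510 1212044 /var/state/dhcp/dhcpd.leases
dhcpd 178 root 7u IPv4 201 UDP *:bootps
"""

NET_TYPES = ("IPv4", "IPv6")


def parse_lsof(text):
    """Parse whitespace-separated lsof output into a list of row dicts.

    The first five columns (COMMAND PID USER FD TYPE) are fixed. The number
    of columns after them varies with TYPE (CHR rows have no SIZE, socket
    rows have no SIZE/NODE), so NAME is recovered as:
      - IPv4/IPv6 rows: everything after DEVICE, e.g. 'TCP *:ssh (LISTEN)'
      - any other row:  the last field (paths in this format have no spaces)
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue  # skip blanks and the header line
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed row; ignore rather than guess
        command, pid, user, fd, ftype = parts[:5]
        if ftype in NET_TYPES:
            name = " ".join(parts[6:])
        else:
            name = parts[-1]
        rows.append({"command": command, "pid": int(pid), "user": user,
                     "fd": fd, "type": ftype, "name": name})
    return rows


def summarize(rows):
    """Group rows by PID: executable (txt), cwd, regular files, network endpoints."""
    procs = {}
    for r in rows:
        p = procs.setdefault(r["pid"], {"command": r["command"], "user": r["user"],
                                        "exe": None, "cwd": None,
                                        "files": [], "net": []})
        if r["fd"] == "txt":        # the program text, i.e. the executable path
            p["exe"] = r["name"]
        elif r["fd"] == "cwd":      # current working directory
            p["cwd"] = r["name"]
        elif r["type"] in NET_TYPES:
            p["net"].append(r["name"])
        elif r["type"] == "REG":    # ordinary open files (logs, leases, ...)
            p["files"].append(r["name"])
    return procs


def listeners(procs):
    """Return (pid, command, exe, endpoint) for each TCP socket in LISTEN state."""
    found = []
    for pid, p in sorted(procs.items()):
        for endpoint in p["net"]:
            if re.search(r"\(LISTEN\)$", endpoint):
                found.append((pid, p["command"], p["exe"], endpoint))
    return found


if __name__ == "__main__":
    procs = summarize(parse_lsof(SAMPLE))
    for pid, p in sorted(procs.items()):
        print(f"{pid:>6} {p['command']:<8} exe={p['exe']} cwd={p['cwd']} "
              f"net={p['net']} files={p['files']}")
    print("listening:", listeners(procs))
```

To use it on a live system, pipe `lsof -n -P` (numeric hosts and ports, so names resolve the same way on any box) into parse_lsof instead of SAMPLE; the grouping by PID gives the executable path directly from the txt row, without the separate ps lookup the post mentions.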
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
Received on Mon Nov 25 21:40:58 2002