
Re: Compromised FBSD/Apache

From: Skip Carter <skip(at)taygeta.com>
Date: Mon Nov 25 2002 - 13:08:36 EST

> Out of curiosity what is the Linux and Solaris equivalents for doing

> > >"fstat" is your friend -- it can tell you which process holds the
> > >listening socket descriptor. On FreeBSD you have to use 'netstat -aAn'
> > >first to find the address of the protocol control block (PCB), and then
> > >grep for that in the output of 'fstat'. For example:
> > >
> > >12:44 [6] $ netstat -aAn | fgrep '*.80'
> > >c49e0a40 tcp4 0 0 *.80 *.* LISTEN

For Linux you can use 'fuser' as an equivalent:

        fuser -n tcp 80
returns a list of processes that have TCP port 80 open.

'lsof' ('list of open files') is also suitable for doing this and is available on practically
any *nix OS.

        lsof -n | grep TCP | grep http

Skip

-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip@taygeta.com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            












----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Tue Nov 26 01:17:49 2002
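
Added example, not part of the original message or of any tool named in it: on Linux, the two-step lookup quoted above (find the socket's kernel handle, then find the process holding it) can be done by hand from /proc, which helps when fuser or lsof on a suspect host cannot be trusted or is missing. The function names and the sample table are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp layout (not captured from a real host).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1
   2: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 34567 1
EOF
}

# listening_inodes PORT [TABLE]: socket inodes in LISTEN state on PORT.
listening_inodes() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" '
        NR > 1 && $4 == "0A" {               # st 0A = LISTEN
            n = split($2, a, ":")            # local_address is hex ADDR:PORT
            if (toupper(a[n]) == p) print $10    # field 10 = socket inode
        }' "${2:-/proc/net/tcp}"
}

# pids_for_inode INODE [PROCROOT]: PIDs holding a descriptor for that socket.
# Reading other users' /proc/PID/fd requires root.
pids_for_inode() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
    done | sort -un
}

# port_owners PORT [TABLE] [PROCROOT]: both steps chained.
port_owners() {
    for inode in $(listening_inodes "$1" "${2:-/proc/net/tcp}"); do
        pids_for_inode "$inode" "${3:-/proc}"
    done | sort -un
}

# Run as: sh script.sh 80
if [ -n "${1:-}" ]; then port_owners "$1"; fi
```

A listening inode that no visible process owns, or a PID that ps does not show, is itself worth noting during incident handling. IPv6 listeners are in /proc/net/tcp6, which uses the same column layout.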

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

