http bind problem (unknown process), a discussion within the Linux Security forums, part of the System Security and Security Related category.
Hi,
I had a problem with starting up httpd. It failed because the BindAddress 0.0.0.0:443 was already in use. A netstat -pam | grep 443 showed that a process R0nin was keeping this port occupied. After I killed this process http started up again.

People suggested that my Fedora box was hacked.

I did some checking today and tried to find some evidence for the hacking. I have tried the following:

1. netstat -pan | grep 443 --> returned http
2. netstat -pan | grep 5002 (default port rootkit) --> returned nothing
3. netstat -pan | grep 31337 (root shell port) --> returned nothing
4. ifconfig check for PROMISC flag --> returned ok
5. checked daemons telnet (not running) and sshd (running only for allowed IPs)
6. portscan from 2 different servers and both returned only port 80, 8080 and ssh
7. file check on /dev and searched for files beginning with ptys*. On three different servers they were all the same. I suppose they are within Fedora Core.
8. echo * and compare the output with ls. Both the same, so ls does not seem to be infected by the trojan.
9. ran the program chkrootkit and the only strange thing was:
   Searching for suspicious files and dirs, it may take a while...
   /usr/lib/perl5/5.8.1/i386-linux-thread-multi/.packlist
   /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Image/Magick/.packlist
   /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist
   /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/Gaim/.packlist
   Everything else was "not infected"
10. no access attempts in my secure and messages logs
11. Only wtmp looks strange.

Can I now be sure that there is nothing wrong with my box?
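Two of the checks in the post above (who owns the listener on port 443, and whether ls and the shell's own glob agree), scripted so they can be re-run and compared across boxes. This is an added example, not code from the thread or from either poster. The netstat output it parses is a constructed sample: the PIDs, the backupd entry and the R0nin line are placeholders modelled on the post, not captured data.

```shell
#!/bin/sh
# Added example: two of the triage checks from the post, as repeatable
# shell functions. Needs only sh, awk, sort and grep.

# Constructed sample of `netstat -pan` output (PIDs and program names are
# placeholders, not real data). netstat only fills in PID/Program name for
# other users' sockets when run as root; otherwise that column reads "-".
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/R0nin
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1100/httpd
tcp        0      0 0.0.0.0:4430            0.0.0.0:*               LISTEN      2000/backupd
tcp        0      0 :::22                   :::*                    LISTEN      900/sshd
tcp        0      0 192.168.1.5:22          10.0.0.7:51443          ESTABLISHED 901/sshd'

# listener_program PORT   (netstat output on stdin)
# Prints the PID/program of every LISTEN socket bound to exactly PORT.
# A plain `grep 443` would also match port 4430 and the foreign port 51443
# in the sample; matching the last colon-separated field of the local
# address avoids that and also works for IPv6 listeners such as :::22.
listener_program() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print $7
        }'
}

# check_port PORT EXPECTED   (netstat output on stdin)
# Returns 0 if PORT is free or every listener on it is program EXPECTED,
# 1 if some other program holds it (the situation in the post).
check_port() {
    port="$1"; expected="$2"; rc=0; found=0
    for owner in $(listener_program "$port"); do
        found=1
        case "$owner" in
            */"$expected") echo "port $port: $owner (expected)" ;;
            *)             echo "port $port: UNEXPECTED owner $owner"; rc=1 ;;
        esac
    done
    [ "$found" -eq 0 ] && echo "port $port: free"
    return $rc
}

# ls_vs_glob DIR
# Compares what the ls binary reports for DIR with the shell's own glob
# expansion (the `echo *` check). The glob never executes ls, so an ls
# patched to hide attacker files shows up as names present in the glob
# but absent from ls. Dotfiles are skipped by both sides alike.
ls_vs_glob() {
    dir="$1"
    glob=$(cd "$dir" && for f in *; do
               { [ -e "$f" ] || [ -L "$f" ]; } && printf '%s\n' "$f"
           done | sort)
    listed=$(ls -1 "$dir" | sort)
    if [ "$glob" = "$listed" ]; then
        echo "ls and glob agree for $dir"
        return 0
    fi
    echo "MISMATCH in $dir:"
    printf '%s\n' "$glob" | while IFS= read -r name; do
        printf '%s\n' "$listed" | grep -Fxq -- "$name" || echo "  hidden from ls: $name"
    done
    return 1
}

# Usage on a live box:  netstat -pan | check_port 443 httpd
# Here the constructed sample is fed in instead.
printf '%s\n' "$SAMPLE_NETSTAT" | check_port 443 httpd || true
printf '%s\n' "$SAMPLE_NETSTAT" | check_port 80 httpd
ls_vs_glob /etc || true
```

Both checks only compare user-space views with each other; a rootkit that hooks the kernel's directory or socket listing fools the shell glob and netstat equally, which is why the post's later steps (chkrootkit, an external port scan from another host) still matter.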
arvid wrote:
> Hi,
>
> I had a problem with starting up httpd. It failed because the
> BindAddress 0.0.0.0:443 was already in use.
> A netstat -pam | grep 443 showed that a process R0nin was keeping this
> port occupied. After I killed this process http started up again.
>
> People suggested that my Fedora box was hacked.
>
> I did some checking today and tried to find some evidence for the
> hacking. I have tried the following:
>
> 1. netstat -pan | grep 443 --> returned http
> 2. netstat -pan | grep 5002 (default port rootkit) --> returned nothing
> 3. netstat -pan | grep 31337 (root shell port) --> returned nothing
> 4. ifconfig check for PROMISC flag --> returned ok
> 5. checked daemons telnet (not running) and sshd (running only for allowed IPs)
> 6. portscan from 2 different servers and both returned only port 80, 8080 and ssh
> 7. file check on /dev and searched for files beginning with ptys*. On
> three different servers they were all the same. I suppose they are
> within Fedora Core.
> 8. echo * and compare the output with ls. Both the same, so ls does not
> seem to be infected by the trojan.
> 9. ran the program chkrootkit and the only strange thing was:
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/5.8.1/i386-linux-thread-multi/.packlist
> /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Image/Magick/.packlist
> /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist
> /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/Gaim/.packlist
>
> Everything else was "not infected"
>
> 10. no access attempts in my secure and messages logs
> 11. Only wtmp looks strange.
>
> Can I now be sure that there is nothing wrong with my box?

I think I had the same problem. Are you trying to run two apache servers? One on 80 and the other on 443?

-- Michael