[lug] ARRG! Change One Little Thing And... HACKED?

Hugh Brown hugh at math.byu.edu
Tue Aug 16 10:44:26 MDT 2005


That looks like process 537 (sendmail) is listening on 443.  Very odd.
The fact that you are running on RH9 suggests that you might be a bit out
of date on your patching.  There was a patch released recently for
mod_ssl.

I'd take the machine offline and start looking around for signs of
hacking.

Hugh

On Tue, 16 Aug 2005, Bill Thoen wrote:

> When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
> came back with some sort of samba -d process (I'm not running samba as far
> as I know), so I killed that process. It died but a new one appeared with
> a more disturbing hint. And I can't kill this one, either. What should
> apache have to do with sendmail? Is this evidence of a hack? I now get
> this:
>
> [root]# netstat -vantp|grep 443
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> 537/sendmail: accep
> tcp      317      0 206.168.217.249:80      192.200.5.40:44378
> CLOSE_WAIT  -
>
>
> - Bill Thoen
>
>
> On Tue, 16 Aug 2005, Michael Belanger wrote:
>
> > It may not have shut down completely/gracefully.  Check for running httpd
> > processes and also httpd.pid or equiv in /var/run or where configured.
> >
> >
> > Bill Thoen wrote:
> > > My web server (apache on RH 9) has been ticking along perfectly for months
> > > with no restarts, but then someone told me one of my web pages wasn't
> > > producing the right mime type for an SVG file. So I added
> > >
> > > AddType image/svg+xml .svg
> > >
> > > to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
> > > Well, it stopped all right, but it won't start now, and I get this message:
> > >
> > > Starting httpd: (98)Address already in use: make_sock: could not bind to
> > > address 0.0.0.0:443 no listening sockets available, shutting down
> > >
> > > Does anyone know what this means (besides the fact that my web site is now
> > > flatlined?)
> > >
> > > TIA,
> > >
> > > - Bill Thoen
> > >
> > >
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >
> >
> >
>
>
>
>
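
The check behind the "very odd" observation in this thread, as an added example that is not part of the original messages: compare each listening socket's owner against what that port should be running, then look up the real binary behind a flagged PID. The allowlist, the function names, and the sshd and port-25 sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: the 443 and :80 lines follow the netstat output quoted
# in the thread (unwrapped); the sshd and port-25 lines are invented.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN      412/sshd
tcp        0      0 127.0.0.1:25       0.0.0.0:*           LISTEN      530/sendmail: accep
tcp        0      0 0.0.0.0:443        0.0.0.0:*           LISTEN      537/sendmail: accep
tcp      317      0 206.168.217.249:80 192.200.5.40:44378  CLOSE_WAIT  -
EOF
}

# Read `netstat -antp` output on stdin; $1 is an assumed per-host allowlist
# of "port=program" pairs. Print one line per listener that violates it.
flag_unexpected_listeners() {
    awk -v expected="${1:-22=sshd 25=sendmail 80=httpd 443=httpd}" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)         # port follows the last ":"
        k = index($7, "/")                       # owner field is PID/program
        if (k == 0) { pid = "?"; prog = "?" }    # "-" when not run as root
        else { pid = substr($7, 1, k - 1); prog = substr($7, k + 1) }
        sub(/:$/, "", prog)                      # "sendmail:" -> "sendmail"
        if (!(port in want))
            print port, pid, prog, "unlisted-port"
        else if (prog != want[port])
            print port, pid, prog, "expected=" want[port]
    }'
}

# The name netstat shows is the process title, which a process can rewrite.
# /proc/PID/exe points at the binary that is actually running (Linux, root).
real_binary() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unknown"
}

sample_netstat | flag_unexpected_listeners
# On the live host: netstat -antp | flag_unexpected_listeners
# then, for each flagged PID: real_binary <pid>
```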


