[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?

Bill Thoen bthoen at gisnet.com
Tue Aug 16 10:59:32 MDT 2005


I've checked the logs for Jul 30 (when the process started) but found 
nothing I can recognize. Is there a standard checklist of things to look 
for when trying to find out if this is a hack or just a broken pointer 
that could be fixed by just rebooting?

- Bill Thoen

On Tue, 16 Aug 2005, Hugh Brown wrote:

> That looks like process 537 (sendmail) is listening on 443.  Very odd.
> The fact that you are running on RH9 suggests that you might be a bit out
> of date on your patching.  There was a patch released recently for
> mod_ssl.
> 
> I'd take the machine offline and start looking around for signs of
> hacking.
> 
> Hugh
> 
> On Tue, 16 Aug 2005, Bill Thoen wrote:
> 
> > When I first tried netstat -vantp|grep 443 (per someone's suggestion) it
> > came back with some sort of samba -d process (I'm not running samba as far
> > as I know), so I killed that process. It died but a new one appeared with
> > a more disturbing hint. And I can't kill this one, either. What should
> > apache have to do with sendmail? Is this evidence of a hack? I now get
> > this:
> >
> > [root]# netstat -vantp|grep 443
> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> > 537/sendmail: accep
> > tcp      317      0 206.168.217.249:80      192.200.5.40:44378
> > CLOSE_WAIT  -
> >
> >
> > - Bill Thoen
> >
> >
> > On Tue, 16 Aug 2005, Michael Belanger wrote:
> >
> > > It may not have shut down completely/gracefully.  Check for running httpd
> > > processes and also httpd.pid or equiv in /var/run or where configured.
> > >
> > >
> > > Bill Thoen wrote:
> > > > My web server (apache on RH 9) has been ticking along perfectly for months
> > > > with no restarts, but then someone told me one of my web pages wasn't
> > > > producing the right mime type for an SVG file. So I added
> > > >
> > > > AddType image/svg+xml .svg
> > > >
> > > > to /etc/httpd/conf/httpd.conf, and tried to restart the httpd service.
> > > > Well, it stopped all right, but it won't start now, and I get this message:
> > > >
> > > > Starting httpd: (98)Address already in use: make_sock: could not bind to
> > > > address 0.0.0.0:443 no listening sockets available, shutting down
> > > >
> > > > Does anyone know what this means (besides the fact that my web site is now
> > > > flatlined?)
> > > >
> > > > TIA,
> > > >
> > > > - Bill Thoen
> > > >
> > > >
> > > > _______________________________________________
> > > > Web Page:  http://lug.boulder.co.us
> > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> > >
> > >
> > >
> >
> >
> >
> >
> 
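An added example, not from anyone in the thread, of the first item on the checklist Bill asks for: take the `netstat -vantp` output, and for every LISTEN socket compare the owning program against the service that is supposed to be on that port (as in the thread, where sendmail on 443 is the anomaly). The sample netstat lines and the expected port-to-program mapping are constructed assumptions; `inspect_pid` is a hypothetical helper for a live host.

```shell
#!/bin/sh
# Constructed sample of `netstat -vantp` output (assumed, not the thread's real host).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      537/sendmail: accep
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp      317      0 206.168.217.249:80      192.200.5.40:44378      CLOSE_WAIT  -'

# Assumed baseline for this host: port -> program that should own it.
EXPECTED='443 httpd
80 httpd
22 sshd'

# flag_unexpected_listeners: reads netstat output on stdin and prints
# "port pid program" for each LISTEN socket whose program is not the
# one in EXPECTED. Ports not in the baseline are ignored here.
flag_unexpected_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
    }
    $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # "0.0.0.0:443" -> "443"
        if (!(port in want)) next
        split($7, pp, "/")                     # "537/sendmail:" -> pid, program
        pid = pp[1]; prog = pp[2]
        sub(/:.*/, "", prog)                   # "sendmail:" -> "sendmail"
        if (prog != want[port]) print port, pid, prog
    }'
}

# inspect_pid: on a live host, show what a flagged PID really is. An exe
# path marked "(deleted)" or living under /tmp or /dev/shm, or a cwd in
# such a place, is a classic sign the listener is not the service it claims.
inspect_pid() {
    pid=$1
    printf 'exe: '; readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)'
    printf 'cwd: '; readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)'
    printf 'cmd: '; tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null; echo
}

# Run against the constructed sample; on a real host pipe `netstat -vantp` in instead.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unexpected_listeners
```

Each line printed is a listener to examine with `inspect_pid <pid>` before deciding whether it is a stale daemon or something that does not belong.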
