Pantek Library

ping22: can not kill this process

From: Mike Wang <comritesecurity(at)gmail.com>
Date: Sun Dec 30 2007 - 14:59:33 EST


Hi

      Recently one of my web servers was invaded by something called ping22. It obviously exploited some Perl CGI or PHP holes on this apache2 server, but I do not know how it got exploited.

(1) I tried to kill -9 it, but it respawns again automatically.

# ps -ef | grep ping22

www-data 16848     1 14 14:01 ?        00:06:07 ping22
root     18881 30331  0 14:43 pts/0    00:00:00 grep ping22

How can I kill it?

(2)

And from /proc/16848, the cmdline shows ping22, and lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl

I tried find / -name "*ping22*", but cannot find the file. How does ping22 get started?

(3) The kern.log showed that this ping22 seems to have something to do with IRC.


Dec 30 14:55:50 kernel: audit(1199044550.571:589724): avc: denied { name_connect } for pid=16848 comm="perl" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket

Does anyone have an idea about this ping22?

Thanks.

Mike

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Sun Dec 30 15:00:19 2007
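
The AVC denial quoted in the message above can be turned into a triage check. This is an added example, not part of the original post: Python that parses AVC denials from kern.log and counts denied outbound TCP connects from the web server domain to port types outside an allowlist. The allowlist, the function names and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: SELinux port types this web server may legitimately connect to.
EXPECTED_PORT_TYPES = {"http_port_t", "mysqld_port_t", "smtp_port_t"}
WEB_DOMAINS = {"httpd_t"}  # source domain seen in the post's log line

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level, so the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) > 2 else None
    return rec

def unexpected_outbound(lines):
    """Count denied TCP connects from web domains to unexpected port types."""
    hits = Counter()
    for line in lines:
        rec = parse_avc(line)
        if (rec and "name_connect" in rec["perms"]
                and rec.get("tclass") == "tcp_socket"
                and rec["scontext_type"] in WEB_DOMAINS
                and rec["tcontext_type"] not in EXPECTED_PORT_TYPES):
            key = (rec.get("pid"), rec.get("comm"), rec.get("dest"), rec["tcontext_type"])
            hits[key] += 1
    return hits

SAMPLE = [
    # First line is the one quoted in the post; the rest are constructed.
    'Dec 30 14:55:50 kernel: audit(1199044550.571:589724): avc: denied { name_connect } for pid=16848 comm="perl" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket',
    'Dec 30 14:56:20 kernel: audit(1199044580.112:589730): avc: denied { name_connect } for pid=16848 comm="perl" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket',
    'Dec 30 14:56:25 kernel: audit(1199044585.004:589731): avc: denied { name_connect } for pid=2210 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'Dec 30 14:56:30 kernel: audit(1199044590.900:589732): avc: denied { read } for pid=2210 comm="apache2" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'Dec 30 14:56:31 kernel: eth0: link up',
]

if __name__ == "__main__":
    for (pid, comm, dest, ttype), n in unexpected_outbound(SAMPLE).items():
        print(f"pid={pid} comm={comm} dest={dest} type={ttype} denials={n}")
```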

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:47 EDT

