Hosting Provided By

Re: ping22: can not kill this process

From: Bill Marcum - New Address! <marcumbill(at)bellsouth.net>
Date: Sun Dec 30 2007 - 19:39:11 EST

On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote:
> Hi
> Recently one of my web server was invaded by something called ping22.
> it obviously exploited some perl cgi or php holes on this apache2 server.
> But I do not how it is get exploited.
>
> (1) tried to kill -9 it, it is respawn again automatically.
>
> # ps -ef | grep ping22
> www-data 16848 1 14 14:01 ? 00:06:07 ping22
> root 18881 30331 0 14:43 pts/0 00:00:00 grep ping22
>
> how can I kill it?
>
> (2)
> And from /proc/16848, the cmdline shows ping22. and
> lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
>
> tried to find / -name "*ping22*", can not find the file. How is ping22 get
> started?
>

Either it is a perl script, or /usr/bin/perl has been corrupted.

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Sun Dec 30 19:44:56 2007

This message: [ Message body ]
Next message: Bernd Eckenfels: "Re: ping22: can not kill this process"
Previous message: Mike Wang: "Re: ping22: can not kill this process"
In reply to: Mike Wang: "ping22: can not kill this process"
Next in thread: Bernd Eckenfels: "Re: ping22: can not kill this process"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:47 EDT