
Re: ping22: can not kill this process

From: Mike Wang <comritesecurity(at)gmail.com>
Date: Sun Dec 30 2007 - 21:28:58 EST


hi

     Now this ping2 has come back, this time as ping222x. Yah, it must have come in by exploiting a Perl or PHP CGI script; the running user is www-data.

shopping:~# ps -ef | grep ping

www-data   766     1 31 19:35 ?        00:24:46 ping222x
root      6419 31632  0 20:53 pts/1    00:00:00 grep ping
shopping:~# kill -9 766

shopping:~# ps -ef | grep ping

www-data  6455     1 32 20:53 ?        00:00:11 ping222x
root      6479 30331  0 20:54 pts/0    00:00:00 grep ping

After I kill -9 it, it comes back within a few seconds.

I went to: /proc/6455:

shopping:/proc/6455# ls -l
total 0

dr-xr-xr-x 2 www-data www-data 0 2007-12-30 20:57 attr

-r-------- 1 www-data www-data 0 2007-12-30 20:57 auxv
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 cmdline
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 cwd -> /
-r-------- 1 www-data www-data 0 2007-12-30 20:57 environ
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 exe -> /usr/bin/perl
dr-x------ 2 www-data www-data 0 2007-12-30 20:57 fd
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 maps
-rw------- 1 www-data www-data 0 2007-12-30 20:57 mem
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 mounts
-rw-r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_adj
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_score
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 root -> /
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 smaps
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 stat
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 statm
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 status
dr-xr-xr-x 3 www-data www-data 0 2007-12-30 20:57 task
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 wchan

shopping:/proc/6455# lsof -p 6455

COMMAND  PID     USER   FD   TYPE DEVICE    SIZE    NODE NAME
perl    6455 www-data  cwd    DIR    3,1    4096       2 /
perl    6455 www-data  rtd    DIR    3,1    4096       2 /
perl 6455 www-data txt REG 3,1 1061700 458854 /usr/bin/perl
perl 6455 www-data mem REG 3,1 679624 540729 /usr/lib/libdb3.so.3.0.2
perl 6455 www-data mem REG 3,1 42472 475365 /lib/tls/libnss_files-2.3.6.so
perl 6455 www-data mem REG 3,1 15316 688142 /lib/libnss_db-2.2.so
perl 6455 www-data mem REG 3,1 19764 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
perl 6455 www-data mem REG 3,1 21872 475358 /lib/tls/libcrypt-2.3.6.so
perl 6455 www-data mem REG 3,1 1270928 475356 /lib/tls/libc-2.3.6.so
perl 6455 www-data mem REG 3,1 85770 475370 /lib/tls/libpthread-2.3.6.so
perl 6455 www-data mem REG 3,1 149264 475360 /lib/tls/libm-2.3.6.so
perl 6455 www-data mem REG 3,1 9592 475359 /lib/tls/libdl-2.3.6.so
perl 6455 www-data mem REG 3,1 15640 2298574 /usr/lib/perl/5.8.8/auto/IO/IO.so
perl    6455 www-data  mem    REG    3,1   92260  690921 /lib/ld-2.3.6.so
perl    6455 www-data    0r   CHR    1,3            1197 /dev/null
perl    6455 www-data    1w  FIFO    0,5         2746544 pipe
perl    6455 www-data    2w   REG   3,67 3309106 2469237 /var/log/apache2/error.log
perl    6455 www-data    3r   CHR    1,9            2138 /dev/urandom
perl    6455 www-data    4u  IPv4  11236             TCP *:9090 (LISTEN)
perl    6455 www-data    5u  IPv4  11238             TCP *:9898 (LISTEN)
perl    6455 www-data    6u  IPv4  11240             TCP *:www (LISTEN)
perl    6455 www-data    7r  FIFO    0,5          184347 pipe
perl    6455 www-data    8w  FIFO    0,5          184347 pipe
perl 6455 www-data 9w REG 3,67 3309106 2469237 /var/log/apache2/error.log
perl 6455 www-data 10w REG 3,67 3647817 2469238 /var/log/apache2/access.log
perl 6455 www-data 11w REG 3,67 3647817 2469238 /var/log/apache2/access.log
perl    6455 www-data   12r  FIFO    0,5          184493 pipe
perl    6455 www-data   13w  FIFO    0,5          184493 pipe
perl    6455 www-data   14r  FIFO    0,5          184494 pipe
perl    6455 www-data   15w  FIFO    0,5          184494 pipe
perl    6455 www-data   16u  sock    0,4         2238051 can't identify protocol

shopping:/proc/6455# more maps

08048000-08148000 r-xp 00000000 03:01 458854     /usr/bin/perl
08148000-0814c000 rw-p 000ff000 03:01 458854 /usr/bin/perl
0814c000-0855b000 rw-p 0814c000 00:00 0 [heap]
a7d17000-a7dbd000 r-xp 00000000 03:01 540729 /usr/lib/libdb3.so.3.0.2
a7dbd000-a7dbe000 rw-p 000a5000 03:01 540729 /usr/lib/libdb3.so.3.0.2
a7dbe000-a7dc8000 r-xp 00000000 03:01 475365 /lib/tls/libnss_files-2.3.6.so
a7dc8000-a7dca000 rw-p 00009000 03:01 475365 /lib/tls/libnss_files-2.3.6.so
a7dca000-a7dce000 r-xp 00000000 03:01 688142 /lib/libnss_db-2.2.so
a7dce000-a7dcf000 rw-p 00003000 03:01 688142 /lib/libnss_db-2.2.so
a7dd8000-a7ddd000 r-xp 00000000 03:01 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7ddd000-a7dde000 rw-p 00004000 03:01 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7dde000-a7e01000 rw-p a7dde000 00:00 0
a7e01000-a7e06000 r-xp 00000000 03:01 475358     /lib/tls/libcrypt-2.3.6.so
a7e06000-a7e08000 rw-p 00004000 03:01 475358     /lib/tls/libcrypt-2.3.6.so
a7e08000-a7e2f000 rw-p a7e08000 00:00 0
a7e2f000-a7f5d000 r-xp 00000000 03:01 475356     /lib/tls/libc-2.3.6.so
a7f5d000-a7f62000 r--p 0012e000 03:01 475356     /lib/tls/libc-2.3.6.so
a7f62000-a7f65000 rw-p 00133000 03:01 475356     /lib/tls/libc-2.3.6.so
a7f65000-a7f67000 rw-p a7f65000 00:00 0
a7f67000-a7f75000 r-xp 00000000 03:01 475370     /lib/tls/libpthread-2.3.6.so
a7f75000-a7f77000 rw-p 0000d000 03:01 475370     /lib/tls/libpthread-2.3.6.so
a7f77000-a7f79000 rw-p a7f77000 00:00 0
a7f79000-a7f9d000 r-xp 00000000 03:01 475360     /lib/tls/libm-2.3.6.so
a7f9d000-a7f9f000 rw-p 00023000 03:01 475360     /lib/tls/libm-2.3.6.so
a7f9f000-a7fa1000 r-xp 00000000 03:01 475359     /lib/tls/libdl-2.3.6.so
a7fa1000-a7fa3000 rw-p 00001000 03:01 475359     /lib/tls/libdl-2.3.6.so
a7fa6000-a7fa7000 rw-p a7fa6000 00:00 0
a7fa7000-a7fab000 r-xp 00000000 03:01 2298574 /usr/lib/perl/5.8.8/auto/IO/IO.so
a7fab000-a7fac000 rw-p 00003000 03:01 2298574 /usr/lib/perl/5.8.8/auto/IO/IO.so
a7fac000-a7fae000 rw-p a7fac000 00:00 0
a7fae000-a7fc3000 r-xp 00000000 03:01 690921     /lib/ld-2.3.6.so
a7fc3000-a7fc5000 rw-p 00015000 03:01 690921     /lib/ld-2.3.6.so
afead000-afec0000 rwxp afead000 00:00 0 [stack]
afec0000-afec3000 rw-p afec0000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]

shopping:/proc/6455# more status
Name: perl
State: R (running)
SleepAVG: 35%
Tgid: 6455
Pid: 6455
PPid: 1

TracerPid:      0
Uid:    33      33      33      33
Gid:    33      33      33      33
FDSize: 32
Groups: 33
VmPeak:     9772 kB
VmSize:     9768 kB
VmLck:         0 kB
VmHWM:      7292 kB
VmRSS:      7288 kB
VmData:     6268 kB
VmStk:        88 kB
VmExe:      1024 kB
VmLib:      2276 kB
VmPTE:        16 kB
Threads:        1

SigQ: 0/2552
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000015083
SigCgt: 0000000180000000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000

shopping:/proc/6455# ls /
bin     dev     initrd.img        Mandarin.fre.pag  root           srv
usr
boot    etc     initrd.img.old    media             sbin           sys
var
cdrom   floppy  lib               mnt               selinux        tmp
vmlinuz
cdrom0  home    lost+found        opt               software       tmp-old
vmlinuz.old
data    initrd  Mandarin.fre.dir  proc              software-back  tmpvar

shopping:/proc/6455# more cmdline
ping222x

shopping:/proc/6455# find / -name "*ping222x*"

find: /proc/13005/task: No such file or directory
find: /proc/13005/fd: No such file or directory
find: /proc/6443/task: No such file or directory
find: /proc/6443/fd: No such file or directory


shopping:/var/log/apache2# grep "*ping222x" access.log
shopping:/var/log/apache2# grep "*ping222x*" access.log
shopping:/var/log/apache2# grep "*ping2*" access.log

# ls -l /usr/bin/perl
-rwxr-xr-x 2 root root 1061700 2006-12-06 18:30 /usr/bin/perl

shopping:/# apt-cache policy perl
perl:
  Installed: 5.8.8-7
  Candidate: 5.8.8-7etch1
  Version table:

     5.8.8-7etch1 0
        999 http://mirrors.kernel.org stable/main Packages
        999 http://security.debian.org stable/updates/main Packages
 *** 5.8.8-7 0
        100 /var/lib/dpkg/status

The /usr/bin/perl is not the latest stable one, but it does not seem to be corrupt, since I can run perl -v and other Perl scripts fine. I cannot find any ping222x file either. Anyway, I will update it and see what happens.

     I got the core dump file of ping222x (with pid 766).
     Searching through it with bvi, I could not find the path, only something
like:

0010F518 0B 00 00 00 00 01 30 00 9C 00 00 00 08 21 03 00 70 69 6E 67 ......0......!..ping
0010F52C 32 32 32 78 DE 00 00 00 29 00 00 00 E8 A0 17 08 00 00 00 00 222x....)...........


     It seems ping222x exploits something and loads its script from memory, not from a file?? Or does it delete the file after loading??

     ping222x can be killed only after several attempts of kill -9. See below: the respawned ping222x (pid 8891) has parent 8887, a [sh] whose parent is the apache2 worker 709, so the restart is coming through Apache rather than from the killed process itself.

shopping:~# ps -ef | grep ping

www-data  6455     1 29 20:53 ?        00:07:53 ping222x
root      8882 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# kill -9 6455
shopping:~# ps -ef | grep ping
root      8890 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
www-data  8891  8887 28 21:20 ?        00:00:00 ping222x
www-data  8893  8891  0 21:20 ?        00:00:00 ping222x
root      8898 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
www-data  8893     1 27 21:20 ?        00:00:03 ping222x
root      8915 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep 8887
www-data  8887   709  0 21:20 ?        00:00:00 [sh] 
root      8937 31632  0 21:20 pts/1    00:00:00 grep 8887
shopping:~# ps -ef | grep 709
www-data   709  4059  0 19:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  8887   709  0 21:20 ?        00:00:00 [sh] 
root      8948 31632  0 21:21 pts/1    00:00:00 grep 709
shopping:~# ps -ef | grep ping
www-data  8893     1 35 21:20 ?        00:00:24 ping222x
root      8959 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# kill -9 8893
shopping:~# ps -ef | grep ping
root      8971 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8979 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8990 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8992 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8994 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9002 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9005 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9009 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9011 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 9013 31632 0 21:21 pts/1 00:00:00 grep ping

     Also I am putting the strace output here again (I did not reply-all on the second e-mail, so that part was missing from the mailing list). Note the repeated connect() to 216.31.27.42 on port 6667, which fails with EACCES each time.

shopping:~# strace -p 6455
Process 6455 attached - interrupt to quit
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)

open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
connect(17, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("216.31.27.42")}, 16) = -1 EACCES (Permission denied)
close(17)                               = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
connect(17, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("216.31.27.42")}, 16) = -1 EACCES (Permission denied)
close(17)                               = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY) = 17

On Dec 30, 2007 8:25 PM, Bernd Eckenfels <ecki@lina.inka.de> wrote:

> In article <91dd90da0712301159s3f629c4bsc288aa96a810295d@mail.gmail.com>
> you wrote:
> > www-data 16848     1 14 14:01 ?        00:06:07 ping22
>
> Looks like it is started from Apache, most likely a CGI. Have a look at
> CWD
> of that process or look into the access log.
>
> Gruss
> Bernd
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>

--

Best Regards

Mike


--

To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Received on Sun Dec 30 21:29:39 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:48 EDT

