Re: ping22: can not kill this process

From: Jan Luehr <jan(at)stephan.homeunix.net>
Date: Mon Dec 31 2007 - 08:03:53 EST


Hello,

On Monday, 31 December 2007, Mike Wang wrote:
> hi
> Now this ping2 comes back, this time as ping222x. Yah it must come in
> by exploiting perl or php cgi. the running user is www-data.
>

This implies some things (likely):
1. The system (as a whole) has not been compromised. All corruption can be limited to things www-data has access to.

If so, root privileges would have been acquired and ping222x would be hidden, executed as root, etc. (There is a slight chance that the binary drops its privileges down to www-data as an act of deception, but there are better ways of deception/hiding if root privileges are gained.)

2. The respawning binary has to be kept somewhere. A few explanations are possible:
a) It is kept in RAM or memory and respawns by some kind of helper application. If so, and the above statement is true, either a running "spawn" helper process (run by www-data or some user with fewer privileges that www-data is allowed to su to, e.g. "nobody" / 65534) ought to be visible, or there are cron jobs or at commands installed by www-data.
b) It is respawned by a corrupted CGI script; there ought to be traces in some CGI scripts. Diff 'em against your backups.
c) "a) is true" does not imply "b) is false": if a respawn helper is used, corrupted CGIs are also possible.

In order to exclude a), you can shut down your Apache for a moment and see if ping22 is able to respawn.

Keep smiling
yanosz

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Mon Dec 31 08:51:37 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:49 EDT
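The triage steps Jan lists (look for an orphaned helper process owned by www-data, check cron/at entries and scratch directories, diff the CGI scripts against a backup, and stop Apache to see whether the binary still comes back) can be run as one script. The following is an added example written for this archive page; it is not code from the thread or from Debian. It assumes a Debian-style box with the web user www-data, Apache started from /etc/init.d/apache2, and the binary name ping222x taken from the thread; the sample `ps` output and file layouts used to exercise it are constructed here, not captured from a real incident.

```shell
#!/bin/sh
# Triage helpers for a binary that keeps respawning as the web user.
# Added example for this page; names and paths are illustrative assumptions.

# Processes owned by the web user whose parent is init (PPID 1).  Apache's
# workers are children of the Apache parent, so a www-data process hanging
# directly off init is a likely respawn helper or the respawned binary itself.
# Reads `ps -eo user,pid,ppid,cmd` output on stdin; argument 1 is the user.
find_orphans() {
  awk -v u="$1" 'NR > 1 && $1 == u && $3 == 1'
}

# Where the running copy really lives.  /proc keeps the link even if the
# file was unlinked from disk after exec, which is a common hiding trick.
binary_location() {
  name="$1"; user="${2:-www-data}"
  for pid in $(pgrep -u "$user" -x "$name" 2>/dev/null); do
    printf '%s exe=%s cwd=%s\n' "$pid" \
      "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
  done
}

# Scheduled respawn paths available to an unprivileged user: the user's
# crontab and any at(1) jobs in the spool (paths are Debian defaults).
list_scheduled() {
  user="${1:-www-data}"
  echo "== crontab for $user =="; crontab -u "$user" -l 2>/dev/null
  echo "== at jobs owned by $user =="
  find /var/spool/cron/atjobs -user "$user" -type f 2>/dev/null
}

# Executables owned by the web user under directories it can write to.
# Usage: www_executables www-data /tmp /var/tmp /dev/shm
www_executables() {
  user="$1"; shift
  find "$@" -xdev -user "$user" -type f -perm -100 2>/dev/null | sort
}

# Files under the live document root that are missing from, or differ from,
# the backup copy: this is Jan's "diff 'em against your backups" for b).
# Usage: changed_scripts /var/www /srv/backup/var/www
changed_scripts() {
  live="$1"; backup="$2"
  find "$live" -type f | while read -r f; do
    rel="${f#"$live"/}"
    if [ ! -f "$backup/$rel" ]; then
      printf 'NEW %s\n' "$rel"
    elif ! cmp -s "$f" "$backup/$rel"; then
      printf 'MODIFIED %s\n' "$rel"
    fi
  done | sort
}

# Jan's test for excluding a): with Apache stopped, no CGI can relaunch the
# binary, so if it still comes back a helper process or cron/at job is doing
# it.  Must run as root; returns 1 when the process respawned.
respawn_check() {
  name="$1"; user="${2:-www-data}"; wait="${3:-60}"
  /etc/init.d/apache2 stop
  pkill -KILL -u "$user" -x "$name"
  sleep "$wait"
  if pgrep -u "$user" -x "$name" >/dev/null; then
    echo "RESPAWNED with Apache down: look for a helper process, cron or at job"
    return 1
  fi
  echo "did not respawn with Apache down: suspect a CGI script, diff against backups"
  return 0
}

# Typical invocation on the affected host (root):
#   ps -eo user,pid,ppid,cmd | find_orphans www-data
#   binary_location ping222x
#   list_scheduled www-data
#   www_executables www-data /tmp /var/tmp /dev/shm
#   changed_scripts /var/www /srv/backup/var/www
#   respawn_check ping222x www-data 60
```

Run the read-only checks first and copy anything they turn up (including /proc/PID/exe for a running instance) before running the kill-and-wait test, since killing the process may be the trigger that makes a helper overwrite its on-disk copy.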
