
Re: ping22: can not kill this process

From: Luis Mondesi <lemsx1(at)gmail.com>
Date: Tue Jan 01 2008 - 20:21:19 EST


On Jan 1, 2008 7:10 PM, Mike Wang <comritesecurity@gmail.com> wrote:
> Hi Jan
> thanks a lot. Happy new year to all!

Happy new year to all as well!

> I checked cron/at job, nothing related to ping22.
>
> And I checked my previous kill -9 ( see the previous post), it was
> generated like the following:
>
>
> shopping:~# ps -ef | grep ping
> www-data 6455 1 29 20:53 ? 00:07:53 ping222x
> shopping:~# kill -9 6455
>
> after killing this 6455, there immediately were two ping222x,
>
> shopping:~# ps -ef | grep ping
> www-data 8891 8887 28 21:20 ? 00:00:00 ping222x
> www-data 8893 8891 0 21:20 ? 00:00:00 ping222x
>
> tracing back the ppid of 8887, it is apache process 709:
> pid ppid
> >www-data 709 4059 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
> ( maybe a corrupted or hacked apache process or respawning helper )
> ->www-data 8887 709 0 21:20 ? 00:00:00 [sh] <defunct>
> ->www-data 8891 8887 28 21:20 ? 00:00:00 ping222x
>
> ->www-data 8893 8891 0 21:20 ? 00:00:00 ping222x
> ->www-data 8893 1 35 21:20 ? 00:00:24 ping222x
>
>
> so it looks like the apache2 709 is a helper. finally the ping222x
> made itself look like it respawned from 1 (init).
>
> I killed 709; since then it has not come back. keeping fingers
> crossed. :)

Did you check to see whether /usr/sbin/apache2 was modified? Or was it only the running process that had somehow been stack-overflow'd?

IMHO, I'd declare this box as "compromised" and redo the whole thing. Copy all data to a new box and install tripwire (or something of that sort), plus follow the Debian security manual to the last bit, before putting the box online again.

A few links:

http://www.debian.org/doc/manuals/securing-debian-howto
http://wiki.debian.org/SELinux/Setup
http://wiki.debian.org/Hardening

I know that you already had SELinux enabled (after the fact?). So, you might already have enough information to build a better box.

-- 
----)(-----
Luis Mondesi
Maestro Debiano

----- START ENCRYPTED BLOCK (Triple-ROT13) ------
Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur
fbsgjner jbeyq.
----- END ENCRYPTED BLOCK (Triple-ROT13) ------
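As an added example, not part of the thread or of any Debian tool, here is a small POSIX shell script that automates the ppid walk done by hand above, reading /proc on Linux instead of parsing ps output. For each ancestor it prints the pid, the process state (Z marks a defunct process like the [sh] in the listing), the parent pid and the executable behind it, and it flags a chain that contains a zombie or a process whose on-disk binary was deleted or replaced after it started, which bears on the question of whether /usr/sbin/apache2 itself was modified. The function names and the 64-level depth limit are my own choices.

```shell
#!/bin/sh
# Added example: trace a process's ancestry through /proc (Linux only).
# Usage: ancestry <pid>   or   suspicious <pid> && echo "look closer"

# Print "pid state ppid exe" for one process; fail if it no longer exists.
proc_line() {
    stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
    # comm is shown inside parentheses and may itself contain spaces or ')',
    # so cut from the LAST ") " and parse the numeric fields that follow it.
    after=${stat##*) }          # "state ppid pgrp session ..."
    state=${after%% *}          # R, S, D, Z (defunct), ...
    rest=${after#* }
    ppid=${rest%% *}
    # /proc/<pid>/exe is unreadable for zombies, kernel threads and other
    # users' processes; the kernel appends " (deleted)" when the file the
    # process was started from has since been unlinked or replaced.
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || exe="?"
    echo "$1 $state $ppid $exe"
}

# Follow ppid links upward until init (ppid 0) or a vanished process.
ancestry() {
    pid=$1
    n=0
    while [ "$pid" -gt 0 ] 2>/dev/null && [ "$n" -lt 64 ]; do
        line=$(proc_line "$pid") || break
        echo "$line"
        set -- $line            # $1=pid $2=state $3=ppid $4...=exe
        pid=$3
        n=$((n + 1))
    done
}

# Exit 0 when the chain holds a defunct ancestor or a process whose
# executable no longer matches what is on disk; both fit the thread's symptoms.
suspicious() {
    ancestry "$1" | awk '$2 == "Z" || $0 ~ /\(deleted\)/ { found = 1 }
                          END { exit !found }'
}
```

Run it against a surviving child (here 8891 or 8893) and the walk lands on the apache2 worker and the defunct sh without hand-copying pids between ps invocations.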


-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Tue Jan 1 20:22:17 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:51 EDT
