[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ping22: can not kill this process

      Recently one of my web server was invaded by something called ping22.  it obviously  exploited some perl cgi or php holes on this apache2 server. But I do not how it is get exploited.

(1) tried to kill -9 it, it is respawn again automatically.

# ps -ef | grep ping22
www-data 16848     1 14 14:01 ?        00:06:07 ping22
root     18881 30331  0 14:43 pts/0    00:00:00 grep ping22

how can I kill it?

And  from /proc/16848, the cmdline shows ping22. and
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl

tried to find / -name "*ping22*", can not find the file. How is ping22 get started?

(3) the kern.log showed, this ping22 seems has something to do irc.

Dec 30 14:55:50  kernel: audit(1199044550.571:589724): avc:  denied  { name_connect } for  pid=16848 comm="perl" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket

Any one has a idea of this ping22?

thanks .


Reply to: