Re: ping22: can not kill this process
On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote:
> Hi
> Recently one of my web server was invaded by something called ping22.
> it obviously exploited some perl cgi or php holes on this apache2 server.
> But I do not how it is get exploited.
>
> (1) tried to kill -9 it, it is respawn again automatically.
>
> # ps -ef | grep ping22
> www-data 16848 1 14 14:01 ? 00:06:07 ping22
> root 18881 30331 0 14:43 pts/0 00:00:00 grep ping22
>
> how can I kill it?
>
> (2)
> And from /proc/16848, the cmdline shows ping22. and
> lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
>
> tried to find / -name "*ping22*", can not find the file. How is ping22 get
> started?
>
Either it is a perl script, or /usr/bin/perl has been corrupted.
Reply to: