
Re: ping22: can not kill this process



hi
     Now this ping2 comes back, this time as ping222x. It must have come in by exploiting a Perl or PHP CGI script; the running user is www-data.

shopping:~# ps -ef | grep ping
www-data   766     1 31 19:35 ?        00:24:46 ping222x
root      6419 31632  0 20:53 pts/1    00:00:00 grep ping
shopping:~# kill -9 766

shopping:~# ps -ef | grep ping
www-data  6455     1 32 20:53 ?        00:00:11 ping222x
root      6479 30331  0 20:54 pts/0    00:00:00 grep ping

After I kill -9 it, it is back within a few seconds.

I went to: /proc/6455:

shopping:/proc/6455# ls -l
total 0
dr-xr-xr-x 2 www-data www-data 0 2007-12-30 20:57 attr
-r-------- 1 www-data www-data 0 2007-12-30 20:57 auxv
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 cmdline
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 cwd -> /
-r-------- 1 www-data www-data 0 2007-12-30 20:57 environ
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 exe -> /usr/bin/perl
dr-x------ 2 www-data www-data 0 2007-12-30 20:57 fd
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 maps
-rw------- 1 www-data www-data 0 2007-12-30 20:57 mem
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 mounts
-rw-r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_adj
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_score
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 root -> /
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 smaps
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 stat
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 statm
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 status
dr-xr-xr-x 3 www-data www-data 0 2007-12-30 20:57 task
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 wchan

shopping:/proc/6455# lsof -p 6455
COMMAND  PID     USER   FD   TYPE DEVICE    SIZE    NODE NAME
perl    6455 www-data  cwd    DIR    3,1    4096       2 /
perl    6455 www-data  rtd    DIR    3,1    4096       2 /
perl    6455 www-data  txt    REG    3,1 1061700  458854 /usr/bin/perl
perl    6455 www-data  mem    REG    3,1  679624  540729 /usr/lib/libdb3.so.3.0.2
perl    6455 www-data  mem    REG    3,1   42472  475365 /lib/tls/libnss_files-2.3.6.so
perl    6455 www-data  mem    REG    3,1   15316  688142 /lib/libnss_db-2.2.so
perl    6455 www-data  mem    REG    3,1   19764 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
perl    6455 www-data  mem    REG    3,1   21872  475358 /lib/tls/libcrypt-2.3.6.so
perl    6455 www-data  mem    REG    3,1 1270928  475356 /lib/tls/libc-2.3.6.so
perl    6455 www-data  mem    REG    3,1   85770  475370 /lib/tls/libpthread-2.3.6.so
perl    6455 www-data  mem    REG    3,1  149264  475360 /lib/tls/libm-2.3.6.so
perl    6455 www-data  mem    REG    3,1    9592  475359 /lib/tls/libdl-2.3.6.so
perl    6455 www-data  mem    REG    3,1   15640 2298574 /usr/lib/perl/5.8.8/auto/IO/IO.so
perl    6455 www-data  mem    REG    3,1   92260  690921 /lib/ld-2.3.6.so
perl    6455 www-data    0r   CHR    1,3            1197 /dev/null
perl    6455 www-data    1w  FIFO    0,5         2746544 pipe
perl    6455 www-data    2w   REG   3,67 3309106 2469237 /var/log/apache2/error.log
perl    6455 www-data    3r   CHR    1,9            2138 /dev/urandom
perl    6455 www-data    4u  IPv4  11236             TCP *:9090 (LISTEN)
perl    6455 www-data    5u  IPv4  11238             TCP *:9898 (LISTEN)
perl    6455 www-data    6u  IPv4  11240             TCP *:www (LISTEN)
perl    6455 www-data    7r  FIFO    0,5          184347 pipe
perl    6455 www-data    8w  FIFO    0,5          184347 pipe
perl    6455 www-data    9w   REG   3,67 3309106 2469237 /var/log/apache2/error.log
perl    6455 www-data   10w   REG   3,67 3647817 2469238 /var/log/apache2/access.log
perl    6455 www-data   11w   REG   3,67 3647817 2469238 /var/log/apache2/access.log
perl    6455 www-data   12r  FIFO    0,5          184493 pipe
perl    6455 www-data   13w  FIFO    0,5          184493 pipe
perl    6455 www-data   14r  FIFO    0,5          184494 pipe
perl    6455 www-data   15w  FIFO    0,5          184494 pipe
perl    6455 www-data   16u  sock    0,4         2238051 can't identify protocol

shopping:/proc/6455# more maps
08048000-08148000 r-xp 00000000 03:01 458854     /usr/bin/perl
08148000-0814c000 rw-p 000ff000 03:01 458854     /usr/bin/perl
0814c000-0855b000 rw-p 0814c000 00:00 0          [heap]
a7d17000-a7dbd000 r-xp 00000000 03:01 540729     /usr/lib/libdb3.so.3.0.2
a7dbd000-a7dbe000 rw-p 000a5000 03:01 540729     /usr/lib/libdb3.so.3.0.2
a7dbe000-a7dc8000 r-xp 00000000 03:01 475365     /lib/tls/libnss_files-2.3.6.so
a7dc8000-a7dca000 rw-p 00009000 03:01 475365     /lib/tls/libnss_files-2.3.6.so
a7dca000-a7dce000 r-xp 00000000 03:01 688142     /lib/libnss_db-2.2.so
a7dce000-a7dcf000 rw-p 00003000 03:01 688142     /lib/libnss_db-2.2.so
a7dd8000-a7ddd000 r-xp 00000000 03:01 2298586    /usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7ddd000-a7dde000 rw-p 00004000 03:01 2298586    /usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7dde000-a7e01000 rw-p a7dde000 00:00 0
a7e01000-a7e06000 r-xp 00000000 03:01 475358     /lib/tls/libcrypt-2.3.6.so
a7e06000-a7e08000 rw-p 00004000 03:01 475358     /lib/tls/libcrypt-2.3.6.so
a7e08000-a7e2f000 rw-p a7e08000 00:00 0
a7e2f000-a7f5d000 r-xp 00000000 03:01 475356     /lib/tls/libc-2.3.6.so
a7f5d000-a7f62000 r--p 0012e000 03:01 475356     /lib/tls/libc-2.3.6.so
a7f62000-a7f65000 rw-p 00133000 03:01 475356     /lib/tls/libc-2.3.6.so
a7f65000-a7f67000 rw-p a7f65000 00:00 0
a7f67000-a7f75000 r-xp 00000000 03:01 475370     /lib/tls/libpthread-2.3.6.so
a7f75000-a7f77000 rw-p 0000d000 03:01 475370     /lib/tls/libpthread-2.3.6.so
a7f77000-a7f79000 rw-p a7f77000 00:00 0
a7f79000-a7f9d000 r-xp 00000000 03:01 475360     /lib/tls/libm-2.3.6.so
a7f9d000-a7f9f000 rw-p 00023000 03:01 475360     /lib/tls/libm-2.3.6.so
a7f9f000-a7fa1000 r-xp 00000000 03:01 475359     /lib/tls/libdl-2.3.6.so
a7fa1000-a7fa3000 rw-p 00001000 03:01 475359     /lib/tls/libdl-2.3.6.so
a7fa6000-a7fa7000 rw-p a7fa6000 00:00 0
a7fa7000-a7fab000 r-xp 00000000 03:01 2298574    /usr/lib/perl/5.8.8/auto/IO/IO.so
a7fab000-a7fac000 rw-p 00003000 03:01 2298574    /usr/lib/perl/5.8.8/auto/IO/IO.so
a7fac000-a7fae000 rw-p a7fac000 00:00 0
a7fae000-a7fc3000 r-xp 00000000 03:01 690921     /lib/ld-2.3.6.so
a7fc3000-a7fc5000 rw-p 00015000 03:01 690921     /lib/ld-2.3.6.so
afead000-afec0000 rwxp afead000 00:00 0          [stack]
afec0000-afec3000 rw-p afec0000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]

shopping:/proc/6455# more status
Name:   perl
State:  R (running)
SleepAVG:       35%
Tgid:   6455
Pid:    6455
PPid:   1
TracerPid:      0
Uid:    33      33      33      33
Gid:    33      33      33      33
FDSize: 32
Groups: 33
VmPeak:     9772 kB
VmSize:     9768 kB
VmLck:         0 kB
VmHWM:      7292 kB
VmRSS:      7288 kB
VmData:     6268 kB
VmStk:        88 kB
VmExe:      1024 kB
VmLib:      2276 kB
VmPTE:        16 kB
Threads:        1
SigQ:   0/2552
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000015083
SigCgt: 0000000180000000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000

shopping:/proc/6455# ls /
bin     dev     initrd.img        Mandarin.fre.pag  root           srv      usr
boot    etc     initrd.img.old    media             sbin           sys      var
cdrom   floppy  lib               mnt               selinux        tmp      vmlinuz
cdrom0  home    lost+found        opt               software       tmp-old  vmlinuz.old
data    initrd  Mandarin.fre.dir  proc              software-back  tmpvar

shopping:/proc/6455# more cmdline
ping222x


shopping:/proc/6455# find / -name "*ping222x*"
find: /proc/13005/task: No such file or directory
find: /proc/13005/fd: No such file or directory
find: /proc/6443/task: No such file or directory
find: /proc/6443/fd: No such file or directory


shopping:/var/log/apache2# grep "*ping222x" access.log
shopping:/var/log/apache2# grep "*ping222x*" access.log
shopping:/var/log/apache2# grep "*ping2*" access.log

# ls -l /usr/bin/perl
-rwxr-xr-x 2 root root 1061700 2006-12-06 18:30 /usr/bin/perl


shopping:/# apt-cache policy perl
perl:
  Installed: 5.8.8-7
  Candidate: 5.8.8-7etch1
  Version table:
     5.8.8-7etch1 0
        999 http://mirrors.kernel.org stable/main Packages
        999 http://security.debian.org stable/updates/main Packages
 *** 5.8.8-7 0
        100 /var/lib/dpkg/status


The /usr/bin/perl is not the latest stable one, but it does not seem corrupt, since I can run perl -v and other Perl scripts, and I cannot find any ping222x file. (Note that the access.log greps above use patterns beginning with "*", which grep treats as a literal asterisk, so they would not have matched "ping222x" even if it were logged.) Anyway, I will update it and see what happens.

     I got the core dump file of ping222x (with pid 766).
     Searching around in it with bvi core.766, I could not find the path, only something like:

0010F518  0B 00 00 00 00 01 30 00 9C 00 00 00 08 21 03 00 70 69 6E 67 ......0......!..ping
0010F52C  32 32 32 78 DE 00 00 00 29 00 00 00 E8 A0 17 08 00 00 00 00 222x....)...........

     It seems ping222x exploits something and loads its script from memory rather than from a file? Or does it delete the file after loading it?

     ping222x can be killed only after several attempts of kill -9; see below.

shopping:~# ps -ef | grep ping
www-data  6455     1 29 20:53 ?        00:07:53 ping222x
root      8882 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# kill -9 6455
shopping:~# ps -ef | grep ping
root      8890 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
www-data  8891  8887 28 21:20 ?        00:00:00 ping222x
www-data  8893  8891  0 21:20 ?        00:00:00 ping222x
root      8898 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
www-data  8893     1 27 21:20 ?        00:00:03 ping222x
root      8915 31632  0 21:20 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep 8887
www-data  8887   709  0 21:20 ?        00:00:00 [sh] <defunct>
root      8937 31632  0 21:20 pts/1    00:00:00 grep 8887
shopping:~# ps -ef | grep 709
www-data   709  4059  0 19:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  8887   709  0 21:20 ?        00:00:00 [sh] <defunct>
root      8948 31632  0 21:21 pts/1    00:00:00 grep 709
shopping:~# ps -ef | grep ping
www-data  8893     1 35 21:20 ?        00:00:24 ping222x
root      8959 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# kill -9 8893
shopping:~# ps -ef | grep ping
root      8971 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8979 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8990 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8992 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      8994 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9002 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9005 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9009 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9011 31632  0 21:21 pts/1    00:00:00 grep ping
shopping:~# ps -ef | grep ping
root      9013 31632  0 21:21 pts/1    00:00:00 grep ping


     Also, I have put the strace output here again (I did not reply-all on the second e-mail, so that part was missing from the mailing list).

shopping:~# strace -p 6455
Process 6455 attached - interrupt to quit
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
connect(17, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("216.31.27.42")}, 16) = -1 EACCES (Permission denied)
close(17)                               = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
connect(17, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("216.31.27.42")}, 16) = -1 EACCES (Permission denied)
close(17)                               = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17
fcntl64(17, F_GETFD)                    = 0
fcntl64(17, F_SETFD, FD_CLOEXEC)        = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17)                               = 0
munmap(0xa7fa6000, 4096)                = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/protocols", O_RDONLY)        = 17





On Dec 30, 2007 8:25 PM, Bernd Eckenfels <ecki@lina.inka.de> wrote:
In article <91dd90da0712301159s3f629c4bsc288aa96a810295d@mail.gmail.com> you wrote:
> www-data 16848     1 14 14:01 ?        00:06:07 ping22

Looks like it is started from Apache, most likely a CGI. Have a look at CWD
of that process or look into the access log.

Gruss
Bernd


--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org




--
Best Regards

Mike