Re: ping22: can not kill this process
Am Montag, 31. Dezember 2007 schrieb Mike Wang:
> Now this ping2 comes back, this time as ping222x. Yah it must come in
> by exploiting perl or php cgi. the running user is www-data.
This implies some things (likely):
1. The system (as whole), has not been comprimised. All corruption can be
limited to things www-data has access to.
If so, root privilges would have been acquired and ping222x would be hidden,
executed as root, etc. (There is a slight chance that the binary drops its
privileges down to www-data as an act of deception, but there are better ways
for deception/hiding if root-privileges are gained)
2. The respawing binary has to be kept somewhere. A few explainations are
a) It is kept in ram or memory and respawns by some kind of helper applcation.
If so, and above statement is true, either a runnig "spawn"-helper a process
(run by www-data or some users with less priviliges www-data is allowed to su
to, eg "nobody" / 65534) ought to be visible, or there are any cron-jobs,
at-Commands installed by www-data.
b) It is respawned by a corrupted cgi-script there ought to be traces in some
cgi-Scripts. Diff 'em to your backups.
c) "a) is true" does not imply "b is false": If a respawn-helper is used,
corrupted cgis are also possible.
In order to exclude a) you can shut down your apache for a moment and look if
ping22 is able to respawn.