[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ping22: can not kill this process


Am Montag, 31. Dezember 2007 schrieb Mike Wang:
> hi
>      Now this ping2 comes back, this time as ping222x. Yah it must come in
> by exploiting perl or php cgi. the running user is www-data.

This implies some things (likely):
1. The system (as whole), has not been comprimised. All corruption can be 
limited to things www-data has access to.

If so, root privilges would have been acquired and ping222x would be hidden, 
executed as root, etc. (There is a slight chance that the binary drops its 
privileges down to www-data as an act of deception, but there are better ways 
for deception/hiding if root-privileges are gained)

2. The respawing binary has to be kept somewhere. A few explainations are 
a) It is kept in ram or memory and respawns by some kind of helper applcation. 
If so, and above statement is true, either a runnig "spawn"-helper a process 
(run by www-data or some users with less priviliges www-data is allowed to su 
to, eg "nobody" / 65534) ought to be visible, or there are any cron-jobs, 
at-Commands installed by www-data.
b) It is respawned by a corrupted cgi-script there ought to be traces in some 
cgi-Scripts. Diff 'em to your backups.
c) "a) is true" does not imply "b is false": If a respawn-helper is used, 
corrupted cgis are also possible.

In order to exclude a) you can shut down your apache for a moment and look if 
ping22 is able to respawn.

Keep smiling

Reply to: