ping22: cannot kill this process
Hi
Recently one of my web servers was invaded by something called ping22. It obviously exploited some Perl CGI or PHP holes on this apache2 server, but I do not know how it got exploited.
(1) I tried to kill -9 it, but it respawns again automatically.
# ps -ef | grep ping22
www-data 16848 1 14 14:01 ? 00:06:07 ping22
root 18881 30331 0 14:43 pts/0 00:00:00 grep ping22
How can I kill it?
(2) And from /proc/16848, the cmdline shows ping22, and
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
I tried find / -name "*ping22*" but cannot find the file. How does ping22 get started?
(3) The kern.log shows that this ping22 seems to have something to do with IRC.
Dec 30 14:55:50 kernel: audit(1199044550.571:589724): avc: denied { name_connect } for pid=16848 comm="perl" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
Does anyone have an idea about this ping22?
Thanks.
Mike
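Added example, not part of the original post: the listing above shows a process whose cmdline reads ping22 while /proc/16848/exe points to /usr/bin/perl, so the name shown by ps is only the process's self-reported argv[0], not necessarily a file on disk. This Python script lists every process with that kind of mismatch; the function name and the proc_root parameter are hypothetical, and a hit is a triage lead rather than proof of compromise.

```python
import os

def find_masquerading(proc_root="/proc"):
    """Return (pid, argv0, exe) for processes whose self-reported name
    does not match the binary the kernel says is executing.
    Hypothetical helper; proc_root is a parameter so a copied or
    mounted /proc tree from a suspect host can be inspected too."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric directories are processes
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if not raw:
            continue  # empty cmdline: kernel thread or zombie
        # argv[0] is the first NUL-terminated string; the process can rewrite it
        argv0 = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
        # Tolerate daemons that retitle themselves ("sshd: user@pts/0")
        # and login shells that prefix a dash ("-bash")
        first_word = argv0.split(" ", 1)[0]
        claimed = os.path.basename(first_word).rstrip(":").lstrip("-")
        # The kernel appends " (deleted)" if the binary was unlinked after exec
        real = os.path.basename(exe.replace(" (deleted)", ""))
        if claimed != real:
            hits.append((int(entry), argv0, exe))
    return sorted(hits)

if __name__ == "__main__":
    # Run as root so every process's exe link is readable
    for pid, argv0, exe in find_masquerading():
        print(f"{pid}\tclaims {argv0!r}\tactually runs {exe}")
```

Interpreted services that set their own process title will also appear in the output, so compare hits against what is expected to run under the web server account.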