ping22: can not kill this process

To: debian-security@lists.debian.org
Subject: ping22: can not kill this process
From: "Mike Wang" <comritesecurity@gmail.com>
Date: Sun, 30 Dec 2007 14:59:33 -0500
Message-id: <[🔎] 91dd90da0712301159s3f629c4bsc288aa96a810295d@mail.gmail.com>

Hi
      Recently one of my web server was invaded by something called ping22. it obviously exploited some perl cgi or php holes on this apache2 server. But I do not how it is get exploited.

(1) tried to kill -9 it, it is respawn again automatically.

# ps -ef | grep ping22
www-data 16848     1 14 14:01 ?        00:06:07 ping22
root     18881 30331 0 14:43 pts/0    00:00:00 grep ping22

how can I kill it?

(2)
And from /proc/16848, the cmdline shows ping22. and
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl

tried to find / -name "*ping22*", can not find the file. How is ping22 get started?

(3) the kern.log showed, this ping22 seems has something to do irc.

Dec 30 14:55:50 kernel: audit(1199044550.571:589724): avc: denied { name_connect } for pid=16848 comm="perl" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket

Any one has a idea of this ping22?

thanks .

Mike

Reply to:

Follow-Ups:
- Re: ping22: can not kill this process
  - From: Török Edwin <edwintorok@gmail.com>
- Re: ping22: can not kill this process
  - From: Bill Marcum - New Address! <marcumbill@bellsouth.net>
- Re: ping22: can not kill this process
  - From: Bernd Eckenfels <ecki@lina.inka.de>

Prev by Date: Re: (CVE-2007-0855) Preparation of the next stable Debian GNU/Linux update
Next by Date: Re: ping22: can not kill this process
Previous by thread: Re: (CVE-2007-0855) Preparation of the next stable Debian GNU/Linux update
Next by thread: Re: ping22: can not kill this process
Index(es):
- Date
- Thread