Mike Wang wrote:
> Hi edwin
Hi Mike,
[btw did you mean to cc the debian-security mailing list, or you want to
keep this conversation private?]
>
> the pstree and ps showed the parent is 1 ( init)
>
> tried kill -9 again, this time it got killed. strange!
Maybe because you rebooted and enabled selinux?
Try running chkrootkit, and rkhunter, maybe you'll find something.
> I tried to kill it several times before. here is the previous
> screen capture.
I believe you tried ;)
> shopping:/# ps -ef | grep ping
> www-data 16430 1 12 13:56 ? 00:00:00 ping22
> root 16522 30331 0 13:56 pts/0 00:00:00 grep ping
> shopping:/# kill -9 16430
> shopping:/# ps -ef | grep ping
> www-data 16848 1 16 14:01 ? 00:00:00 ping22
> root 16851 30331 0 14:01 pts/0 00:00:00 grep ping
>
> the ping22 may come back in the future. I'm recently
> troubled by this ping22. when it was there, I could not even log in
> from the console unless I rebooted the machine.
>
> And after I put SELinux there (put some rules there), the
> harm is mitigated, since SELinux does not allow it to do {
> name_connect }.
>
> Dec 30 15:12:00 shopping kernel: audit(1199045520.032:629753): avc:
> denied { name_connect } for pid=16848 comm="perl" dest=6667
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
>
> The better way seems need to find how this ping22 get started
> in the first place.
Yes.
> from the apache2 access.log I could not seem to find it (I am
> not an expert on this), and I could not find the ping22 file.
>
>
> Also I did the strace for this before, not sure if it can help
> to find what ping22 is.
>
> sin_addr=inet_addr("68.87.64.146")}, [16]) = 49
Assuming this is your DNS.
> connect(20, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("217.141.180.221")}, 16) = -1 EACCES (Permission denied)
> send(20, "M+\1\0\0\1\0\0\0\0\0\0\3irc\7ircgate\3net\0\0\1\0"..., 33, 0) = 33
It seems to be connecting to irc.ircgate.net, maybe some irc bot. You
could temporarily add it to your hosts file, and set up netcat on a
machine in your LAN. Then see what it is sending.
While it is running, try to see what file descriptors it has open in
/proc/<PID>/fd, maybe it still has the original file (ping22), and you
can dump it to see what it does.
Another possibility would be to attach to the running ping22 (perl), and
tell it to core-dump (after enabling ulimit -c unlimited).
Then open the core dump with a hex editor (or vi), and look for a perl
file inside.
Best regards,
--Edwin