
Re: ping22: can not kill this process



On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote:
> Hi
>       Recently one of my web servers was invaded by something called ping22.
> It obviously exploited some perl cgi or php holes on this apache2 server.
> But I do not know how it got exploited.
> 
> (1) I tried to kill -9 it, but it respawns automatically.
> 
> # ps -ef | grep ping22
> www-data 16848     1 14 14:01 ?        00:06:07 ping22
> root     18881 30331  0 14:43 pts/0    00:00:00 grep ping22
> 
> How can I kill it?
> 
> (2)
> And from /proc/16848, the cmdline shows ping22, and
> lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
> 
> I tried find / -name "*ping22*" but cannot find the file. How does ping22 get
> started?
> 
Either it is a perl script, or /usr/bin/perl has been corrupted.
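
An added example, not part of the original messages: a shell function that lists processes in the state quoted above, where `exe` points at a script interpreter but the command line names something else (a Perl script can do this by assigning to `$0`). The function name, the interpreter list and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. List processes whose exe is a script interpreter while
# argv[0] names something else, like the "ping22" entry quoted above.

# masquerading_procs [proc_root]   (proc_root defaults to /proc; the
# argument exists only so the check can be run against a test tree)
masquerading_procs() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # exe is unreadable for other users' processes unless run as root
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "${exe##*/}" in
            perl*)   family=perl ;;
            python*) family=python ;;
            php*)    family=php ;;
            ruby*)   family=ruby ;;
            *)       continue ;;
        esac
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; the first field is argv[0]
        name=$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)
        # A normally started script shows the interpreter as argv[0]
        case "${name##*/}" in
            "$family"*) continue ;;
        esac
        ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null) || ppid=?
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=?
        printf 'pid=%s name=%s exe=%s ppid=%s cwd=%s\n' \
            "${dir##*/}" "$name" "$exe" "$ppid" "$cwd"
    done
}

masquerading_procs "${1:-/proc}"
```

Legitimate daemons that set their own process title will also be listed, so the output is a list to review rather than a verdict.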

