[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Another thread about a non-killable process

On Tuesday 11 July 2006 11:56, heba wrote:
> 2006/7/11, Joshua J. Kugler <joshua@eeinternet.com>:
> > OK, so I understand you can't kill a process in a 'D' state.  That makes
> > sense.
> >
> > But, why can't you kill a process in state 'R'?
> >
> > This is what ps aux shows:
> >
> > ftp        899 64.9  0.2  4164 2216 ?        RNs  Jun12 27137:59 proftpd:
> > (accepting connections)
> >
> > BTW, top shows that process taking 100% CPU.
> >
> > Hmm...proftpd, oddly enough (as was the subject of the other recent
> > thread). Plain kill won't work.  Kill -9 will not kill it.  Right now, I
> > have it set at the lowest possible priority, until I get a chance to
> > reboot the machine, but is there anyway to kill an 'R' process when kill
> > -9 won't work?
> >
> > j
>
> seems a w32 or perhaps a backdoor seen the process run to ftp.

Win32?  Huh?  This is a Debian system.  Proftpd is locked (won't accept 
connections, even though it shows listening on *:ftp.

This is what top shows:

  899 ftp       39  19  4164 2216 3460 R 98.4  0.2  27190:02 proftpd

Output of lsof|grep proftpd

proftpd     899      ftp  cwd       DIR        9,1     4096          2 /
proftpd     899      ftp  rtd       DIR        9,1     4096          2 /
proftpd     899      ftp  txt       REG        9,1   568812     
501112 /usr/sbin/proftpd
proftpd     899      ftp  mem       REG        9,1    90248     
646521 /lib/ld-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    18876     
646565 /lib/tls/libcrypt-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    11024     
646488 /lib/libcap.so.1.10
proftpd     899      ftp  mem       REG        9,1    28880     
646421 /lib/libwrap.so.0.7.6
proftpd     899      ftp  mem       REG        9,1    73304     
646569 /lib/tls/libnsl-2.3.2.so
proftpd     899      ftp  mem       REG        9,1   198576     
486306 /usr/lib/i686/cmov/libssl.so.0.9.7
proftpd     899      ftp  mem       REG        9,1  1029672     
486305 /usr/lib/i686/cmov/libcrypto.so.0.9.7
proftpd     899      ftp  mem       REG        9,1    30360     
646516 /lib/libpam.so.0.76
proftpd     899      ftp  mem       REG        9,1  1254468     
646564 /lib/tls/libc-2.3.2.so
proftpd     899      ftp  mem       REG        9,1     9872     
646566 /lib/tls/libdl-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    34748     
646572 /lib/tls/libnss_files-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    28616     
646570 /lib/tls/libnss_compat-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    33440     
646574 /lib/tls/libnss_nis-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    13976     
646571 /lib/tls/libnss_dns-2.3.2.so
proftpd     899      ftp  mem       REG        9,1    64924     
646578 /lib/tls/libresolv-2.3.2.so
proftpd     899      ftp    0u     IPv4       2776                 TCP *:ftp 
(LISTEN)
proftpd     899      ftp    1uW     REG        9,2     1056     
670463 /var/run/proftpd/proftpd.scoreboard
proftpd     899      ftp    4r      REG        9,1     1248     
586047 /etc/group

So, if it's a back door, it's really good at opening all the right files to 
look the the real thing.

j

-- 
Joshua Kugler                           
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
Reply to: