Re: Another thread about a non-killable process
On Tuesday 11 July 2006 11:56, heba wrote:
> 2006/7/11, Joshua J. Kugler <joshua@eeinternet.com>:
> > OK, so I understand you can't kill a process in a 'D' state. That makes
> > sense.
> >
> > But, why can't you kill a process in state 'R'?
> >
> > This is what ps aux shows:
> >
> > ftp 899 64.9 0.2 4164 2216 ? RNs Jun12 27137:59 proftpd: (accepting connections)
> >
> > BTW, top shows that process taking 100% CPU.
> >
> > Hmm...proftpd, oddly enough (as was the subject of the other recent
> > thread). Plain kill won't work. Kill -9 will not kill it. Right now, I
> > have it set at the lowest possible priority, until I get a chance to
> > reboot the machine, but is there anyway to kill an 'R' process when kill
> > -9 won't work?
> >
> > j
>
> seems a w32 or perhaps a backdoor seen the process run to ftp.
Win32? Huh? This is a Debian system. Proftpd is locked (won't accept
connections, even though it shows listening on *:ftp).
This is what top shows:
899 ftp 39 19 4164 2216 3460 R 98.4 0.2 27190:02 proftpd
Output of lsof|grep proftpd
proftpd 899 ftp cwd DIR 9,1 4096 2 /
proftpd 899 ftp rtd DIR 9,1 4096 2 /
proftpd 899 ftp txt REG 9,1 568812 501112 /usr/sbin/proftpd
proftpd 899 ftp mem REG 9,1 90248 646521 /lib/ld-2.3.2.so
proftpd 899 ftp mem REG 9,1 18876 646565 /lib/tls/libcrypt-2.3.2.so
proftpd 899 ftp mem REG 9,1 11024 646488 /lib/libcap.so.1.10
proftpd 899 ftp mem REG 9,1 28880 646421 /lib/libwrap.so.0.7.6
proftpd 899 ftp mem REG 9,1 73304 646569 /lib/tls/libnsl-2.3.2.so
proftpd 899 ftp mem REG 9,1 198576 486306 /usr/lib/i686/cmov/libssl.so.0.9.7
proftpd 899 ftp mem REG 9,1 1029672 486305 /usr/lib/i686/cmov/libcrypto.so.0.9.7
proftpd 899 ftp mem REG 9,1 30360 646516 /lib/libpam.so.0.76
proftpd 899 ftp mem REG 9,1 1254468 646564 /lib/tls/libc-2.3.2.so
proftpd 899 ftp mem REG 9,1 9872 646566 /lib/tls/libdl-2.3.2.so
proftpd 899 ftp mem REG 9,1 34748 646572 /lib/tls/libnss_files-2.3.2.so
proftpd 899 ftp mem REG 9,1 28616 646570 /lib/tls/libnss_compat-2.3.2.so
proftpd 899 ftp mem REG 9,1 33440 646574 /lib/tls/libnss_nis-2.3.2.so
proftpd 899 ftp mem REG 9,1 13976 646571 /lib/tls/libnss_dns-2.3.2.so
proftpd 899 ftp mem REG 9,1 64924 646578 /lib/tls/libresolv-2.3.2.so
proftpd 899 ftp 0u IPv4 2776 TCP *:ftp (LISTEN)
proftpd 899 ftp 1uW REG 9,2 1056 670463 /var/run/proftpd/proftpd.scoreboard
proftpd 899 ftp 4r REG 9,1 1248 586047 /etc/group
So, if it's a back door, it's really good at opening all the right files to
look like the real thing.
j
--
Joshua Kugler
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
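The thread asks why a process in state R can outlive `kill -9`. One thing ps and top do not show is whether the kernel has actually queued SIGKILL for the task: /proc/<pid>/status exposes the scheduler state plus the per-thread (SigPnd) and process-wide (ShdPnd) pending-signal masks, where bit (signum - 1) marks a signal. If SIGKILL sits in those masks while the task stays in R, the signal is queued but never delivered, because delivery happens when the task returns to user mode and a task spinning in kernel code never gets there. The script below is an added example written for this thread, not code from the thread or from proftpd; it parses a constructed status snapshot shaped like the case above (pid 899, state R, SIGKILL pending) and can also read a live /proc entry on a Linux host.

```python
"""Diagnose a process that survives SIGKILL by reading /proc/<pid>/status.

Added example for the mailing-list thread above; not code from the thread.
"""
import sys

SIGKILL = 9  # Linux signal number; bit (SIGKILL - 1) == 1 << 8 in the masks

# Scheduler state letters as shown in the State: line of /proc/<pid>/status.
_STATE_MEANING = {
    "R": "running or runnable",
    "S": "interruptible sleep",
    "D": "uninterruptible sleep (signals wait until the kernel I/O path returns)",
    "T": "stopped",
    "Z": "zombie (already dead; only the parent's wait() removes it)",
}


def parse_status(text: str) -> dict:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def pending_signals(mask_hex: str) -> set:
    """Decode a SigPnd/ShdPnd hex mask into the set of pending signal numbers."""
    mask = int(mask_hex, 16)
    return {n for n in range(1, 65) if mask & (1 << (n - 1))}


def diagnose(status_text: str) -> dict:
    """Return state, pending signals and a verdict for one status snapshot."""
    fields = parse_status(status_text)
    state_code = fields.get("State", "?")[:1]
    pending = pending_signals(fields.get("SigPnd", "0"))
    pending |= pending_signals(fields.get("ShdPnd", "0"))
    sigkill_pending = SIGKILL in pending
    if state_code == "Z":
        verdict = "zombie: kill is pointless, the parent must reap it"
    elif state_code == "D":
        verdict = "uninterruptible: SIGKILL is honoured only when the kernel wait ends"
    elif state_code == "R" and sigkill_pending:
        verdict = "SIGKILL queued but undelivered: task is not returning from kernel mode"
    elif sigkill_pending:
        verdict = "SIGKILL queued: task should die once it is next scheduled"
    else:
        verdict = "no SIGKILL pending: the signal never reached this pid"
    return {
        "state": state_code,
        "meaning": _STATE_MEANING.get(state_code, "unknown"),
        "pending": sorted(pending),
        "sigkill_pending": sigkill_pending,
        "verdict": verdict,
    }


def diagnose_pid(pid: int) -> dict:
    """Live variant: read /proc/<pid>/status on a Linux host."""
    with open(f"/proc/{pid}/status") as fh:
        return diagnose(fh.read())


# Constructed sample resembling the thread's case: state R with SIGKILL queued.
SAMPLE_STUCK = (
    "Name:\tproftpd\n"
    "State:\tR (running)\n"
    "Pid:\t899\n"
    "SigPnd:\t0000000000000000\n"
    "ShdPnd:\t0000000000000100\n"
)

if __name__ == "__main__":
    # Usage: python3 stuck.py [pid]; without a pid the constructed sample is used.
    report = diagnose_pid(int(sys.argv[1])) if len(sys.argv) > 1 else diagnose(SAMPLE_STUCK)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a live pid after sending SIGKILL: a D-state task reports the uninterruptible verdict and will die when its I/O completes, while an R-state task with SIGKILL pending is the case from this thread, where a reboot (or whatever kernel path the task is stuck in finishing) is the only way out. A zombie reports Z and is not a running process at all, which is why it never consumes CPU the way pid 899 does.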