Hello, Am Montag, 31. Dezember 2007 schrieb Mike Wang: > hi > Now this ping2 comes back, this time as ping222x. Yah it must come in > by exploiting perl or php cgi. the running user is www-data. >
This implies some things (likely): 1. The system (as whole), has not been comprimised. All corruption can be limited to things www-data has access to. If so, root privilges would have been acquired and ping222x would be hidden, executed as root, etc. (There is a slight chance that the binary drops its privileges down to www-data as an act of deception, but there are better ways for deception/hiding if root-privileges are gained) 2. The respawing binary has to be kept somewhere. A few explainations are possible: a) It is kept in ram or memory and respawns by some kind of helper applcation. If so, and above statement is true, either a runnig "spawn"-helper a process (run by www-data or some users with less priviliges www-data is allowed to su to, eg "nobody" / 65534) ought to be visible, or there are any cron-jobs, at-Commands installed by www-data. b) It is respawned by a corrupted cgi-script there ought to be traces in some cgi-Scripts. Diff 'em to your backups. c) "a) is true" does not imply "b is false": If a respawn-helper is used, corrupted cgis are also possible. In order to exclude a) you can shut down your apache for a moment and look if ping22 is able to respawn. Keep smiling yanosz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]