
Re: ping22: can not kill this process

2007-12-30 Thread Mike Wang
Hi,
 Now this ping22 comes back, this time as ping222x. Yeah, it must come in
by exploiting a perl or php cgi. The running user is www-data.

shopping:~# ps -ef | grep ping
www-data   766     1 31 19:35 ?        00:24:46 ping222x
root      6419 31632  0 20:53 pts/1    00:00:00 grep ping
shopping:~# kill -9 766

shopping:~# ps -ef | grep ping
www-data  6455     1 32 20:53 ?        00:00:11 ping222x
root      6479 30331  0 20:54 pts/0    00:00:00 grep ping

After I kill -9 it, it is back within a few seconds.

I went to: /proc/6455:

shopping:/proc/6455# ls -l
total 0
dr-xr-xr-x 2 www-data www-data 0 2007-12-30 20:57 attr
-r-------- 1 www-data www-data 0 2007-12-30 20:57 auxv
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 cmdline
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 cwd -> /
-r-------- 1 www-data www-data 0 2007-12-30 20:57 environ
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 exe -> /usr/bin/perl
dr-x------ 2 www-data www-data 0 2007-12-30 20:57 fd
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 maps
-rw------- 1 www-data www-data 0 2007-12-30 20:57 mem
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 mounts
-rw-r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_adj
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_score
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 root -> /
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 smaps
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 stat
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 statm
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 status
dr-xr-xr-x 3 www-data www-data 0 2007-12-30 20:57 task
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 wchan

shopping:/proc/6455# lsof -p 6455
COMMAND  PID     USER   FD   TYPE DEVICE    SIZE    NODE NAME
perl    6455 www-data  cwd    DIR    3,1    4096       2 /
perl    6455 www-data  rtd    DIR    3,1    4096       2 /
perl    6455 www-data  txt    REG    3,1 1061700  458854 /usr/bin/perl
perl    6455 www-data  mem    REG    3,1  679624  540729 /usr/lib/libdb3.so.3.0.2
perl    6455 www-data  mem    REG    3,1   42472  475365 /lib/tls/libnss_files-2.3.6.so
perl    6455 www-data  mem    REG    3,1   15316  688142 /lib/libnss_db-2.2.so
perl    6455 www-data  mem    REG    3,1   19764 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
perl    6455 www-data  mem    REG    3,1   21872  475358 /lib/tls/libcrypt-2.3.6.so
perl    6455 www-data  mem    REG    3,1 1270928  475356 /lib/tls/libc-2.3.6.so
perl    6455 www-data  mem    REG    3,1   85770  475370 /lib/tls/libpthread-2.3.6.so
perl    6455 www-data  mem    REG    3,1  149264  475360 /lib/tls/libm-2.3.6.so
perl    6455 www-data  mem    REG    3,1    9592  475359 /lib/tls/libdl-2.3.6.so
perl    6455 www-data  mem    REG    3,1   15640 2298574 /usr/lib/perl/5.8.8/auto/IO/IO.so
perl    6455 www-data  mem    REG    3,1   92260  690921 /lib/ld-2.3.6.so
perl    6455 www-data    0r   CHR    1,3            1197 /dev/null
perl    6455 www-data    1w  FIFO    0,5         2746544 pipe
perl    6455 www-data    2w   REG   3,67 3309106 2469237 /var/log/apache2/error.log
perl    6455 www-data    3r   CHR    1,9            2138 /dev/urandom
perl    6455 www-data    4u  IPv4  11236             TCP *:9090 (LISTEN)
perl    6455 www-data    5u  IPv4  11238             TCP *:9898 (LISTEN)
perl    6455 www-data    6u  IPv4  11240             TCP *:www (LISTEN)
perl    6455 www-data    7r  FIFO    0,5          184347 pipe
perl    6455 www-data    8w  FIFO    0,5          184347 pipe
perl    6455 www-data    9w   REG   3,67 3309106 2469237 /var/log/apache2/error.log
perl    6455 www-data   10w   REG   3,67 3647817 2469238 /var/log/apache2/access.log
perl    6455 www-data   11w   REG   3,67 3647817 2469238 /var/log/apache2/access.log
perl    6455 www-data   12r  FIFO    0,5          184493 pipe
perl    6455 www-data   13w  FIFO    0,5          184493 pipe
perl    6455 www-data   14r  FIFO    0,5          184494 pipe
perl    6455 www-data   15w  FIFO    0,5          184494 pipe
perl    6455 www-data   16u  sock    0,4         2238051 can't identify protocol

shopping:/proc/6455# more maps
08048000-08148000 r-xp 00000000 03:01 458854  /usr/bin/perl
08148000-0814c000 rw-p 000ff000 03:01 458854  /usr/bin/perl
0814c000-0855b000 rw-p 0814c000 00:00 0       [heap]
a7d17000-a7dbd000 r-xp 00000000 03:01 540729  /usr/lib/libdb3.so.3.0.2
a7dbd000-a7dbe000 rw-p 000a5000 03:01 540729  /usr/lib/libdb3.so.3.0.2
a7dbe000-a7dc8000 r-xp 00000000 03:01 475365  /lib/tls/libnss_files-2.3.6.so
a7dc8000-a7dca000 rw-p 00009000 03:01 475365  /lib/tls/libnss_files-2.3.6.so
a7dca000-a7dce000 r-xp 00000000 03:01 688142  /lib/libnss_db-2.2.so
a7dce000-a7dcf000 rw-p 00003000 03:01 688142  /lib/libnss_db-2.2.so
a7dd8000-a7ddd000 r-xp 00000000 03:01 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7ddd000-a7dde000 rw-p 00004000 03:01 2298586 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7dde000-a7e01000 rw-p a7dde000 00:00 0
a7e01000-a7e06000 r-xp 00000000 03:01 47
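
The checks in the post above (ps name vs. /proc/<pid>/exe, cwd, parent pid, and lsof's LISTEN sockets) can be automated for a whole host. The script below is an added example, not code from the thread or from any of its participants. It reads only the standard /proc layout; the `build_demo_tree()` directory with pids 6455 and 700 is constructed sample data whose port numbers mirror the lsof listing above, and `INTERPRETERS` is this example's own list of binaries worth a second look when argv[0] names something else (ping222x -> /usr/bin/perl being the pattern here).

```python
"""Triage /proc for interpreter processes hiding behind a renamed argv[0].

Added example, not code from the thread. It automates the manual checks
above: compare /proc/<pid>/exe with the name ps shows, record cwd and
parent, and map socket fds to listening ports through /proc/net/tcp
(where lsof's "TCP *:9090 (LISTEN)" lines come from).
"""
import os
import re
import tempfile

# Binaries whose processes deserve a look when argv[0] says something else.
INTERPRETERS = {"perl", "python", "php", "ruby", "sh", "bash", "dash"}

def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return None

def _canon(name):
    # "-bash" -> "bash", "/usr/bin/perl5.8.8" -> "perl", "python3" -> "python"
    return re.sub(r"[0-9.]+$", "", os.path.basename(name).lstrip("-"))

def listening_inodes(proc_root):
    """Socket inode -> local port for every LISTEN (st == 0A) row of net/tcp."""
    table = {}
    for row in _read(os.path.join(proc_root, "net", "tcp")).splitlines()[1:]:
        f = row.split()
        if len(f) >= 10 and f[3] == "0A":
            table[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
    return table

def inspect(proc_root, pid, inodes):
    base = os.path.join(proc_root, pid)
    status = {k: v.strip() for k, _, v in
              (l.partition(":") for l in _read(os.path.join(base, "status")).splitlines())}
    ports = set()
    fd_dir = os.path.join(base, "fd")
    try:
        fds = os.listdir(fd_dir)
    except OSError:          # not root, or the process already exited
        fds = []
    for fd in fds:
        target = _readlink(os.path.join(fd_dir, fd)) or ""
        if target.startswith("socket:[") and target[8:-1] in inodes:
            ports.add(inodes[target[8:-1]])
    return {
        "pid": pid,
        "argv0": _read(os.path.join(base, "cmdline")).split("\0")[0],
        "exe": _readlink(os.path.join(base, "exe")),
        "cwd": _readlink(os.path.join(base, "cwd")),
        "ppid": status.get("PPid"),
        "listen": ports,
    }

def suspicious(info):
    """Binary is an interpreter but the visible name is not: the ping22 pattern."""
    if not info["exe"]:
        return False
    return _canon(info["exe"]) in INTERPRETERS and _canon(info["argv0"]) not in INTERPRETERS

def scan(proc_root="/proc"):
    inodes = listening_inodes(proc_root)
    infos = (inspect(proc_root, p, inodes) for p in os.listdir(proc_root) if p.isdigit())
    return [i for i in infos if suspicious(i)]

def build_demo_tree(root):
    """Constructed /proc look-alike: a disguised perl (like ping222x) and a normal CGI perl."""
    def proc(pid, argv, exe, ppid, fds):
        d = os.path.join(root, pid)
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write(f"Name:\tperl\nPPid:\t{ppid}\nUid:\t33\t33\t33\t33\n")
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink("/", os.path.join(d, "cwd"))
        for fd, target in fds.items():
            os.symlink(target, os.path.join(d, "fd", fd))
    os.makedirs(os.path.join(root, "net"))
    rows = ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"]
    for port, inode in ((9090, 11236), (9898, 11238), (80, 11240)):  # ports from the lsof listing
        rows.append(f"   0: 00000000:{port:04X} 00000000:0000 0A 00000000:00000000 "
                    f"00:00000000 00000000    33        0 {inode} 1")
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write("\n".join(rows) + "\n")
    proc("6455", ["ping222x"], "/usr/bin/perl", 1,
         {"0": "/dev/null", "4": "socket:[11236]", "5": "socket:[11238]", "6": "socket:[11240]"})
    proc("700", ["/usr/bin/perl", "/usr/lib/cgi-bin/search.pl"], "/usr/bin/perl", 650,
         {"0": "/dev/null"})

def demo():
    """Run the scan over the constructed tree; returns the flagged processes."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root)

if __name__ == "__main__":
    for h in demo():  # use scan("/proc") as root on a real host
        print(h)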

Re: ping22: can not kill this process

2007-12-30 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> www-data 16848 1 14 14:01 ?00:06:07 ping22

Looks like it is started from Apache, most likely a CGI. Have a look at CWD
of that process or look into the access log.

Gruss
Bernd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: ping22: can not kill this process

2007-12-30 Thread Bill Marcum - New Address!
On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote:
> Hi
>   Recently one of my web server was invaded by something called ping22.
> it obviously  exploited some perl cgi or php holes on this apache2 server.
> But I do not how it is get exploited.
> 
> (1) tried to kill -9 it, it is respawn again automatically.
> 
> # ps -ef | grep ping22
> www-data 16848 1 14 14:01 ?00:06:07 ping22
> root 18881 30331  0 14:43 pts/000:00:00 grep ping22
> 
> how can I kill it?
> 
> (2)
> And  from /proc/16848, the cmdline shows ping22. and
> lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
> 
> tried to find / -name "*ping22*", can not find the file. How is ping22 get
> started?
> 
Either it is a perl script, or /usr/bin/perl has been corrupted.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: ping22: can not kill this process

2007-12-30 Thread Mike Wang
Hi Edwin
  Sorry I forget to reply-all. thanks a lot for the detailed
information.
   chkrootkit/rkhunter seems ok, only three of them not ok:

shopping:/proc# chkrootkit
shopping:/proc# rkhunter --checkall --skip-keypress
* Application version scan
   - Exim MTA 3.36[ OK ]
   - GnuPG 1.2.4  [ Old or
patched version ]
   - OpenSSL 0.9.7e   [ Old or
patched version ]
   - PHP 4.4.4[ Unknown ]

the ping22 came after I reboot the machine, enabled SELinux. I only
enable apache.pp mysql.pp, my locale.pp at this time.

shopping:/proc# semodule -l
apache  1.4.0
local   1.0
mysql   1.3.0

  my locale.te may not be good, I rushed to enable SELinux only at
yesterday. I guess with a good SELinux rules it should be able to constrain
the ping22 even to run.

allow fsadm_t self:process execmem;
allow hostname_t var_run_t:dir search;
allow httpd_t dict_port_t:tcp_socket name_connect;
allow httpd_t http_cache_port_t:tcp_socket name_connect;
allow httpd_t http_port_t:tcp_socket name_connect;
allow httpd_t httpd_sys_content_t:file { setattr write };
allow httpd_t httpd_sys_script_exec_t:dir { getattr read search };
allow httpd_t httpd_sys_script_exec_t:file { execute execute_no_trans
getattr ioctl read };
allow httpd_t self:process { execmem execstack };
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t man_t:dir { getattr search };
allow httpd_t man_t:file { getattr lock read };
allow httpd_t man_t:lnk_file read;
allow httpd_t port_t:tcp_socket { name_bind name_connect };
allow httpd_t proc_net_t:dir search;
allow httpd_t proc_net_t:file { getattr read };
allow httpd_t shell_exec_t:file { execute execute_no_trans getattr read };
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t unlabeled_t:dir { getattr search };
allow httpd_t unlabeled_t:file { getattr read };
allow httpd_t var_lib_t:dir setattr;
allow httpd_t var_log_t:file { append getattr };
allow httpd_t var_spool_t:dir { add_name remove_name write };
allow httpd_t var_spool_t:file { append create getattr lock read rename
setattr unlink write };
allow httpd_t var_t:dir read;
allow httpd_t var_t:file { getattr read };
allow hwclock_t tmpfs_t:dir search;
allow iptables_t self:process { execmem execstack };
allow iptables_t var_lib_t:dir search;
allow mount_t initrc_var_run_t:dir { getattr mounton };
allow mysqld_t default_t:dir { add_name getattr read search write };
allow mysqld_t default_t:file { create getattr read write };
allow mysqld_t httpd_sys_script_exec_t:dir { getattr search };
allow syslogd_t device_t:fifo_file { ioctl read write };
allow syslogd_t self:process { execmem execstack };
allow syslogd_t var_lib_t:dir search;


68.87.64.146  is not my ip.

since I killed that ping22, I can not do the coredump at this time. I
remembered I check the proc//fd, there is nothing ping22, and also did
lsof, could not find ping22.

For now I will keep the SELinux locale.t as it is, hope ping22 will exploit
my machine again, then I will try to get something as you suggested, and
keep it posted on the mailing list.


regards.

Mike

On Dec 30, 2007 3:54 PM, Török Edwin <[EMAIL PROTECTED]> wrote:

> Mike Wang wrote:
> > Hi edwin
>
> Hi Mike,
> [btw did you mean to cc the debian-security mailing list, or you want to
> keep this conversation private?]
>
> >
> >the pstree and ps showed the parent is 1 ( init)
> >
> >tried kill -9 again, this time is got killed. strange!
>
> Maybe because you rebooted and enabled selinux?
> Try running chkrootkit, and rkhunter, maybe you'll find something.
>
> >I tried to kill it serveral times before. here is the previous
> > screen capture.
>
> I believe you tried ;)
>
> > shopping:/# ps -ef | grep ping
> > www-data 16430 1 12 13:56 ?00:00:00 ping22
> > root 16522 30331  0 13:56 pts/000:00:00 grep ping
> > shopping:/#  kill -9 16430
> > shopping:/# ps -ef | grep ping
> > www-data 16848 1 16 14:01 ?00:00:00 ping22
> > root 16851 30331  0 14:01 pts/000:00:00 grep ping
> >
> > the ping22 may be  come back in the future. I'm recently
> > troubled by this ping22.  when it was there, I even could not login
> > from the console except I reboot the machine.
> >
> >And After I put the SELinux there ( put some rules there), the
> > harm is  mitigated, since SElinux do not allow it  to  do  {
> > name_connect } .
> >
> > Dec 30 15:12:00 shopping kernel: audit(1199045520.032:629753): avc:
> > denied  { name_connect } for  pid=16848 comm="perl" dest=6667
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
> >
> > The better way seems need to find how this ping22  get started
> > in the first place.
>
> Yes.
>
> > from the apache2 access.log I seems could not find it.( I am
> > not an expert

Re: ping22: can not kill this process

2007-12-30 Thread Török Edwin
Mike Wang wrote:
> Hi
>   Recently one of my web server was invaded by something called
> ping22.  it obviously  exploited some perl cgi or php holes on this
> apache2 server. But I do not how it is get exploited.
>
> (1) tried to kill -9 it, it is respawn again automatically.
>

respawn by whom? Try to use pstree to find out.

Best regards,
--Edwin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



ping22: can not kill this process

2007-12-30 Thread Mike Wang
Hi
  Recently one of my web server was invaded by something called ping22.
it obviously  exploited some perl cgi or php holes on this apache2 server.
But I do not how it is get exploited.

(1) tried to kill -9 it, it is respawn again automatically.

# ps -ef | grep ping22
www-data 16848 1 14 14:01 ?00:06:07 ping22
root 18881 30331  0 14:43 pts/000:00:00 grep ping22

how can I kill it?

(2)
And  from /proc/16848, the cmdline shows ping22. and
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl

tried to find / -name "*ping22*", can not find the file. How is ping22 get
started?

(3) the kern.log showed, this ping22 seems has something to do irc.

Dec 30 14:55:50  kernel: audit(1199044550.571:589724): avc:  denied  {
name_connect } for  pid=16848 comm="perl" dest=6667
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket


Any one has a idea of this ping22?

thanks .

Mike