hi
Now this ping2 process comes back, this time as ping222x. It must have come in by exploiting a Perl or PHP CGI script; the running user is www-data.
shopping:~# ps -ef | grep ping
www-data 766 1 31 19:35 ? 00:24:46 ping222x
root 6419 31632 0 20:53 pts/1 00:00:00 grep ping
shopping:~# kill -9 766
shopping:~# ps -ef | grep ping
www-data 6455 1 32 20:53 ? 00:00:11 ping222x
root 6479 30331 0 20:54 pts/0 00:00:00 grep ping
After I kill -9 it, it is back within a few seconds.
I went to: /proc/6455:
shopping:/proc/6455# ls -l
total 0
dr-xr-xr-x 2 www-data www-data 0 2007-12-30 20:57 attr
-r-------- 1 www-data www-data 0 2007-12-30 20:57 auxv
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 cmdline
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 cwd -> /
-r-------- 1 www-data www-data 0 2007-12-30 20:57 environ
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 exe -> /usr/bin/perl
dr-x------ 2 www-data www-data 0 2007-12-30 20:57 fd
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 maps
-rw------- 1 www-data www-data 0 2007-12-30 20:57 mem
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 mounts
-rw-r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_adj
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 oom_score
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 20:57 root -> /
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 smaps
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 stat
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 statm
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 status
dr-xr-xr-x 3 www-data www-data 0 2007-12-30 20:57 task
-r--r--r-- 1 www-data www-data 0 2007-12-30 20:57 wchan
shopping:/proc/6455# lsof -p 6455
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 6455 www-data cwd DIR 3,1 4096 2 /
perl 6455 www-data rtd DIR 3,1 4096 2 /
perl 6455 www-data txt REG 3,1 1061700 458854 /usr/bin/perl
perl 6455 www-data mem REG 3,1 679624 540729
/usr/lib/libdb3.so.3.0.2
perl 6455 www-data mem REG 3,1 42472 475365
/lib/tls/libnss_files-2.3.6.so
perl 6455 www-data mem REG 3,1 15316 688142 /lib/libnss_db-
2.2.so
perl 6455 www-data mem REG 3,1 19764 2298586
/usr/lib/perl/5.8.8/auto/Socket/Socket.so
perl 6455 www-data mem REG 3,1 21872 475358 /lib/tls/libcrypt-
2.3.6.so
perl 6455 www-data mem REG 3,1 1270928 475356 /lib/tls/libc-
2.3.6.so
perl 6455 www-data mem REG 3,1 85770 475370
/lib/tls/libpthread-2.3.6.so
perl 6455 www-data mem REG 3,1 149264 475360 /lib/tls/libm-
2.3.6.so
perl 6455 www-data mem REG 3,1 9592 475359 /lib/tls/libdl-
2.3.6.so
perl 6455 www-data mem REG 3,1 15640 2298574
/usr/lib/perl/5.8.8/auto/IO/IO.so
perl 6455 www-data mem REG 3,1 92260 690921 /lib/ld-2.3.6.so
perl 6455 www-data 0r CHR 1,3 1197 /dev/null
perl 6455 www-data 1w FIFO 0,5 2746544 pipe
perl 6455 www-data 2w REG 3,67 3309106 2469237
/var/log/apache2/error.log
perl 6455 www-data 3r CHR 1,9 2138 /dev/urandom
perl 6455 www-data 4u IPv4 11236 TCP *:9090 (LISTEN)
perl 6455 www-data 5u IPv4 11238 TCP *:9898 (LISTEN)
perl 6455 www-data 6u IPv4 11240 TCP *:www (LISTEN)
perl 6455 www-data 7r FIFO 0,5 184347 pipe
perl 6455 www-data 8w FIFO 0,5 184347 pipe
perl 6455 www-data 9w REG 3,67 3309106 2469237
/var/log/apache2/error.log
perl 6455 www-data 10w REG 3,67 3647817 2469238
/var/log/apache2/access.log
perl 6455 www-data 11w REG 3,67 3647817 2469238
/var/log/apache2/access.log
perl 6455 www-data 12r FIFO 0,5 184493 pipe
perl 6455 www-data 13w FIFO 0,5 184493 pipe
perl 6455 www-data 14r FIFO 0,5 184494 pipe
perl 6455 www-data 15w FIFO 0,5 184494 pipe
perl 6455 www-data 16u sock 0,4 2238051 can't identify
protocol
shopping:/proc/6455# more maps
08048000-08148000 r-xp 00000000 03:01 458854 /usr/bin/perl
08148000-0814c000 rw-p 000ff000 03:01 458854 /usr/bin/perl
0814c000-0855b000 rw-p 0814c000 00:00 0 [heap]
a7d17000-a7dbd000 r-xp 00000000 03:01 540729 /usr/lib/libdb3.so.3.0.2
a7dbd000-a7dbe000 rw-p 000a5000 03:01 540729 /usr/lib/libdb3.so.3.0.2
a7dbe000-a7dc8000 r-xp 00000000 03:01 475365 /lib/tls/libnss_files-
2.3.6.so
a7dc8000-a7dca000 rw-p 00009000 03:01 475365 /lib/tls/libnss_files-
2.3.6.so
a7dca000-a7dce000 r-xp 00000000 03:01 688142 /lib/libnss_db-2.2.so
a7dce000-a7dcf000 rw-p 00003000 03:01 688142 /lib/libnss_db-2.2.so
a7dd8000-a7ddd000 r-xp 00000000 03:01 2298586
/usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7ddd000-a7dde000 rw-p 00004000 03:01 2298586
/usr/lib/perl/5.8.8/auto/Socket/Socket.so
a7dde000-a7e01000 rw-p a7dde000 00:00 0
a7e01000-a7e06000 r-xp 00000000 03:01 475358 /lib/tls/libcrypt-2.3.6.so
a7e06000-a7e08000 rw-p 00004000 03:01 475358 /lib/tls/libcrypt-2.3.6.so
a7e08000-a7e2f000 rw-p a7e08000 00:00 0
a7e2f000-a7f5d000 r-xp 00000000 03:01 475356 /lib/tls/libc-2.3.6.so
a7f5d000-a7f62000 r--p 0012e000 03:01 475356 /lib/tls/libc-2.3.6.so
a7f62000-a7f65000 rw-p 00133000 03:01 475356 /lib/tls/libc-2.3.6.so
a7f65000-a7f67000 rw-p a7f65000 00:00 0
a7f67000-a7f75000 r-xp 00000000 03:01 475370 /lib/tls/libpthread-
2.3.6.so
a7f75000-a7f77000 rw-p 0000d000 03:01 475370 /lib/tls/libpthread-
2.3.6.so
a7f77000-a7f79000 rw-p a7f77000 00:00 0
a7f79000-a7f9d000 r-xp 00000000 03:01 475360 /lib/tls/libm-2.3.6.so
a7f9d000-a7f9f000 rw-p 00023000 03:01 475360 /lib/tls/libm-2.3.6.so
a7f9f000-a7fa1000 r-xp 00000000 03:01 475359 /lib/tls/libdl-2.3.6.so
a7fa1000-a7fa3000 rw-p 00001000 03:01 475359 /lib/tls/libdl-2.3.6.so
a7fa6000-a7fa7000 rw-p a7fa6000 00:00 0
a7fa7000-a7fab000 r-xp 00000000 03:01 2298574
/usr/lib/perl/5.8.8/auto/IO/IO.so
a7fab000-a7fac000 rw-p 00003000 03:01 2298574
/usr/lib/perl/5.8.8/auto/IO/IO.so
a7fac000-a7fae000 rw-p a7fac000 00:00 0
a7fae000-a7fc3000 r-xp 00000000 03:01 690921 /lib/ld-2.3.6.so
a7fc3000-a7fc5000 rw-p 00015000 03:01 690921 /lib/ld-2.3.6.so
afead000-afec0000 rwxp afead000 00:00 0 [stack]
afec0000-afec3000 rw-p afec0000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]
shopping:/proc/6455# more status
Name: perl
State: R (running)
SleepAVG: 35%
Tgid: 6455
Pid: 6455
PPid: 1
TracerPid: 0
Uid: 33 33 33 33
Gid: 33 33 33 33
FDSize: 32
Groups: 33
VmPeak: 9772 kB
VmSize: 9768 kB
VmLck: 0 kB
VmHWM: 7292 kB
VmRSS: 7288 kB
VmData: 6268 kB
VmStk: 88 kB
VmExe: 1024 kB
VmLib: 2276 kB
VmPTE: 16 kB
Threads: 1
SigQ: 0/2552
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000015083
SigCgt: 0000000180000000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
shopping:/proc/6455# ls /
bin dev initrd.img Mandarin.fre.pag root srv
usr
boot etc initrd.img.old media sbin sys
var
cdrom floppy lib mnt selinux tmp
vmlinuz
cdrom0 home lost+found opt software tmp-old
vmlinuz.old
data initrd Mandarin.fre.dir proc software-back tmpvar
shopping:/proc/6455# more cmdline
ping222x
shopping:/proc/6455# find / -name "*ping222x*"
find: /proc/13005/task: No such file or directory
find: /proc/13005/fd: No such file or directory
find: /proc/6443/task: No such file or directory
find: /proc/6443/fd: No such file or directory
shopping:/var/log/apache2# grep "*ping222x" access.log
shopping:/var/log/apache2# grep "*ping222x*" access.log
shopping:/var/log/apache2# grep "*ping2*" access.log
# ls -l /usr/bin/perl
-rwxr-xr-x 2 root root 1061700 2006-12-06 18:30 /usr/bin/perl
shopping:/# apt-cache policy perl
perl:
Installed: 5.8.8-7
Candidate: 5.8.8-7etch1
Version table:
5.8.8-7etch1 0
999 http://mirrors.kernel.org stable/main Packages
999 http://security.debian.org stable/updates/main Packages
*** 5.8.8-7 0
100 /var/lib/dpkg/status
The /usr/bin/perl is not the latest stable version, but it does not seem corrupt, since I can run perl -v and other Perl scripts. I also cannot find any ping222x file (note that the grep patterns above start with a literal `*`, which grep does not treat as a shell wildcard, so a plain `grep ping222x access.log` would be a safer check). Anyway I will update it to see what happens.
I got the core dump file of ping222x (with pid 766). I opened core.766 in bvi and searched around, but could not find the script path, only something like:
0010F518 0B 00 00 00 00 01 30 00 9C 00 00 00 08 21 03 00 70 69 6E 67
......0......!..ping
0010F52C 32 32 32 78 DE 00 00 00 29 00 00 00 E8 A0 17 08 00 00 00 00
222x....)...........
It seems ping222x exploits something and loads its script from memory rather than from a file — or does it delete the file after loading it? Since /proc/6455/exe points to /usr/bin/perl while cmdline reads ping222x, the process title appears to be set by the script itself, and the parent chain shown below (8887 [sh] <defunct>, a child of apache2 pid 709) suggests it is started by a shell spawned from the web server; the strace further below also shows repeated connect() attempts to 216.31.27.42 port 6667 (commonly IRC) that are being denied. The ping222x process can be killed only after several attempts of kill -9; see below.
shopping:~# ps -ef | grep ping
www-data 6455 1 29 20:53 ? 00:07:53 ping222x
root 8882 31632 0 21:20 pts/1 00:00:00 grep ping
shopping:~# kill -9 6455
shopping:~# ps -ef | grep ping
root 8890 31632 0 21:20 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
www-data 8891 8887 28 21:20 ? 00:00:00 ping222x
www-data 8893 8891 0 21:20 ? 00:00:00 ping222x
root 8898 31632 0 21:20 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
www-data 8893 1 27 21:20 ? 00:00:03 ping222x
root 8915 31632 0 21:20 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep 8887
www-data 8887 709 0 21:20 ? 00:00:00 [sh] <defunct>
root 8937 31632 0 21:20 pts/1 00:00:00 grep 8887
shopping:~# ps -ef | grep 709
www-data 709 4059 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 8887 709 0 21:20 ? 00:00:00 [sh] <defunct>
root 8948 31632 0 21:21 pts/1 00:00:00 grep 709
shopping:~# ps -ef | grep ping
www-data 8893 1 35 21:20 ? 00:00:24 ping222x
root 8959 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# kill -9 8893
shopping:~# ps -ef | grep ping
root 8971 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 8979 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 8990 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 8992 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 8994 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 9002 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 9005 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 9009 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 9011 31632 0 21:21 pts/1 00:00:00 grep ping
shopping:~# ps -ef | grep ping
root 9013 31632 0 21:21 pts/1 00:00:00 grep ping
Also I am including the strace output here again (I did not reply-all on the second e-mail, so that part was missing from the mailing list).
shopping:~# strace -p 6455
Process 6455 attached - interrupt to quit
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such
file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open("/etc/protocols", O_RDONLY) = 17
fcntl64(17, F_GETFD) = 0
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17) = 0
munmap(0xa7fa6000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid
argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid
argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
connect(17, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("
216.31.27.42")}, 16) = -1 EACCES (Permission denied)
close(17) = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such
file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open("/etc/protocols", O_RDONLY) = 17
fcntl64(17, F_GETFD) = 0
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17) = 0
munmap(0xa7fa6000, 4096) = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such
file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open("/etc/protocols", O_RDONLY) = 17
fcntl64(17, F_GETFD) = 0
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17) = 0
munmap(0xa7fa6000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid
argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(17, SNDCTL_TMR_TIMEBASE or TCGETS, 0xafebfc58) = -1 EINVAL (Invalid
argument)
_llseek(17, 0, 0xafebfca0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
connect(17, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("
216.31.27.42")}, 16) = -1 EACCES (Permission denied)
close(17) = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such
file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open("/etc/protocols", O_RDONLY) = 17
fcntl64(17, F_GETFD) = 0
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
fstat64(17, {st_mode=S_IFREG|0644, st_size=2478, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xa7fa6000
read(17, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2478
close(17) = 0
munmap(0xa7fa6000, 4096) = 0
open("/var/lib/misc/protocols.db", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such
file or directory)
open("/var/lib/misc/protocols.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open("/etc/protocols", O_RDONLY) = 17
On Dec 30, 2007 8:25 PM, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>
> you wrote:
> > www-data 16848 1 14 14:01 ? 00:06:07 ping22
>
> Looks like it is started from Apache, most likely a CGI. Have a look at
> CWD
> of that process or look into the access log.
>
> Gruss
> Bernd
>
>
--
Best Regards
Mike