On Jan 1, 2008 7:10 PM, Mike Wang <[EMAIL PROTECTED]> wrote:
> Hi Jan,
> thanks a lot. Happy new year to all!

Happy new year to all as well!

> I checked cron/at jobs, nothing related to ping22.
>
> And I checked my previous kill -9 (see the previous post); it was
> generated like the following:
>
> shopping:~# ps -ef | grep ping
> www-data 6455 1 29 20:53 ? 00:07:53 ping222x
> shopping:~# kill -9 6455
>
> After killing this 6455, there were immediately two ping222x:
>
> shopping:~# ps -ef | grep ping
> www-data 8891 8887 28 21:20 ? 00:00:00 ping222x
> www-data 8893 8891 0 21:20 ? 00:00:00 ping222x
>
> Tracing back the ppid of 8887, it is apache process 709:
> pid ppid
> www-data 709 4059 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
> (maybe a corrupted or hacked apache process, or a respawning helper)
> ->www-data 8887 709 0 21:20 ? 00:00:00 [sh] <defunct>
> ->www-data 8891 8887 28 21:20 ? 00:00:00 ping222x
> ->www-data 8893 8891 0 21:20 ? 00:00:00 ping222x
> ->www-data 8893 1 35 21:20 ? 00:00:24 ping222x
>
> So it looks like the apache2 709 is a helper. Finally the ping222x
> made itself look like it respawned from 1 (init).
>
> I killed 709; since then it has not come back. Keeping fingers
> crossed. :)

Did you check to see whether /usr/sbin/apache2 was modified? Or was it only the running process that had somehow been stack-overflow'd?

IMHO, I'd declare this box as "compromised" and redo the whole thing. Copy all data to a new box and install tripwire (or something of that sort), plus follow the Debian security manual to the last bit, before putting the box online again.

A few links:
http://www.debian.org/doc/manuals/securing-debian-howto
http://wiki.debian.org/SELinux/Setup
http://wiki.debian.org/Hardening

I know that you already had SELinux enabled (after the fact?). So, you might already have enough information to build a better box.

--
----)(-----
Luis Mondesi
Maestro Debiano

----- START ENCRYPTED BLOCK (Triple-ROT13) ------
Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur fbsgjner jbeyq.
----- END ENCRYPTED BLOCK (Triple-ROT13) ------
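The parent-chain walk Mike did by hand, as an added Python example that is not code from this thread: it parses `ps -ef` output (a constructed sample modelled on the quoted lines, with PID 8895 standing in for the ping222x that reappeared under init) and flags processes owned by the web-server account that descend from apache2 without being apache2, or that have already been reparented to PID 1. The server user, the binary path and the sample PIDs are assumptions.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "uid pid ppid cmd")

# Constructed sample modelled on the ps lines quoted in the thread (the root
# apache2 parent 4059 and PID 8895 are assumed, not taken from the post).
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      4059     1  0 19:30 ?        00:00:00 /usr/sbin/apache2 -k start
www-data   709  4059  0 19:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  8887   709  0 21:20 ?        00:00:00 [sh] <defunct>
www-data  8891  8887 28 21:20 ?        00:00:00 ping222x
www-data  8893  8891  0 21:20 ?        00:00:00 ping222x
www-data  8895     1 35 21:20 ?        00:00:24 ping222x
"""

def parse_ps(text):
    """Map PID -> Proc from `ps -ef` text; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        f = line.split(None, 7)          # CMD may contain spaces: keep it whole
        if len(f) == 8:
            procs[int(f[1])] = Proc(f[0], int(f[1]), int(f[2]), f[7])
    return procs

def ancestors(procs, pid):
    """Walk PPID links from pid upwards; stops at PIDs absent from the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain

def suspicious_children(procs, user="www-data", server="/usr/sbin/apache2"):
    """PIDs owned by `user` that are not the server binary but descend from
    it, or that have been reparented to init (the respawn seen in the post)."""
    flagged = []
    for p in procs.values():
        if p.uid != user or p.cmd.startswith(server):
            continue
        under_server = any(a.cmd.startswith(server) for a in ancestors(procs, p.ppid))
        if under_server or p.ppid == 1:
            flagged.append(p.pid)
    return sorted(flagged)

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid in suspicious_children(procs):
        print(pid, "<-", " <- ".join(a.cmd for a in ancestors(procs, pid)))
```

On a live box, feed it the real listing with `parse_ps(subprocess.check_output(["ps", "-ef"], text=True))`; a defunct `[sh]` under an apache worker with a non-apache child is the pattern the thread describes.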