Hi
Recently one of my web servers was invaded by something called ping22.
It obviously exploited some perl CGI or PHP holes on this apache2 server.
But I do not know how it got exploited.
(1) I tried to kill -9 it, but it respawns again automatically.
# ps -ef | grep ping22
www-data 16848 1 14 14:01 ? 00:06:07 ping22
root 18881 30331 0 14:43 pts/0 00:00:00 grep ping22
How can I kill it?
(2) In /proc/16848, cmdline shows ping22, and
lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
I tried find / -name "*ping22*" but cannot find the file. How does ping22 get
started?
(3) kern.log shows this ping22 seems to have something to do with irc.
Dec 30 14:55:50 kernel: audit(1199044550.571:589724): avc: denied {
name_connect } for pid=16848 comm="perl" dest=6667
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
Anyone have an idea about this ping22?
Thanks.
Mike
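The two clues in the post (a process whose ps name "ping22" does not match its /proc/<pid>/exe target /usr/bin/perl, and an SELinux avc denial for a connect to port 6667) can both be checked mechanically. The script below is an added example, not code from the post or its thread; it assumes a Linux /proc layout, reads /proc/<pid>/cmdline (process memory, which the process itself can rewrite) and /proc/<pid>/exe (a kernel-maintained link), and reports processes where the two disagree or where the executable has been deleted. It also parses avc lines of the form quoted above into fields. The helper names, the proc_root parameter, and the sample data are the example's own.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the audit line quoted in the post, joined onto one line.
SAMPLE_AVC_LINE = (
    "Dec 30 14:55:50 kernel: audit(1199044550.571:589724): avc: denied "
    "{ name_connect } for pid=16848 comm=\"perl\" dest=6667 "
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Split an SELinux 'avc: denied' line into its permission and key=value fields.

    Returns None for lines that are not avc denials. Quoted values (comm="perl")
    are returned without their quotes.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perm": m.group("perm")}
    for key, val in KV_RE.findall(m.group("kv")):
        fields[key] = val.strip('"')
    return fields


def read_ppid(proc_dir: str) -> int:
    """Parent pid from /proc/<pid>/status; -1 if unreadable (ppid 1 means reparented to init)."""
    try:
        with open(os.path.join(proc_dir, "status")) as fh:
            for ln in fh:
                if ln.startswith("PPid:"):
                    return int(ln.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return -1


def process_view(proc_dir: str) -> Optional[Tuple[int, int, str, str]]:
    """Return (pid, ppid, argv0, exe_target) for one /proc/<pid> directory, or None."""
    try:
        pid = int(os.path.basename(proc_dir))
    except ValueError:
        return None
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
            argv = fh.read().split(b"\0")
        argv0 = argv[0].decode(errors="replace") if argv and argv[0] else ""
        exe = os.readlink(os.path.join(proc_dir, "exe"))
    except OSError:
        # Kernel threads have no exe; other users' processes need root to readlink.
        return None
    return pid, read_ppid(proc_dir), argv0, exe


def find_masquerading(proc_root: str = "/proc") -> List[Tuple[int, int, str, str, str]]:
    """Triage list of (pid, ppid, argv0, exe, reason) for suspicious-looking processes.

    A mismatch between argv[0] (what ps prints) and the exe link is a heuristic:
    login shells ("-bash") and versioned interpreters produce false positives,
    so the result is a list to inspect, not a verdict.
    """
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        view = process_view(os.path.join(proc_root, name))
        if view is None:
            continue
        pid, ppid, argv0, exe = view
        deleted = exe.endswith(" (deleted)")
        exe_path = exe[: -len(" (deleted)")] if deleted else exe
        argv_base = os.path.basename(argv0).lstrip("-")
        if deleted:
            findings.append((pid, ppid, argv0, exe, "executable deleted from disk"))
        elif argv_base != os.path.basename(exe_path):
            findings.append((pid, ppid, argv0, exe, "argv[0] does not match exe"))
    return findings


if __name__ == "__main__":
    for pid, ppid, argv0, exe, reason in find_masquerading():
        print(f"pid={pid} ppid={ppid} argv0={argv0!r} exe={exe} ({reason})")
    print(parse_avc(SAMPLE_AVC_LINE))
```

Run as root so every process's exe link is readable. A hit with ppid 1 like the one in the post means the parent that started it has already exited; the cron, at, or web-server-spawned script that respawns it has to be found separately, for example from the timestamps of the apache access log around the process start time and from the www-data user's crontab.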