On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote:
> Hi
> Recently one of my web servers was invaded by something called ping22.
> It obviously exploited some perl cgi or php holes on this apache2 server.
> But I do not know how it got exploited.
>
> (1) tried to kill -9 it, it respawns again automatically.
>
> # ps -ef | grep ping22
> www-data 16848 1 14 14:01 ? 00:06:07 ping22
> root 18881 30331 0 14:43 pts/0 00:00:00 grep ping22
>
> how can I kill it?
>
> (2)
> And from /proc/16848, the cmdline shows ping22. and
> lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
>
> tried to find / -name "*ping22*", can not find the file. How does ping22 get
> started?
>

Either it is a perl script, or /usr/bin/perl has been corrupted.
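Added example, not part of the original thread: a POSIX shell check for the symptom in the quoted /proc output, where the name in cmdline (ping22) differs from the binary that exe points to (/usr/bin/perl), which is what a Perl script produces by assigning to $0. The function names and the overridable proc-root argument are assumptions of this example; a mismatch is a lead to investigate, not proof.

```shell
#!/bin/sh
# Added example: list processes whose argv[0] name does not match the
# executable the kernel actually mapped (the /proc/<pid>/exe symlink).
# The proc root is a parameter so the check can also be run against a
# copied or constructed /proc-style tree.

# check_masquerade ROOT PID
# Prints "pid<TAB>argv0<TAB>exe<TAB>cwd" and returns 0 on a mismatch,
# returns 1 when the names agree or the entry cannot be read.
check_masquerade() {
    cm_dir="$1/$2"
    [ -r "$cm_dir/cmdline" ] || return 1
    # cmdline is NUL-separated; the first field is argv[0].
    cm_argv0=$(tr '\0' '\n' < "$cm_dir/cmdline" | head -n 1)
    [ -n "$cm_argv0" ] || return 1      # kernel threads have an empty cmdline
    cm_exe=$(readlink "$cm_dir/exe" 2>/dev/null) || return 1
    cm_exe=${cm_exe% (deleted)}         # binary unlinked after start
    cm_name=${cm_argv0##*/}
    cm_name=${cm_name#-}                # login shells show up as "-bash"
    if [ "$cm_name" != "${cm_exe##*/}" ]; then
        # cwd often points at the directory the script was started from.
        cm_cwd=$(readlink "$cm_dir/cwd" 2>/dev/null) || cm_cwd='?'
        printf '%s\t%s\t%s\t%s\n' "$2" "$cm_argv0" "$cm_exe" "$cm_cwd"
        return 0
    fi
    return 1
}

# scan_proc [ROOT]
# Runs the check over every numeric entry; returns 0 if anything was flagged.
scan_proc() {
    sp_root=${1:-/proc}
    sp_found=1
    for sp_d in "$sp_root"/[0-9]*; do
        [ -d "$sp_d" ] || continue
        if check_masquerade "$sp_root" "${sp_d##*/}"; then
            sp_found=0
        fi
    done
    return "$sp_found"
}

# Run as root against the live system with:  sh thisfile --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc /proc || echo "no name/executable mismatches found"
fi
```

For the reply's second possibility, compare /usr/bin/perl against the package manager's recorded checksums (for example `debsums` or `dpkg --verify` on a Debian-style system, which the www-data user suggests), ideally using tools from trusted media.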

