Re: ping22: can not kill this process

2007-12-30 Thread Bill Marcum - New Address!
On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote:
 Hi
   Recently one of my web servers was invaded by something called ping22.
 It obviously exploited some perl cgi or php holes on this apache2 server.
 But I do not know how it got exploited.
 
 (1) tried to kill -9 it, but it respawns again automatically.
 
 # ps -ef | grep ping22
 www-data 16848     1 14 14:01 ?        00:06:07 ping22
 root     18881 30331  0 14:43 pts/0    00:00:00 grep ping22
 
 how can I kill it?
 
 (2)
 And from /proc/16848, the cmdline shows ping22, and
 lrwxrwxrwx 1 www-data www-data 0 2007-12-30 14:50 exe -> /usr/bin/perl
 
 tried to find / -name *ping22*, can not find the file. How does ping22 get
 started?
 
Either it is a perl script, or /usr/bin/perl has been corrupted.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
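
A triage check for the situation in the message above, as an added example that is not part of the original post: it lists processes whose `exe` link is a script interpreter but whose `argv[0]` shows another name, as with ping22 and /usr/bin/perl. The function name `find_masked_procs` and the interpreter list are assumptions of this example.

```shell
#!/bin/sh
# Added example: list processes whose argv[0] hides the interpreter that is
# really running them (the ping22 / /usr/bin/perl case in the message above).
# Usage: find_masked_procs [PROC_ROOT]   (PROC_ROOT defaults to /proc)

find_masked_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        # exe is unreadable for other users' processes unless run as root,
        # and absent for kernel threads: skip those entries.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        exe=${exe% (deleted)}        # suffix added when the binary was replaced
        exe_name=${exe##*/}
        case $exe_name in
            perl*)   family='perl*' ;;
            python*) family='python*' ;;
            php*)    family='php*' ;;
            *)       continue ;;     # only script interpreters are checked
        esac
        # cmdline is NUL-separated; the first field is argv[0].
        argv0=$(tr '\0' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)
        argv0_name=${argv0##*/}
        # A script started normally keeps the interpreter name in argv[0]
        # ("/usr/bin/perl script.pl"); any other name was set at runtime.
        case $argv0_name in
            $family) continue ;;
        esac
        ppid=$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null) || ppid=
        printf '%s exe=%s argv0=%s ppid=%s\n' \
            "${d##*/}" "$exe" "$argv0_name" "${ppid:-?}"
    done
}
```

Run it as root so that every process's `exe` link is readable; for each hit, `ls -l /proc/PID/cwd /proc/PID/fd` shows where the script was started from and which files it holds open. `debsums perl-base` covers the other possibility raised in the reply, a modified /usr/bin/perl.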



Re: Rbl

2006-03-31 Thread Bill Marcum
On Fri, Mar 31, 2006 at 11:25:45AM -0300, Thiago Ribeiro wrote:
 Hi guys,
 
 A friend has a problem with rbl. The address is rbl.kropka.net.
 The company's ip address was added in this list some time ago, before he
 started working there. Now he fixed the problems with the mail server
 and would like to remove his company's address from the blacklist.
 So the rbl site has no email contact to remove the ip from the blacklist.
 
 Can anyone help me?
 
whois kropka.net
   Administrative Contact:
  Private, Registration  [EMAIL PROTECTED]
  Domains by Proxy, Inc.
  DomainsByProxy.com
  15111 N. Hayden Rd., Ste 160, PMB 353
  Scottsdale, Arizona 85260
  United States
  (480) 624-2599

   Technical Contact:
  Private, Registration  [EMAIL PROTECTED]
  Domains by Proxy, Inc.
  DomainsByProxy.com
  15111 N. Hayden Rd., Ste 160, PMB 353
  Scottsdale, Arizona 85260
  United States
  (480) 624-2599

You might also try whois on the IP address of rbl.kropka.net.
If this doesn't help, your friend might want to ask for a new IP 
address.


-- 
Chairman of the Bored.





Re: Shadow passwords

2005-07-07 Thread Bill Marcum
On Thu, Jul 07, 2005 at 09:49:17AM +0200, Johann Spies wrote:
 I am busy building two new proxy servers. I installed the first from
 debian-install CD with the normal installer.  As an exercise in
 disaster recovery I decided to install the second from a CD I have
 built with dfsbuild on the first one.  
 
 On the second machine Tiger reports: 
 
 user is not configured to use shadow passwords ...
 
 How do I change that after an installation that did not ask beforehand
 about shadow passwords?
 
 I did a  'sudo shadowconfig on' but suspect that will only have an
 effect on new passwords - or not?
 
man pwconv


-- 
Tonight you will pay the wages of sin; Don't forget to leave a tip.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-21 Thread Bill Marcum
On Tue, Jan 18, 2005 at 07:14:29PM -0800, Moe wrote:
 After all these months/years of warnings to NEVER open email 
 attachments, why are you sending attachments instead of in-line?
 
 Martin Schulze wrote:
  
 Part 1   Type: C
  Encoding: 8bit
 
What mail client are you using, and why does it see an attachment where 
mutt does not?


-- 
When you say that you agree to a thing in principle, you mean that
you have not the slightest intention of carrying it out in practice.
-- Otto Von Bismarck





Re: what process is using a port

2004-05-03 Thread Bill Marcum
On Mon, May 03, 2004 at 07:14:31PM +0200, LeVA wrote:
 Hi!
 
 Is there a way to figure out what program is using a port. For example I 
 want to know which process is using port 80. How can I do this?
 
netstat -np
Run it as root, or you will only see the PIDs for your own processes.


-- 
Giraffe: a ruminant with a view.





Re: Strange 'su' error messages

2004-01-16 Thread Bill Marcum
On Tue, Jan 13, 2004 at 10:29:10AM +0100, Christian Schuerer wrote:
 Hello!
 
 Since updating my debian server yesterday I get the following error
 messages every hour (generated by logcheck):
 
   Jan 13 00:05:01 asterix su[2102]: + ??? root:bin
 
 Today there is even an additional line:
   
   Jan 13 06:05:01 asterix su[5684]: + ??? root:bin
   Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody
 
 Does anyone have the same error messages/behavior? I'm concerned, but
 hope that it's just a wrong configuration after the update!
 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=226838





Re: suspicious files in /tmp

2004-01-05 Thread Bill Marcum
On Mon, Jan 05, 2004 at 02:44:05PM +0100, Marcel Weber wrote:
 Hi
 
 It isn't exactly a debian question, but nevertheless I think this is the 
 appropriate place to post this.
 
 I ran chkrootkit 0.43 on my LFS box. This system is a mail and web 
 server. Chkrootkit complained about two files: /bin/netstat and 
 /usr/bin/env.

What exactly did chkrootkit say about those files?  Were they writable
by non-root users, did they have setuid permission, or what?

-- 
Absurd Procrustean Egghead Cornstarch Variant Bill Marcum

