Login/Register
What does this perl malware do with changing "$0"?
Asked Answered
Solved perlcracking
P

2

6

We had an intrusion into our server over the weekend and I'm trying to trace the tracks of the intruder. It seems they ran a perl script, causing a www-data process called init to run at 100%. Unfortunately I don't have perl expertise, so I have no clue what this is doing:

 6 my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");
# ...
24 use IO::Socket;
25 use Socket;
26 use IO::Select;
27 chdir("/tmp");
28 $servidor="$ARGV[0]" if $ARGV[0];
29 $0="$processo"."\0"x16;;
30 my $pid=fork;
31 exit if $pid;

It seems to me the instruction in line 29 is intended to hide the process somehow. What does it do exactly?

Pyrone answered 11/11, 2013 at 15:3 Comment(0)
P
11

From perldoc perlvar:

On some (but not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running.

So yes, your assertion is correct. It's looking to mask how it shows up in ps.

Purloin answered 11/11, 2013 at 15:9 Comment(4)
So, since I'm seeing a very suspicious process with the name init [3] would it be possible that this is it? I'm not sure about the $processo variable and how it influences $0.Pyrone
If you see any processes named init that are not a) process ID #1 and/or b) owned by root... then they are not the real "init" process. "init" is always process ID 1 and owned by root.Inviting
@TimPeoples: The thing is, I'm seeing both an /sbin/init process and an init [3] process, both run by www-data. Both look suspicious to me.Pyrone
I'd assume those are bogus. Again, "init" is always process ID 1 and is always owned by "root". ALWAYS. I recommend you kill those other ones.Inviting
D
3

This line appears to be intentionally obfuscated:

my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");

It is equivalent to:

my $processo = "/sbin/init";
Diacaustic answered 11/11, 2013 at 16:29 Comment(5)
does it make any difference with multiple "\0" termination?Tephra
So, is this the same as the C comma-operator?Pyrone
@mpapec: I suspect the null-termination is meant to hide command line arguments from ps et al.Pyrone
@Pyrone it may be, although on my debian box it doesn't perl -e '$0="processo"."\0"x16; print qx(ps auxw|grep $$)'Tephra
Note: the reason this assignment works as described above is because, in Perl, the value of a list on scalar context is the last element of the list. (also note that a "list" is not an "array"; the value of an "array" in scalar context is the number of elements in the array). In the above, there's a literal list and thus, all the other elements are discarded when assigning to $processo.Inviting

© 2022 - 2025 — McMap. All rights reserved.