Strange perl script

Alex Zbyslaw xfb52 at dial.pipex.com
Fri Oct 19 03:41:16 PDT 2007


Chad Perrin wrote:

> then updatedb and locate sploger so you're using

As was pointed out earlier in the thread, you can easily delete a file 
after running it, so whatever was running may not exist on the disk any 
more.

Also, it is completely trivial to change the name shown by ps simply by 
changing the C equivalent of argv[0], which in perl is $0.

Run the following and ps shows "rubbish (perl)" and not "foo.prl (perl)".

foo.prl
-------
#!/usr/bin/env perl
$0 = "rubbish";   # overwrite argv[0]: this is the name ps will report
sleep 120;        # stay alive long enough to be seen in ps

$ chmod +x foo.prl
$ ./foo.prl &
$ ps
 7274  p1  S      0:00.00 rubbish (perl)

bar.prl
-------
#!/usr/bin/env perl
sleep 120;        # $0 untouched, so ps shows the real command line

$ perl bar.prl &
$ ps
 7575  p1  S      0:00.00 perl ./bar.prl


If sploger really was malware, then it was probably picking some name at 
random to show in ps.  The difference between the ps outputs when 
changing $0 hints at that, but I haven't done exhaustive tests.

--Alex
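An added example (not part of the thread) of the check a responder would run against both evasions described above, the rewritten $0 and the script deleted while still running. It assumes a Linux /proc filesystem (on FreeBSD the same evidence comes from `procstat -b`) and uses /bin/sleep as a constructed stand-in for the perl script.

```python
import os
import shutil
import subprocess
import tempfile

def inspect_process(pid, proc="/proc"):
    """Compare what a process claims to be (argv[0], which ps prints and
    which any program can overwrite, perl via $0) with what the kernel
    actually executed (/proc/PID/exe, which the process cannot change)."""
    with open(f"{proc}/{pid}/cmdline", "rb") as f:
        argv = f.read().split(b"\0")
    argv0 = argv[0].decode(errors="replace") if argv else ""
    exe = os.readlink(f"{proc}/{pid}/exe")
    # The kernel appends " (deleted)" when the binary was unlinked while running.
    deleted = exe.endswith(" (deleted)")
    real_path = exe[:-len(" (deleted)")] if deleted else exe
    claimed, real = os.path.basename(argv0), os.path.basename(real_path)
    # Prefix comparison tolerates "python3" -> "python3.11"; anything else
    # (e.g. "rubbish" -> "perl") deserves a closer look, not an automatic verdict.
    spoofed = not (claimed.startswith(real) or real.startswith(claimed))
    return {"pid": pid, "argv0": argv0, "exe": exe,
            "deleted": deleted, "spoofed": spoofed}

def demo():
    """Reproduce both evasions with /bin/sleep (constructed stand-in):
    one copy started with argv[0] rewritten to "rubbish", one copy whose
    executable is unlinked right after it starts. Returns both inspections."""
    sleep = shutil.which("sleep")
    tmp = tempfile.mkdtemp()
    copy = os.path.join(tmp, "sleep")
    shutil.copy2(sleep, copy)                      # keeps the exec bit
    spoof = subprocess.Popen(["rubbish", "30"], executable=sleep)
    gone = subprocess.Popen([copy, "30"])
    os.unlink(copy)                                # file gone, process lives on
    try:
        return inspect_process(spoof.pid), inspect_process(gone.pid)
    finally:
        for p in (spoof, gone):
            p.kill()
            p.wait()
        os.rmdir(tmp)

if __name__ == "__main__":
    for r in demo():
        print(r)
```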




More information about the freebsd-questions mailing list