Strange perl script
xfb52 at dial.pipex.com
Fri Oct 19 03:41:16 PDT 2007
Chad Perrin wrote:
> then updatedb and locate sploger so you're using
As was pointed out earlier in the thread, you can easily delete a file
after running it, so whatever was running may not exist on the disk any
Also, it is completely trivial to change the name shown by ps simply by
changing the C equivalent of ARGV[0], which in perl is $0.
Run the following and ps shows "rubbish (perl)" and not "foo.prl (perl)"
$ chmod +x foo.prl
$ ./foo.prl &
7274 p1 S 0:00.00 rubbish (perl)
$ perl bar.prl &
7575 p1 S 0:00.00 perl ./bar.prl
If sploger really was malware, then it was probably picking some name at
random to show in ps. The difference between the ps outputs when
changing $0 hints at that, but I haven't done exhaustive tests.
More information about the freebsd-questions
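
The mismatch the post points at can be checked mechanically. The following is an added example, not part of the original post: it scans FreeBSD-style `ps` lines and reports each process whose displayed name differs from the command name shown in parentheses. It assumes the trailing parenthesized word is the kernel-recorded command name, as in the output quoted above; the function names and all sample lines other than the two taken from the post are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `ps` lines in the layout quoted in the post
# (PID TT STAT TIME COMMAND) on stdin and prints
#   PID shown=<displayed name> comm=<name in parentheses>
# for every process whose displayed argv[0] does not match the
# parenthesized command name. A hit is a lead, not proof: per the post,
# an ordinary script also shows as "foo.prl (perl)".
flag_name_mismatch() {
    awk '
    # data lines only: numeric PID, at least 6 fields, last one is "(name)"
    $1 ~ /^[0-9]+$/ && NF >= 6 && $NF ~ /^\(.+\)$/ {
        comm  = substr($NF, 2, length($NF) - 2)   # strip the parentheses
        shown = $5                                # first word of COMMAND
        sub(/^.*\//, "", shown)                   # basename
        sub(/^-/, "", shown)                      # login shells show as "-sh"
        if (shown != comm)
            printf "%s shown=%s comm=%s\n", $1, shown, comm
    }'
}

# Constructed sample: the two ps lines from the post plus invented ones.
sample_ps() {
cat <<'EOF'
 PID TT STAT    TIME COMMAND
7274 p1 S    0:00.00 rubbish (perl)
7575 p1 S    0:00.00 perl ./bar.prl
 812 ?? Is   0:00.41 /usr/sbin/cron -s
 901 p1 Ss   0:00.02 -sh (sh)
EOF
}

# On a live FreeBSD host, feed real output instead, e.g.:  ps ax | flag_name_mismatch
# then inspect each reported PID with `procstat -b <pid>` to see the binary
# actually being executed, since the displayed name is under the process's control.
sample_ps | flag_name_mismatch
```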