What does this perl malware do with a change of "$0"?

We had an invasion of our server over the weekend, and I'm trying to track the traces of an attacker. They seem to have run the perl script, forcing the www-data process called init to work at 100%. Unfortunately, I have no perl experience, so I have no idea what this does:

    6 my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");
    # ...
    24 use IO::Socket;
    25 use Socket;
    26 use IO::Select;
    27 chdir("/tmp");
    28 $servidor="$ARGV[0]" if $ARGV[0];
    29 $0="$processo"."\0"x16;;
    30 my $pid=fork;
    31 exit if $pid;

It seems to me that the instruction on line 29 is designed to somehow hide the process. What exactly is it doing?

+6
2 answers

From perldoc perlvar:

On some (but not all) operating systems, assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options, or a different ps, to see the changes. Modifying $0 is more useful as a way of indicating the current program state than for hiding the program you're running.

So your guess is correct: it is trying to disguise how it appears in ps.

+11

This line seems intentionally confusing:

    my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");

This is equivalent to:

    my $processo = "/sbin/init";

+3
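The rename only touches argv[0]; the kernel's /proc/&lt;pid&gt;/exe link still points at the perl binary, which is the mismatch a responder can look for. The following checker is an added example written for this page, not code from the question or either answer; the function names, the pid values and the sample /proc contents are constructed.

```python
import os
import shutil

def argv0_from_cmdline(cmdline: bytes) -> str:
    """What ps prints: the first NUL-separated field of /proc/<pid>/cmdline.
    The script on the page appends "\\0"x16 to $0, so trailing NULs are normal."""
    return cmdline.split(b"\0", 1)[0].decode("utf-8", errors="replace")

def resolve_on_disk(word: str) -> str:
    """Map a name as ps shows it to the file that would really run: PATH lookup for
    bare names, then follow symlinks (/sbin/init is usually a link to systemd)."""
    path = word if word.startswith("/") else shutil.which(word)
    return os.path.realpath(path) if path and os.path.exists(path) else word

def program_name(s: str, resolve=lambda w: w) -> str:
    """'syslogd -m 0', 'sendmail: accepting connections' or '/usr/bin/perl (deleted)'
    -> bare program name, after passing the first word through `resolve`."""
    return os.path.basename(resolve(s.split(" ", 1)[0].rstrip(":")))

def is_disguised(argv0: str, exe: str, resolve=lambda w: w) -> bool:
    """True when the name ps shows disagrees with the binary actually running.
    Assigning to $0 rewrites argv[0]; it cannot alter the /proc/<pid>/exe link."""
    if not argv0 or not exe:
        return False  # kernel threads have an empty cmdline: nothing to compare
    return program_name(argv0, resolve) != program_name(exe)

def scan_entries(entries, resolve=lambda w: w):
    """entries: (pid, raw cmdline bytes, exe link target). Returns the suspicious ones."""
    rows = [(pid, argv0_from_cmdline(c), exe) for pid, c, exe in entries]
    return [r for r in rows if is_disguised(r[1], r[2], resolve)]

def read_proc(proc_root="/proc"):
    """Yield (pid, cmdline, exe) per readable process; other users' exe links need root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                cmdline = f.read()
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited or is not ours to inspect
        yield int(entry), cmdline, exe

# Constructed sample of what /proc would show; pid 4242 is the script from the question.
SAMPLE = [
    (4242, b"/sbin/init" + b"\0" * 16, "/usr/bin/perl"),
    (512, b"sendmail: accepting connections\0", "/usr/sbin/sendmail"),
    (777, b"perl\0./script.pl\0", "/usr/bin/perl"),
]
# Live use on the affected host (as root): scan_entries(read_proc(), resolve=resolve_on_disk)
```

Each hit is a triage lead rather than proof: daemons that legitimately rewrite their own title are reconciled by the resolver, but a binary replaced on disk after start will also show up.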

Source: https://habr.com/ru/post/957836/

