Question

We had an intrusion into our server over the weekend and I'm trying to trace the tracks of the intruder. It seems they ran a perl script, causing a www-data process called init to run at 100%. Unfortunately I don't have perl expertise, so I have no clue what this is doing:

 6 my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");
# ...
24 use IO::Socket;
25 use Socket;
26 use IO::Select;
27 chdir("/tmp");
28 $servidor="$ARGV[0]" if $ARGV[0];
29 $0="$processo"."\0"x16;;
30 my $pid=fork;
31 exit if $pid;

It seems to me the instruction in line 29 is intended to hide the process somehow. What does it do exactly?


Solution

From perldoc perlvar:

On some (but not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running.

So yes, your assertion is correct. It's looking to mask how it shows up in ps.
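The practical consequence for triage is that the rewritten argv only changes what ps and /proc/<pid>/cmdline report; the kernel's /proc/<pid>/exe symlink still points at the binary that was actually exec'd (here the perl interpreter), and the "\0" x 16 padding leaves an unusual run of trailing NULs in cmdline. The following script is an added example, not code from the question or the answers, that checks both indicators. The ProcInfo records and the SAMPLE data are constructed; collect() reads a live /proc entry only when called explicitly.

```python
"""Find processes whose argv (what ps shows) disagrees with the executable
that is really running. Added example; assumes Linux /proc semantics."""
import os
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    cmdline: bytes  # raw /proc/<pid>/cmdline, NUL-separated argv
    exe: str        # resolved target of the /proc/<pid>/exe symlink


def argv_from_cmdline(raw: bytes) -> list:
    """Split raw cmdline into argv, dropping the empty strings that the
    "\\0" x 16 padding leaves behind."""
    return [p.decode("utf-8", "replace") for p in raw.split(b"\0") if p]


def nul_padding(raw: bytes) -> int:
    """Trailing NUL bytes beyond the single terminator a normal argv ends
    with; anything above 0 is unusual."""
    if not raw:
        return 0
    return len(raw) - len(raw.rstrip(b"\0")) - 1


def assess(info: ProcInfo) -> dict:
    """Indicators for one process:
    claimed      - basename of argv[0], the name ps/top display
    real         - basename of the exec'd binary from /proc/<pid>/exe
    exe_mismatch - the two disagree (e.g. claims init, is actually perl)
    padded       - cmdline carries extra trailing NULs"""
    argv = argv_from_cmdline(info.cmdline)
    claimed = os.path.basename(argv[0]) if argv else ""
    real = os.path.basename(info.exe)
    return {
        "pid": info.pid,
        "claimed": claimed,
        "real": real,
        "exe_mismatch": bool(argv) and claimed != real,
        "padded": nul_padding(info.cmdline) > 0,
    }


def suspicious(infos) -> list:
    """PIDs worth a closer look, in input order."""
    return [a["pid"] for a in map(assess, infos)
            if a["exe_mismatch"] or a["padded"]]


def collect(pid: int) -> ProcInfo:
    """Read one live process (Linux only; readlink on /proc/<pid>/exe needs
    the same uid or root). Not used by the constructed sample below."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as fh:
        raw = fh.read()
    return ProcInfo(pid, raw, os.readlink(f"{base}/exe"))


# Constructed sample: a real init, a perl script started normally, a kernel
# thread (empty cmdline), and the masquerading script from the question.
SAMPLE = [
    ProcInfo(1, b"/sbin/init\0", "/sbin/init"),
    ProcInfo(1234, b"/usr/bin/perl\0/home/bob/backup.pl\0", "/usr/bin/perl"),
    ProcInfo(2, b"", ""),
    ProcInfo(4321, b"/sbin/init\0" + b"\0" * 16, "/usr/bin/perl"),
]

if __name__ == "__main__":
    for pid in suspicious(SAMPLE):
        print(assess(SAMPLE[[p.pid for p in SAMPLE].index(pid)]))
```

Treat a mismatch as a reason to look, not as a verdict: on hosts where /sbin/init is a symlink to systemd, or where python3 resolves to python3.x, argv[0] and the exe basename legitimately differ. The padding indicator and an interpreter binary behind a claimed daemon name are the stronger signals here; the combination with cwd /tmp, as in the script, is what to look for next.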

Other tips

This line appears to be intentionally obfuscated:

my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");

It is equivalent to:

my $processo = "/sbin/init";
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow