Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What does this perl malware do with changing "$0"?

Tags:

perl

cracking

We had an intrusion into our server over the weekend and I'm trying to trace the tracks of the intruder. It seems they ran a perl script, causing a www-data process called init to run at 100%. Unfortunately I don't have perl expertise, so I have no clue what this is doing:

 6 my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");
# ...
24 use IO::Socket;
25 use Socket;
26 use IO::Select;
27 chdir("/tmp");
28 $servidor="$ARGV[0]" if $ARGV[0];
29 $0="$processo"."\0"x16;;
30 my $pid=fork;
31 exit if $pid;

It seems to me the instruction in line 29 is intended to hide the process somehow. What does it do exactly?

like image 214
bitmask Avatar asked Nov 11 '13 15:11

bitmask


1 Answers

From perldoc perlvar:

On some (but not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running.

So yes, your assertion is correct. It's looking to mask how it shows up in ps.

like image 111
FatalError Avatar answered Sep 22 '22 11:09

FatalError