
We had an intrusion into our server over the weekend and I'm trying to trace the tracks of the intruder. It seems they ran a perl script, causing a www-data process called init to run at 100%. Unfortunately I don't have perl expertise, so I have no clue what this is doing:

 6 my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");
# ...
24 use IO::Socket;
25 use Socket;
26 use IO::Select;
27 chdir("/tmp");
28 $servidor="$ARGV[0]" if $ARGV[0];
29 $0="$processo"."\0"x16;;
30 my $pid=fork;
31 exit if $pid;

It seems to me the instruction in line 29 is intended to hide the process somehow. What does it do exactly?

bitmask

2 Answers


From perldoc perlvar:

On some (but not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running.

So yes, your assertion is correct. It's looking to mask how it shows up in ps.

Zaid
FatalError
  • So, since I'm seeing a very suspicious process with the name `init [3]` would it be possible that this is it? I'm not sure about the `$processo` variable and how it influences `$0`. – bitmask Nov 11 '13 at 15:15
    If you see any processes named init that are not a) process ID #1 and/or b) owned by root... then they are not the real "init" process. "init" is always process ID 1 and owned by root. – Tim Peoples Nov 11 '13 at 15:19
  • @TimPeoples: The thing is, I'm seeing both an `/sbin/init` process and an `init [3]` process, both run by `www-data`. Both look suspicious to me. – bitmask Nov 11 '13 at 15:23
  • I'd assume those are bogus. Again, "init" is always process ID 1 and is always owned by "root". ALWAYS. I recommend you kill those other ones. – Tim Peoples Nov 11 '13 at 16:59
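A defender-side check for what this answer and its comments describe, written as an added example (not code from the question or the answers): assigning to `$0` rewrites the argument area that `ps` reads, but it cannot change `/proc/<pid>/exe`, and the real init is always PID 1 owned by root. The daemon names come from the question's `$processo` list; the sample snapshot and the www-data uid of 33 are constructed assumptions.

```python
import os

# Daemon names the obfuscated $processo list in the question offers as disguises.
IMPERSONATED = {"atd", "sendmail", "rpc.idmapd", "syslogd", "udevd", "init"}
INTERPRETERS = ("perl", "python", "ruby", "bash", "dash")

def check_process(pid, uid, cmdline, exe):
    """Return reasons a process looks masqueraded, or [] if it looks legitimate.
    cmdline is what ps shows (argv, which $0 rewrites); exe is /proc/<pid>/exe, which $0 cannot change."""
    argv0 = cmdline.split()[0] if cmdline.strip() else ""
    name = os.path.basename(argv0).split(":")[0]  # "sendmail: accepting connections" -> sendmail
    if name not in IMPERSONATED:
        return []
    reasons = []
    # The real init is always PID 1 and always owned by root.
    if name == "init" and (pid != 1 or uid != 0):
        reasons.append("claims to be init but is not PID 1 owned by root")
    # Assigning $0 only rewrites the argument area; the executable is still the interpreter.
    if os.path.basename(exe).startswith(INTERPRETERS):
        reasons.append(f"argv[0] is {argv0!r} but the executable is {exe}")
    # Heuristic: these daemons are started by root, not by the web server account.
    if uid != 0:
        reasons.append(f"running as uid {uid}, not root")
    return reasons

# Constructed snapshot (pid, uid, cmdline, exe); uid 33 is www-data on Debian (assumed).
SAMPLE = [
    (1, 0, "/sbin/init", "/sbin/init"),
    (1234, 33, "init [3]", "/usr/bin/perl"),
    (1235, 33, "/sbin/init", "/usr/bin/perl"),
    (800, 0, "atd", "/usr/sbin/atd"),
]

def scan(snapshot=SAMPLE):
    """Map pid -> reasons for every suspicious entry in a snapshot."""
    return {pid: r for pid, uid, cmd, exe in snapshot if (r := check_process(pid, uid, cmd, exe))}

def snapshot_from_proc():
    """Live snapshot from Linux /proc; reading other users' exe links needs root."""
    snap = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                # the "\0"x16 padding from the script becomes trailing spaces, which split() ignores
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            snap.append((int(entry), os.stat(f"/proc/{entry}").st_uid, cmdline,
                         os.readlink(f"/proc/{entry}/exe")))
        except OSError:
            continue  # process exited, or exe not readable
    return snap
```

`scan(snapshot_from_proc())` runs the same checks against the live machine; on the constructed snapshot the two www-data "init" processes from the comments are flagged while PID 1 and atd pass.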

This line appears to be intentionally obfuscated:

my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");

It is equivalent to:

my $processo = "/sbin/init";
ysth
  • does it make any difference with multiple `"\0"` termination? – mpapec Nov 11 '13 at 16:35
  • So, is this the same as the C comma-operator? – bitmask Nov 11 '13 at 16:43
  • @mpapec: I suspect the null-termination is meant to hide command line arguments from `ps` et al. – bitmask Nov 11 '13 at 16:43
  • @bitmask it may be, although on my debian box it doesn't `perl -e '$0="processo"."\0"x16; print qx(ps auxw|grep $$)'` – mpapec Nov 11 '13 at 16:48
  • Note: the reason this assignment works as described above is because, in Perl, the value of a list in scalar context is the last element of the list. (Also note that a "list" is not an "array"; the value of an "array" in scalar context is the number of elements in the array.) In the above, there's a literal list and thus all the other elements are discarded when assigning to `$processo`. – Tim Peoples Nov 11 '13 at 17:02