From owner-freebsd-questions@FreeBSD.ORG Fri Oct 19 10:41:16 2007
From: Alex Zbyslaw <xfb52@dial.pipex.com>
Date: Fri, 19 Oct 2007 11:41:13 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Strange perl script
Message-ID: <471889C9.8030709@dial.pipex.com>
In-Reply-To: <20071018174706.GA28392@demeter.hydra>

Chad Perrin wrote:

> then updatedb and locate sploger so you're using

As was pointed out earlier in the thread, you can easily delete a file after running it, so whatever was running may not exist on the disk any more.

Also, it is completely trivial to change the name shown by ps simply by changing the C equivalent of ARGV[0], which in perl is $0.
Run the following and ps shows "rubbish (perl)" and not "foo.prl (perl)":

foo.prl
-------
#!/usr/bin/env perl
$0 = "rubbish";   # rewrite argv[0]: this is the name ps will display
sleep 120;

$ chmod +x foo.prl
$ ./foo.prl &
$ ps
 7274 p1  S      0:00.00 rubbish (perl)

bar.prl
-------
#!/usr/bin/env perl
sleep 120;

$ perl bar.prl &
$ ps
 7575 p1  S      0:00.00 perl ./bar.prl

If sploger really was malware, then it was probably picking some name at random to show in ps. The difference between the ps outputs when changing $0 hints at that, but I haven't done exhaustive tests.

--Alex
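The mail's two ps listings show the detail a defender can lean on: when a process has rewritten its argv[0] (via $0 in perl), FreeBSD's ps prints the kernel's own name for the executable in parentheses after the displayed command, which is why the renamed script appears as "rubbish (perl)". The following is an added example, not code from the mail or its author: a small Python parser that reads ps output of that shape (a constructed sample, built around the two lines quoted above) and flags processes whose displayed name does not match the real executable name. The column layout, the sample PIDs and the login-shell and sshd lines are assumptions for illustration.

```python
import re

# Constructed sample of FreeBSD-style `ps` output. The two perl lines are the
# ones quoted in the mail; the other rows are made up to show ordinary cases
# that also carry a "(comm)" suffix without being suspicious.
SAMPLE_PS = """\
  PID TT  STAT      TIME COMMAND
 7274 p1  S      0:00.00 rubbish (perl)
 7575 p1  S      0:00.00 perl ./bar.prl
 7580 p1  S      0:00.00 sh -c sleep 5
 7601 p2  S+     0:00.00 -csh (csh)
 7610 p2  I      0:00.01 sshd: alex [priv] (sshd)
"""

# pid, tty, state, cpu time, then the rest of the line as the command
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s*$")
# "displayed command (realname)" -> displayed command, realname
SUFFIX = re.compile(r"^(.*?)\s+\((\S+)\)$")


def parse_ps(text):
    """Return one dict per process line: pid, command, argv0 and comm.

    comm is the executable name ps appended in parentheses, or None when
    ps printed no suffix (displayed name and real name already agree).
    """
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header line or blank
        pid, command = int(m.group(1)), m.group(5)
        s = SUFFIX.match(command)
        if s:
            shown, comm = s.group(1), s.group(2)
        else:
            shown, comm = command, None
        words = shown.split()
        argv0 = words[0] if words else ""
        procs.append({"pid": pid, "command": command,
                      "argv0": argv0, "comm": comm})
    return procs


def suspicious(procs):
    """Processes whose displayed argv[0] hides the real executable name.

    A leading '-' (login shell convention) and a trailing ':' (daemons such
    as sshd label their children this way) are stripped before comparing,
    so those benign suffix cases are not reported.
    """
    flagged = []
    for p in procs:
        if p["comm"] is None:
            continue
        base = p["argv0"].lstrip("-").rstrip(":").rsplit("/", 1)[-1]
        if base != p["comm"]:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for p in suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {p['pid']}: shows as {p['argv0']!r} but runs {p['comm']!r}")
```

Run stand-alone it reports only pid 7274. On a live FreeBSD box the same functions can be fed the text of a ps listing with these columns (pid, tt, stat, time, command); a hit is only a lead, since the mail's point stands: the script file may already be gone from disk, so the process itself, not locate, is where to look next.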