From owner-freebsd-questions@FreeBSD.ORG Sat Oct 31 16:13:43 2009
From: patrick
To: FreeBSD Questions
Date: Sat, 31 Oct 2009 09:13:42 -0700
Subject: Re: Get the cwd of a process?
In-Reply-To: <20091030034812.GU29215@dan.emsphone.com>
References: <20091030034812.GU29215@dan.emsphone.com>
Thanks for the info! It works in my test case, but this spammer popped up again, and unfortunately I still couldn't reveal the source.

The ps listing shows:

    www 29488 5.7 0.2 14144 5360 ?? Ss 7:47AM 37:24.83 ./jug.pl (perl5.8.8)

And lsof -p 29488 -a -d cwd only shows:

    COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    perl5.8.8 29488  www  cwd   VDIR   0,83      512    2 /

I don't understand how the cwd could be /, as there was no jug.pl there, and the www user cannot write to the root. Could there be another trick being employed?

I'm actually a little puzzled by the ps listing. It shows the interpreter at the end in parentheses, but if I invoke a similarly-named script from the shell, it lists it as "/usr/bin/perl ./jug.pl". I also cannot find any traces of these perl scripts anywhere on the machine, though my tests show that you can safely delete the script after it is loaded by the interpreter.

*trying something...*

Okay, so I've written a little script to reproduce what I'm seeing:

    #!/usr/bin/perl
    use strict;
    use warnings;

    my $pid = fork();
    die "fork failed: $!" unless defined $pid;   # undefined means fork itself failed

    if ($pid) {
        # parent: remove the script from disk, then go away
        unlink("test.pl");
        exit(0);
    } else {
        # child: leave the directory the script lived in, keep running
        chdir "/";
        print "Hello world\n";
        sleep 300;
    }

This must be what is happening. When I do an lsof, I get:

    COMMAND     PID USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
    perl5.8.8 95492 patrick cwd   VDIR   0,83      512    2 /

And there's no trace left of my script because I unlink()ed it.

This seems like it's going to be awfully hard to track down. I've gone through every access_log to see if I can see anything suspicious. So far, nothing yet, but I guess I'll keep plugging away at it. *sigh*

Patrick

On Thu, Oct 29, 2009 at 8:48 PM, Dan Nelson wrote:
> In the last episode (Oct 29), patrick said:
>> Is there any way to get the cwd of a process? We had the situation
>> recently where a perl script was called from an infiltrated Wordpress
>> installation, but we weren't able to determine which of the hundreds of
>> Wordpress blogs was the source. The ps listing showed:
>>
>> www 63968 2.4 0.2 26092 5008 ?? Rs 5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
>>
>> The procfs entry was no help because it does not seem to provide a cwd.
>> The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
>>
>> We had to kill the process, and whoever was responsible did a good job of
>> hiding their tracks. But should this happen again (and we expect it
>> will), we'd like to be able to find the source.
>
> /usr/bin/fstat will tell you the inode of the cwd, and you can use "find
> -inum" to locate it. You can also install lsof from ports, which will dig
> into the kernel and try and fetch the name itself:
>
> (dan@dan.21) /home/dan> fstat -p $$ | grep wd
> dan      zsh       77611   wd /       474264 drwxr-xr-x     533  r
> (dan@dan.21) /home/dan> lsof -p $$ -a -d cwd
> COMMAND   PID USER   FD   TYPE       DEVICE SIZE/OFF   NODE NAME
> zsh     77611  dan  cwd   VDIR 60,504234031      533 474264 /usr/home/dan
>
>
> --
>        Dan Nelson
>        dnelson@allantgroup.com
>
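Dan's fstat plus "find -inum" procedure, as an added example that is not code from the thread: a Python reimplementation that parses the "wd" line in the fstat column layout he shows and walks the mount point comparing inode numbers (what find -xdev -inum -type d does), short-circuiting when the inode is the mount point's own, which is what Patrick's NODE 2 / NAME / output means. The self_check() tree and the sample fstat line are constructed.

```python
import os
import tempfile

def parse_fstat_wd(line):
    """Return (mount point, inode) from the 'wd' line of FreeBSD 'fstat -p PID'.
    Column layout as in Dan's example: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W."""
    f = line.split()
    if len(f) < 6 or f[3] != "wd":
        raise ValueError("not a working-directory line: %r" % line)
    return f[4], int(f[5])

def locate_by_inode(mount, inum):
    """Directories below mount, on the same filesystem, whose inode is inum:
    the equivalent of 'find MOUNT -xdev -inum INUM -type d'."""
    root = os.stat(mount)
    # fstat/lsof reporting the filesystem root's own inode (NODE 2 on UFS,
    # NAME / in Patrick's output) means the cwd *is* the mount point: nothing
    # below it will match, so answer directly.
    if root.st_ino == inum:
        return [mount]
    found = []
    for dirpath, dirnames, _ in os.walk(mount):
        keep = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            try:
                st = os.lstat(full)
            except OSError:
                continue                     # unreadable or vanished entry
            if os.path.islink(full) or st.st_dev != root.st_dev:
                continue                     # symlink or other filesystem: prune
            keep.append(d)
            if st.st_ino == inum:
                found.append(full)
        dirnames[:] = keep                   # os.walk only descends into what we keep
    return found

def self_check():
    """Build a throwaway tree (constructed data) and confirm both lookup paths."""
    base = tempfile.mkdtemp(prefix="cwdhunt-")
    target = os.path.join(base, "blog-b", "wp-content", "uploads")
    os.makedirs(target)
    return (locate_by_inode(base, os.stat(target).st_ino) == [target]
            and locate_by_inode(base, os.stat(base).st_ino) == [base])
```

On a real box the arguments come straight from fstat: mount, inum = parse_fstat_wd(line) for the "wd" line of fstat -p PID, then locate_by_inode(mount, inum).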
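Once the script has unlinked itself and moved to /, the cwd and the file are gone and the remaining lead is the one Patrick is already chasing, the web server log. This added example (not code from the thread) reads the STARTED column of a ps line in the layout Patrick pasted and pulls the access_log requests that landed around that minute; the log lines, the time window, the date and the ranking heuristic (POSTs first, then .php files under an uploads directory) are constructed assumptions, not facts from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not from the thread. The ps line keeps the column
# layout Patrick pasted: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND.
PS_LINE = "www 29488 5.7 0.2 14144 5360 ?? Ss 7:47AM 37:24.83 ./jug.pl (perl5.8.8)"
DATE = "31/Oct/2009"   # STARTED only carries a time of day; assumes the process started today

ACCESS_LOG = """\
10.0.0.5 - - [31/Oct/2009:07:40:12 -0700] "GET /blog-a/ HTTP/1.1" 200 5123
192.0.2.77 - - [31/Oct/2009:07:46:31 -0700] "POST /blog-b/wp-content/uploads/2009/10/img.php HTTP/1.1" 200 87
10.0.0.9 - - [31/Oct/2009:07:46:50 -0700] "GET /blog-c/?p=12 HTTP/1.1" 200 4410
192.0.2.77 - - [31/Oct/2009:07:47:02 -0700] "GET /blog-b/wp-content/uploads/2009/10/img.php?c=run HTTP/1.1" 200 12
10.0.0.5 - - [31/Oct/2009:07:55:00 -0700] "GET /blog-a/feed/ HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

def ps_start_time(ps_line, date):
    """Process start as a datetime, from the STARTED column (e.g. 7:47AM)."""
    started = ps_line.split(None, 10)[8]
    return datetime.strptime("%s %s" % (date, started), "%d/%b/%Y %I:%M%p")

def parse_log(text):
    """Yield (time, client ip, method, path, status) for each common-log-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
            yield ts, m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))

def candidate_requests(ps_line, log_text, date,
                       before=timedelta(minutes=2), after=timedelta(minutes=1)):
    """Requests that hit the server around the process start time.
    ps STARTED has minute resolution, so a short window after it is included too.
    Ranking is a constructed heuristic: POSTs first, then .php files under an
    uploads directory, then everything else, each group in time order."""
    start = ps_start_time(ps_line, date)
    hits = [r for r in parse_log(log_text) if start - before <= r[0] <= start + after]
    def rank(r):
        ts, _, method, path, _ = r
        return (method != "POST", not ("/uploads/" in path and ".php" in path), ts)
    return sorted(hits, key=rank)
```

The vhost or blog prefix of the top-ranked hits is the candidate to inspect; a process older than a day shows a different STARTED format in ps, so DATE and the parsing format would need adjusting for that case.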