Date: Sat, 31 Oct 2009 09:13:42 -0700 From: patrick <gibblertron@gmail.com> To: FreeBSD Questions <questions@freebsd.org> Subject: Re: Get the cwd of a process? Message-ID: <b043a4850910310913p62f19b27w92620347c339a9e6@mail.gmail.com> In-Reply-To: <20091030034812.GU29215@dan.emsphone.com> References: <b043a4850910291422u2d37344tf46b5d46691bb48a@mail.gmail.com> <20091030034812.GU29215@dan.emsphone.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for the info! It works in my test case, but this spammer popped
again, and unfortunately, I still couldn't reveal the source:
The ps listing shows:
www 29488 5.7 0.2 14144 5360 ?? Ss 7:47AM 37:24.83
./jug.pl (perl5.8.8)
And the lsof -p 29488 -a -d cwd only shows:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl5.8.8 29488 www cwd VDIR 0,83 512 2 /
I don't understand how the cwd could be /, as there was no jug.pl
there, and the www user cannot write to the root.
Could there be another trick being employed? I'm actually a little
puzzled by the ps listing. It shows the interpreter at the end in
parentheses, but if I invoke a similarly-named script from the shell,
it lists it as "/usr/bin/perl ./jug.pl".
I also cannot find any traces of these perl scripts anywhere on the
machine, though my tests show that you can safely delete the script
after it is loaded by the interpreter.
*trying something...*
Okay, so I've written a little script to reproduce what I'm seeing:
#!/usr/bin/perl
$pid =3D fork();
if ($pid)
{
unlink("test.pl");
exit(0);
}
else
{
chdir "/";
print "Hello world\n";
sleep 300;
}
This must be what is happening. When I do an lsof, I get:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl5.8.8 95492 patrick cwd VDIR 0,83 512 2 /
And there's no trace left of my script because I unlink()ed it.
This seems like it's going to be awfully hard to track down. I've gone
through every access_log to see if I can see anything suspicious. So
far, nothing yet, but I guess I'll keep plugging away at it.
*sigh*
Patrick
On Thu, Oct 29, 2009 at 8:48 PM, Dan Nelson <dnelson@allantgroup.com> wrote=
:
> In the last episode (Oct 29), patrick said:
>> Is there any way to get the cwd of a process? We had the situation
>> recently where a perl script was called from an infiltrated Wordpress
>> installation, but we weren't able to determine which of the hundreds of
>> Wordpress blogs was the source. =A0The ps listing showed:
>>
>> www =A0 =A0 =A0 =A0 =A0 =A0 63968 =A02.4 =A00.2 26092 =A05008 =A0?? =A0R=
s =A0 =A05:36PM 93:10.67 ./mrf.pl (perl5.8.8)
>>
>> The procfs entry was no help because it does not seem to provide a cwd.
>> The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
>>
>> We had to kill the process, and who ever was responsible did a good job =
of
>> hiding their tracks. =A0But should this happen again (and we expect it
>> will), we'd like to be able to find the source.
>
> /usr/bin/fstat will tell you the inode of the cwd, and you can use "find
> =A0-inum" to locate it. =A0You can also install lsof from ports, which wi=
ll dig
> into the kernel and try and fetch the name itself:
>
> (dan@dan.21) /home/dan> fstat -p $$ | grep wd
> dan =A0 =A0 =A0zsh =A0 =A0 =A0 =A077611 =A0 wd / =A0 =A0 =A0 =A0474264 dr=
wxr-xr-x =A0 =A0 533 =A0r
> (dan@dan.21) /home/dan> lsof -p $$ -a -d cwd
> COMMAND =A0 PID USER =A0 FD =A0 TYPE =A0 =A0 =A0 DEVICE SIZE/OFF =A0 NODE=
NAME
> zsh =A0 =A0 77611 =A0dan =A0cwd =A0 VDIR 60,504234031 =A0 =A0 =A0533 4742=
64 /usr/home/dan
>
>
> --
> =A0 =A0 =A0 =A0Dan Nelson
> =A0 =A0 =A0 =A0dnelson@allantgroup.com
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b043a4850910310913p62f19b27w92620347c339a9e6>