Date: Sat, 31 Oct 2009 22:34:06 -0700
From: patrick <gibblertron@gmail.com>
To: FreeBSD Questions <questions@freebsd.org>
Subject: Re: Get the cwd of a process?
Message-ID: <b043a4850910312234v52f7526ej42e987a718975953@mail.gmail.com>
In-Reply-To: <b043a4850910310913p62f19b27w92620347c339a9e6@mail.gmail.com>
References: <b043a4850910291422u2d37344tf46b5d46691bb48a@mail.gmail.com> <20091030034812.GU29215@dan.emsphone.com> <b043a4850910310913p62f19b27w92620347c339a9e6@mail.gmail.com>
I've made some headway... perl supports "sitecustomize.pl" which can be
used to execute code when any perl script is run. It doesn't seem to be
enabled by default, so I had to add the following line to
/usr/ports/lang/perl5.8/Makefile's CONFIGURE_ARGS:

-Dusesitecustomize \

As a temporary measure, my sitecustomize.pl has:

system "echo $$ $ENV{'PWD'} $0 ". (localtime) . " >>/tmp/scripts_used.lst";

(found this in another thread somewhere)

So, hopefully the next time this spammer comes back, I will see the
original working directory, etc. before the process forks itself.

Fingers crossed!

Patrick

On Sat, Oct 31, 2009 at 9:13 AM, patrick <gibblertron@gmail.com> wrote:
> Thanks for the info! It works in my test case, but this spammer popped
> again, and unfortunately, I still couldn't reveal the source:
>
> The ps listing shows:
>
> www            29488  5.7  0.2 14144  5360  ??  Ss    7:47AM  37:24.83
> ./jug.pl (perl5.8.8)
>
> And the lsof -p 29488 -a -d cwd only shows:
>
> COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> perl5.8.8 29488  www  cwd   VDIR   0,83      512    2 /
>
> I don't understand how the cwd could be /, as there was no jug.pl
> there, and the www user cannot write to the root.
>
> Could there be another trick being employed? I'm actually a little
> puzzled by the ps listing. It shows the interpreter at the end in
> parentheses, but if I invoke a similarly-named script from the shell,
> it lists it as "/usr/bin/perl ./jug.pl".
>
> I also cannot find any traces of these perl scripts anywhere on the
> machine, though my tests show that you can safely delete the script
> after it is loaded by the interpreter.
>
> *trying something...*
>
> Okay, so I've written a little script to reproduce what I'm seeing:
>
> #!/usr/bin/perl
>
> $pid = fork();
>
> if ($pid)
> {
>       unlink("test.pl");
>       exit(0);
> }
> else
> {
>       chdir "/";
>       print "Hello world\n";
>       sleep 300;
> }
>
> This must be what is happening. When I do an lsof, I get:
>
> COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> perl5.8.8 95492 patrick  cwd   VDIR   0,83      512    2 /
>
> And there's no trace left of my script because I unlink()ed it.
>
> This seems like it's going to be awfully hard to track down. I've gone
> through every access_log to see if I can see anything suspicious. So
> far, nothing yet, but I guess I'll keep plugging away at it.
>
> *sigh*
>
> Patrick
>
>
> On Thu, Oct 29, 2009 at 8:48 PM, Dan Nelson <dnelson@allantgroup.com> wrote:
>> In the last episode (Oct 29), patrick said:
>>> Is there any way to get the cwd of a process? We had the situation
>>> recently where a perl script was called from an infiltrated Wordpress
>>> installation, but we weren't able to determine which of the hundreds of
>>> Wordpress blogs was the source.  The ps listing showed:
>>>
>>> www             63968  2.4  0.2 26092  5008  ??  Rs    5:36PM 93:10.67 ./mrf.pl (perl5.8.8)
>>>
>>> The procfs entry was no help because it does not seem to provide a cwd.
>>> The cmdline entry just showed "/usr/local/bin/perl ./mrf.pl".
>>>
>>> We had to kill the process, and whoever was responsible did a good job of
>>> hiding their tracks.  But should this happen again (and we expect it
>>> will), we'd like to be able to find the source.
>>
>> /usr/bin/fstat will tell you the inode of the cwd, and you can use "find
>>  -inum" to locate it.  You can also install lsof from ports, which will dig
>> into the kernel and try and fetch the name itself:
>>
>> (dan@dan.21) /home/dan> fstat -p $$ | grep wd
>> dan      zsh        77611   wd /        474264 drwxr-xr-x     533  r
>> (dan@dan.21) /home/dan> lsof -p $$ -a -d cwd
>> COMMAND   PID USER   FD   TYPE       DEVICE SIZE/OFF   NODE NAME
>> zsh     77611  dan  cwd   VDIR 60,504234031      533 474264 /usr/home/dan
>>
>>
>> --
>>        Dan Nelson
>>        dnelson@allantgroup.com
>>
>
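A fuller version of the sitecustomize.pl logging hook from the message above, as an added example rather than code posted in the thread. It assumes perl was built with -Dusesitecustomize as described and that the file is installed where perl looks for it (`perl -V:sitelib`); the log path is a hypothetical choice. It asks the kernel for the working directory instead of trusting $ENV{PWD}, resolves the script path before the program can unlink it or chdir away, and appends to the log from perl rather than through a shell command.

```perl
# sitecustomize.pl: added example, not the one-liner from the thread.
# Assumes perl was built with -Dusesitecustomize (as described above) and
# that this file lives where perl looks for it: see `perl -V:sitelib`.
use strict;
use warnings;
use Cwd ();
use Fcntl qw(:flock O_WRONLY O_APPEND O_CREAT);
use POSIX qw(strftime);

# Hypothetical log path; it must be append-writable by the user perl runs
# as (www, in the thread), otherwise the hook silently records nothing.
my $LOG = '/var/log/perl_scripts_used.lst';

# Ask the kernel for the real cwd. $ENV{PWD} is only what the parent put
# in the environment: a web server usually does not set it, and a parent
# that chdir()s without updating it leaves it stale.
my $cwd = Cwd::getcwd();
$cwd = '?' unless defined $cwd;

# Make the script path absolute now, while the file still exists and
# before the program itself can chdir or unlink it.
my $script = $0 =~ m{^/} ? $0 : "$cwd/$0";

my $rec = join "\t",
    strftime('%Y-%m-%dT%H:%M:%S%z', localtime),
    "pid=$$", "ppid=" . getppid(), "uid=$<",
    "cwd=$cwd", "script=$script", "args=@ARGV";

# Append directly from perl rather than via system("echo ... >> file"):
# a script name containing shell metacharacters would otherwise be
# interpolated into the logger's own shell command.
if (sysopen(my $fh, $LOG, O_WRONLY | O_APPEND | O_CREAT, 0644)) {
    flock($fh, LOCK_EX);
    print {$fh} $rec, "\n";
    close $fh;
}
```

The ppid field is the piece worth having in the forked case from the thread: it points at the web server or PHP worker that spawned the script, which is what the cwd alone no longer shows once the child has moved to /.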