Hacker News

This technique is really effective when the attacker does a little bit of homework on the system: if it’s a web server, a lot of people (even security analysts) will miss that the 147 httpd processes are 146 /usr/sbin/httpd and one /usr/local/sbin/httpd — or they’ll assume that was where someone installed a custom build.


You could set argv[0] too:

  $ perl -e '$0="/usr/sbin/httpd";fork or sleep 1000';ps


Good point - I was thinking about persistence, but I saw the argv trick in the wild in the early 2000s when someone hit a PHP script in one of our undergrads’ home directories and dropped something fun onto the system.

I think I used lsof back then but it’s been a while.


  $ readlink /proc/`pgrep -f /usr/sbin/httpd`/exe   # -f: match the full command line; the process name (comm) is still "perl"
  /usr/bin/perl


For me, it looks like:

  17630 27 S 0:00.00 /usr/sbin/httpd (perl)

which stands out like a sore thumb, IMHO.


That's what I see on FreeBSD.

ps, top, and htop all show /usr/sbin/httpd on Ubuntu.


*BSD, I suppose, but the idea is that the binary itself would be named httpd. Like "cp /usr/bin/perl ./httpd" first.


What does it do?


The name of the program as it was invoked is stored in `argv[0]`. The perl script overwrites the value before continuing on.


Hides the startup command line of the program by masking it with another value. In this example you wouldn't see that the perl program was started, you'll see this httpd thing.

It's not completely reliable but most people wouldn't look that deep anyway.


Right. It wouldn't be all that difficult to look at the process list and use heuristics to select a relevant process name.
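The heuristic the thread keeps circling back to, written out as an added example (not code from anyone in the thread): on Linux, overwriting argv[0] changes /proc/<pid>/cmdline, which is what ps, top and htop print, but not /proc/<pid>/exe (the binary the kernel actually mapped) or /proc/<pid>/comm (the task name set at exec time, the thing FreeBSD's ps shows in parentheses). Comparing the three catches the `$0="/usr/sbin/httpd"` trick; the `cp /usr/bin/perl ./httpd` variant keeps all three consistent, so the only remaining cheap signal is where the binary lives, which is why the example also flags executables under a few scratch directories. The ProcInfo records, the UNUSUAL_EXE_DIRS list and the sample processes are constructed for illustration; the live /proc walk is Linux-only and is skipped elsewhere.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories no legitimate daemon on this host should be running out of.
# Assumption for the example; tune it to the host's layout.
UNUSUAL_EXE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcInfo:
    pid: int
    argv0: str            # first NUL-separated field of /proc/<pid>/cmdline
    exe: Optional[str]    # target of the /proc/<pid>/exe symlink, None if unreadable
    comm: str             # contents of /proc/<pid>/comm, newline stripped


def suspicious(p: ProcInfo) -> List[str]:
    """Reasons this process looks like it is masquerading; [] if none."""
    reasons: List[str] = []
    if not p.argv0 or p.exe is None:
        return reasons  # kernel threads have an empty cmdline; exe needs ptrace access
    exe = p.exe
    if exe.endswith(" (deleted)"):
        reasons.append("executable unlinked after exec")
        exe = exe[: -len(" (deleted)")]
    # Login shells get a leading "-" in argv[0] ("-bash"); strip it before comparing.
    argv_base = os.path.basename(p.argv0).lstrip("-")
    exe_base = os.path.basename(exe)
    # argv[0] is whatever the process wrote there; exe is what the kernel mapped.
    # Allow a symlink suffix (python3 -> python3.11) and setproctitle-style
    # "nginx: worker process" strings, which still begin with the real name.
    if not (exe_base.startswith(argv_base) or argv_base.startswith(exe_base)):
        reasons.append(f"argv[0] {p.argv0!r} but exe is {exe!r}")
    # comm is taken from the filename passed to execve (15 bytes) and is not
    # touched by writing argv[0], so it should appear somewhere in argv[0].
    if p.comm and p.comm not in argv_base:
        reasons.append(f"comm {p.comm!r} absent from argv[0] {p.argv0!r}")
    # A renamed copy of the interpreter keeps argv[0], exe and comm consistent;
    # the location of the binary is the remaining signal.
    if exe.startswith(UNUSUAL_EXE_DIRS):
        reasons.append(f"exe {exe!r} in an unusual directory")
    return reasons


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from /proc (Linux only); None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:  # EACCES for other users' processes without CAP_SYS_PTRACE, ENOENT for kernel threads
        exe = None
    return ProcInfo(pid, argv0, exe, comm)


def scan_proc() -> Dict[int, List[str]]:
    """Walk /proc and return {pid: reasons} for every flagged process."""
    hits: Dict[int, List[str]] = {}
    if not os.path.isdir("/proc"):
        return hits
    for name in os.listdir("/proc"):
        if name.isdigit():
            info = read_proc(int(name))
            if info and suspicious(info):
                hits[info.pid] = suspicious(info)
    return hits


# Constructed records mirroring the cases discussed in the thread.
SAMPLES = [
    ProcInfo(1234, "/usr/sbin/httpd", "/usr/sbin/httpd", "httpd"),          # genuine httpd
    ProcInfo(17630, "/usr/sbin/httpd", "/usr/bin/perl", "perl"),            # perl with $0 overwritten
    ProcInfo(2002, "/usr/bin/python3", "/usr/bin/python3.11", "python3"),   # symlinked interpreter, benign
    ProcInfo(3003, "nginx: worker process", "/usr/sbin/nginx", "nginx"),    # setproctitle, benign
    ProcInfo(4004, "./httpd", "/tmp/httpd", "httpd"),                       # cp /usr/bin/perl ./httpd
    ProcInfo(5005, "/usr/sbin/httpd", "/usr/sbin/httpd (deleted)", "httpd"),  # binary removed after exec
    ProcInfo(6006, "-bash", "/usr/bin/bash", "bash"),                       # login shell, benign
]


def flag_samples() -> Dict[int, List[str]]:
    """Run the heuristic over the constructed samples."""
    return {p.pid: suspicious(p) for p in SAMPLES}


if __name__ == "__main__":
    for pid, why in flag_samples().items():
        print("sample", pid, "; ".join(why) or "ok")
    for pid, why in scan_proc().items():
        print("live", pid, "; ".join(why))
```

Run as root or with CAP_SYS_PTRACE if you want /proc/<pid>/exe for other users' processes; otherwise the exe check silently skips them. Expect some noise from software that legitimately rewrites its title, and treat the directory list as a starting point rather than an allowlist.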



