[plug] Untraceable Process. Sys-Op Challenge

Andrew Furey andrew.furey at gmail.com
Tue Feb 8 15:07:36 WST 2005


On Tue, 08 Feb 2005 00:05:19 +0800, Timothy White <weirdo at tigris.org> wrote:
[snip]
> $ ps aux |grep luser
> luser     5048  0.5  3.4  3176 2092 pts/4    Ss+  23:32   0:00 -bash
> luser     5078  0.4  5.0  4664 3132 pts/4    S    23:32   0:00 perl server.pl
> tim       5162  0.0  0.7  1496  448 pts/2    S+   23:34   0:00 grep luser
> --- You can see that the process you want is a perl script called server.pl
[snip]
> # vdir /proc/5078/
> total 0
> -r--r--r--    1 luser    luser           0 Feb  7 23:39 cmdline
> lrwxrwxrwx    1 luser    luser           0 Feb  7 23:39 cwd -> /tmp
> -r--------    1 luser    luser           0 Feb  7 23:39 environ
> lrwxrwxrwx    1 luser    luser           0 Feb  7 23:39 exe -> /usr/bin/perl
> dr-x------    2 luser    luser           0 Feb  7 23:39 fd
> -r--r--r--    1 luser    luser           0 Feb  7 23:39 maps
> -rw-------    1 luser    luser           0 Feb  7 23:39 mem
> lrwxrwxrwx    1 luser    luser           0 Feb  7 23:39 root -> /
> -r--r--r--    1 luser    luser           0 Feb  7 23:39 stat
> -r--r--r--    1 luser    luser           0 Feb  7 23:39 statm
> -r--r--r--    1 luser    luser           0 Feb  7 23:39 status
> --- Shows that the file should be in /tmp. It's not.

My guess (not sure how plausible) is something like this:

http://sysd.org/proj/psf.c

So that the file is actually there (or somewhere the user can write
to), but its process entry has been modified to give it a different
name. I thought I saw a while back that one of the security-scanning
tools (nmap or john or the like) had this as an option, but I can't
seem to find it now.

I was about to ask whether this is doable with a child perl script
without the /usr/bin/perl binary supporting it, but then I realised
that it doesn't actually need to be a perl script at all. If this is
the way he's doing it, you can't trust anything in the /proc output -
odds are it's a compiled C program somewhere in his home directory.

[quote attrib="Wash"] Wacky fun... [/quote]

Andrew

-- 
Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
                          -- Bill Garrett
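As an added example (not part of Andrew's or Tim's mail), the following Python script cross-checks the /proc fields shown in the quoted listing the way a sysadmin looking into this would: cmdline is argv, which lives in the process's own writable memory and can be rewritten by the process, whereas exe and cwd are symlinks the kernel maintains from its own state, so a disagreement between them is a lead worth following. The constructed /proc-like directories, the interpreter name list and the path /home/luser/psf are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Interpreters whose first argument is normally the script being run (assumed list).
INTERPRETERS = {"perl", "python", "python2", "python3", "sh", "bash", "ruby"}


def inspect_proc_entry(proc_dir):
    """Cross-check one /proc/<pid> directory and return a list of findings.

    cmdline is argv and can be overwritten by the process itself; exe and cwd
    are kernel-maintained symlinks.  A finding is a lead, not proof: symlinked
    interpreters (python3 -> python3.9) also produce a name mismatch."""
    p = Path(proc_dir)
    argv = [a.decode(errors="replace")
            for a in (p / "cmdline").read_bytes().split(b"\0") if a]
    try:
        exe = os.readlink(p / "exe")
    except OSError:
        exe = None  # zombie, kernel thread, or no permission to read the link
    try:
        cwd = os.readlink(p / "cwd")
    except OSError:
        cwd = None
    findings = []
    if not argv:
        return ["empty_cmdline"]  # argv zeroed out, or a kernel thread
    # Login shells prefix argv[0] with "-" (the "-bash" in the listing above).
    argv0 = os.path.basename(argv[0]).lstrip("-")
    if exe is not None and argv0 != os.path.basename(exe):
        findings.append("argv0_mismatch:%s!=%s" % (argv0, exe))
    if exe is not None and os.path.basename(exe) in INTERPRETERS and len(argv) > 1:
        script = argv[1]
        if not os.path.isabs(script) and cwd is not None:
            script = os.path.join(cwd, script)  # resolve relative to the kernel's cwd
        if not os.path.exists(script):
            findings.append("script_missing:%s" % script)
    return findings


def make_fake_proc(cmdline, exe_target, cwd_target=None):
    """Build a constructed /proc-like directory so the check runs offline."""
    d = tempfile.mkdtemp()
    if cwd_target is None:
        cwd_target = os.path.join(d, "cwd_dir")  # an empty directory, like the quoted /tmp
        os.mkdir(cwd_target)
    Path(d, "cmdline").write_bytes(cmdline)
    os.symlink(exe_target, os.path.join(d, "exe"))
    os.symlink(cwd_target, os.path.join(d, "cwd"))
    return d


if __name__ == "__main__":
    # The quoted case: "perl server.pl" with cwd pointing at a directory holding no server.pl.
    print(inspect_proc_entry(make_fake_proc(b"perl\0server.pl\0", "/usr/bin/perl")))
```

On a live system, pass `/proc/<pid>` directly; reading exe and cwd of another user's process requires root, as the `vdir` in the quoted mail was run as.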


