
You could set argv[0] too:

  $ perl -e '$0="/usr/sbin/httpd";fork or sleep 1000';ps



Good point - I was thinking about persistence, but I saw the argv trick in the wild in the early 2000s when someone hit a PHP script in one of our undergrads' home directories and dropped something fun onto the system.

I think I used lsof back then but it’s been a while.


  $ readlink /proc/`pgrep /usr/sbin/httpd`/exe
  /usr/bin/perl
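The `readlink /proc/<pid>/exe` check above generalises into a small sweep over every process, flagging any whose argv[0] disagrees with the executable backing it. This is an added example, not code from the thread; it assumes Linux (`/proc/<pid>/exe` and `/proc/<pid>/cmdline`) and compares basenames so that `/usr/sbin/httpd` versus `httpd` is not reported.

```shell
#!/bin/sh
# Added example (not from the thread): detect processes whose argv[0] does not
# match the executable that is actually running. Linux-only: reads /proc.

# Return 0 (true) when the claimed name (argv[0]) and the real executable
# (target of /proc/<pid>/exe) disagree. Compares basenames only; a leading
# "-" (login shells) and a " (deleted)" suffix on the exe link are stripped.
argv0_mismatch() {
    exe="$1"
    argv0="$2"
    [ -z "$argv0" ] && return 1              # kernel threads have no cmdline
    case "$exe" in *" (deleted)") exe="${exe% (deleted)}" ;; esac
    argv0="${argv0#-}"                       # "-bash" is a normal login shell
    [ "${exe##*/}" != "${argv0##*/}" ]
}

# Walk /proc and print pid, real executable and argv[0] for each mismatch.
# Reading /proc/<pid>/exe of another user's process needs root.
scan_procs() {
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        if argv0_mismatch "$exe" "$argv0"; then
            printf '%s\t%s\t%s\n' "$pid" "$exe" "$argv0"
        fi
    done
}

# Run the sweep only when asked, so the functions can be sourced separately.
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

Run it as `sh scan.sh --scan` (as root for full coverage). Expect some benign hits: `sh` resolving to `dash` or `busybox` applets, and any program that renames itself for readability the way `ssh` or `postfix` do, so treat the output as a triage list rather than a verdict. A process whose argv[0] claims a system daemon while `exe` points at an interpreter, as in the perl example above, is the case worth a closer look.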


For me, it looks like:

17630 27 S 0:00.00 /usr/sbin/httpd (perl)

which stands out like a sore thumb, IMHO.


That's what I see on FreeBSD.

ps, top, and htop all show /usr/sbin/httpd on Ubuntu.


*BSD, I suppose, but the idea is that the binary itself would be named httpd. Like "cp /usr/bin/perl ./httpd" first.


What does it do?


The name of the program as it was invoked is stored in `argv[0]`. The perl script overwrites the value before continuing on.


Hides the startup command line of the program by masking it with another value. In this example you wouldn't see that the perl program was started, you'll see this httpd thing.

It's not completely reliable but most people wouldn't look that deep anyway.

