[BLUG] spoofed process names?

Brian Wheeler blug_at_mailman.cs.indiana.edu
Tue, 10 Jul 2007 08:34:51 -0400


On Tue, 2007-07-10 at 11:55 +0000, ben lipkowitz wrote:
> recently i was poking around on a shared mainframe and saw that a user was 
> running a rather interesting process:
> 
> nullogic q8 - Mon06PM 11:57 Hey, I dont look at you...
> 
> where normally it would look something like this:
> fenn     rc - Mon07PM     0 (pine)
> 
> any ideas on how this might have been accomplished?
> hint: sometimes i can get "w" to say "... (zsh)" at the end.
> this is a NetBSD system btw
> 
> curiouser and curiouser
> 

Nah, it's "normal".  Consider this Perl program:

#!/usr/bin/perl
$0="hello there!";   # overwrite the argument area that ps reads
sleep 1000;          # stay alive long enough to look at it with ps

run it and then do a ps -ef:

bdwheele 31578 31505  0 08:31 pts/6    00:00:00 hello there!

From the perlvar manpage, there's a description of what's going on:

       $PROGRAM_NAME
       $0      Contains the name of the program being executed.

               On some (read: not all) operating systems assigning to $0
               modifies the argument area that the "ps" program sees.  On some
               platforms you may have to use special "ps" options or a
               different "ps" to see the changes.  Modifying the $0 is more
               useful as a way of indicating the current program state than it
               is for hiding the program you're running.  (Mnemonic: same as
               sh and ksh.)

               Note that there are platform specific limitations on the
               maximum length of $0.  In the most extreme case it may be
               limited to the space occupied by the original $0.

               In some platforms there may be arbitrary amount of padding, for
               example space characters, after the modified name as shown by
               "ps".  In some platforms this padding may extend all the way to
               the original length of the argument area, no matter what you do
               (this is the case for example with Linux 2.2).

               Note for BSD users: setting $0 does not completely remove
               "perl" from the ps(1) output.  For example, setting $0 to
               "foobar" may result in "perl: foobar (perl)" (whether both the
               "perl: " prefix and the " (perl)" suffix are shown depends on
               your exact BSD variant and version).  This is an operating
               system feature, Perl cannot help it.

               In multithreaded scripts Perl coordinates the threads so that
               any thread may modify its copy of the $0 and the change becomes
               visible to ps(1) (assuming the operating system plays along).
               Note that the view of $0 the other threads have will not change
               since they have their own copies of it.




Brian
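The flip side of what Brian describes is how an administrator spots it: the rewritten argv only changes what ps displays, not the kernel's own record of the executable. The script below is an added example (not code from Brian, ben, or the BLUG list) that cross-checks each process's displayed argv[0] against the Linux /proc/PID/comm name and the /proc/PID/exe link; the NetBSD case is the same idea using ps's own command-name column, and the "(perl)" suffix the manpage mentions is the kernel doing that check for you. The SAMPLE list is constructed from the thread's ps line plus a few ordinary processes, so the script runs without root or a live /proc; `--live` scans the real /proc.

```python
"""Flag processes whose displayed argv[0] disagrees with the kernel's own
record of the running binary.  Setting $0 in Perl (or overwriting argv in C)
rewrites the argument area that ps shows, but /proc/PID/comm and the
/proc/PID/exe symlink still name the real executable.  Added example, assumes
a Linux /proc layout."""
import os
import sys
from dataclasses import dataclass, field


@dataclass
class ProcView:
    pid: int
    cmdline: list = field(default_factory=list)  # argv as ps displays it
    comm: str = ""   # kernel's short executable name (max 15 chars on Linux)
    exe: str = ""    # resolved path of the running binary, "" if unreadable


def _norm(name):
    # Compare basenames only and truncate to the kernel's comm length.
    return os.path.basename(name)[:15]


def argv_mismatch(p):
    """Return a description if argv[0] does not match comm/exe, else None.

    Heuristic: a daemon that rewrites argv to show state ("sshd: user@pts/0")
    still starts with its real name, so prefix matches in either direction
    are accepted; only an unrelated name is reported."""
    if not p.cmdline or not p.cmdline[0].strip():
        return None  # kernel threads and zombies have an empty cmdline
    shown = _norm(p.cmdline[0].split()[0]).lstrip("-")  # "-bash" login shell
    if not shown:
        return None
    expected = {_norm(p.comm)}
    if p.exe:
        expected.add(_norm(p.exe))  # "/usr/bin/perl (deleted)" still matches
    for e in expected:
        if e and (shown == e or shown.startswith(e) or e.startswith(shown)):
            return None
    return (f"pid {p.pid}: argv shows {p.cmdline[0]!r} but kernel says "
            f"comm={p.comm!r} exe={p.exe!r}")


def scan_proc(proc="/proc"):
    """Collect ProcView records from a live Linux /proc (best effort)."""
    views = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                raw = f.read()
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited mid-scan or is not readable
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""  # needs same-uid or root; kernel threads have none
        cmdline = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        views.append(ProcView(int(entry), cmdline, comm, exe))
    return views


def find_spoofed(views):
    """Return the mismatch descriptions for every suspicious process."""
    return [r for r in (argv_mismatch(v) for v in views) if r]


# Constructed sample: the ps line from the thread plus ordinary processes.
SAMPLE = [
    ProcView(31578, ["hello there!"], "perl", "/usr/bin/perl"),   # $0 trick
    ProcView(31505, ["-bash"], "bash", "/usr/bin/bash"),          # login shell
    ProcView(1200, ["sshd: fenn@pts/6"], "sshd", "/usr/sbin/sshd"),  # state in argv
    ProcView(1300, ["/usr/bin/perl", "script.pl"], "perl", "/usr/bin/perl"),
    ProcView(2, [], "kthreadd", ""),                              # kernel thread
]

if __name__ == "__main__":
    views = scan_proc() if "--live" in sys.argv[1:] else SAMPLE
    for line in find_spoofed(views):
        print(line)
```

Expect false positives from programs that legitimately replace argv with something unrelated, and remember that on a padded Linux argv area the spoofed name may be followed by spaces; the comparison above only looks at the first word, so the padding does not matter.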


