Gentoo Forums
Is my Perl spreading a virus? Or detecting one?
BitJam (Advocate), Joined: 12 Aug 2003, Posts: 2454, Location: Silver City, NM

Posted: Sat Nov 09, 2013 1:33 am    Post subject: Is my Perl spreading a virus? Or detecting one?

I've hit a bizarre problem that I don't understand. I was writing yet another Perl filter program to munge up some other code. I noticed that when I ran the Perl program and had the output sent to stdout, characters would fill my command line.

I reduced the Perl program to:
Code:
#!/usr/bin/perl

while (<>) {
    print;
}

and the problem persisted, although if I write that same program from scratch, it acts normally. If I copy the program to another file and run it, then it acts normally. The problematic program plays the same tricks regardless of what the input file is.

Here is a hexdump -C of the Perl code that is acting up:
Code:
00000000  23 21 2f 75 73 72 2f 62  69 6e 2f 70 65 72 6c 0a  |#!/usr/bin/perl.|
00000010  0a 77 68 69 6c 65 20 28  3c 3e 29 20 7b 0a 20 20  |.while (<>) {.  |
00000020  20 20 70 72 69 6e 74 3b  0a 7d 0a 0a              |  print;.}..|
0000002c

A little more investigation showed that the top of the output file was overwritten with binary. Writing this raw binary to the screen is what was causing a bunch of characters to show up on my command line. The binary is about 9K bytes (update: I had previously said 717 bytes) long and starts with hex 7F followed by "ELF", which makes me suspect it is a tiny executable and suspect that a virus is involved.

I've recently had a couple of crashes due to quickly running out of memory. The last time this happened I suspected Spam-Assassin because almost nothing else was running. It is now disabled. My wild guess is that SA was processing malicious email that used an OOM condition to infect Perl.

Edit: If I store the binary in a file and then run the "file" program on it I get:
Code:
 ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped


Edit-2: I re-emerged Perl but the problem persisted. It seems to be related to the path and filename of the executable Perl script. Sometimes copying and/or renaming fixes the problem and sometimes it doesn't. Changing the shebang line to:
Code:
#!/usr/bin/env perl

does not fix the problem. Even running it via Perl directly does not fix the problem:
Code:
perl Tools/renumber-parts.pl
If I rename the program to rnp.pl then the problem goes away.


Below is a hexdump of the start of the binary that gets spit out:
Code:
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  9c 0e 40 00 00 00 00 00  |..>.......@.....|
00000020  40 00 00 00 00 00 00 00  68 21 00 00 00 00 00 00  |@.......h!......|
00000030  00 00 00 00 40 00 38 00  0a 00 40 00 1b 00 1a 00  |....@.8...@.....|
00000040  06 00 00 00 05 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000050  40 00 40 00 00 00 00 00  40 00 40 00 00 00 00 00  |@.@.....@.@.....|
00000060  30 02 00 00 00 00 00 00  30 02 00 00 00 00 00 00  |0.......0.......|
00000070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  |................|
00000080  70 02 00 00 00 00 00 00  70 02 40 00 00 00 00 00  |p.......p.@.....|
00000090  70 02 40 00 00 00 00 00  1c 00 00 00 00 00 00 00  |p.@.............|
000000a0  1c 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000000b0  01 00 00 00 05 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 40 00 00 00 00 00  00 00 40 00 00 00 00 00  |..@.......@.....|
000000d0  b4 11 00 00 00 00 00 00  b4 11 00 00 00 00 00 00  |................|
000000e0  00 00 20 00 00 00 00 00  01 00 00 00 06 00 00 00  |.. .............|
000000f0  e0 1d 00 00 00 00 00 00  e0 1d 60 00 00 00 00 00  |..........`.....|
00000100  e0 1d 60 00 00 00 00 00  b0 02 00 00 00 00 00 00  |..`.............|
00000110  c8 02 00 00 00 00 00 00  00 00 20 00 00 00 00 00  |.......... .....|
00000120  02 00 00 00 06 00 00 00  08 1e 00 00 00 00 00 00  |................|
00000130  08 1e 60 00 00 00 00 00  08 1e 60 00 00 00 00 00  |..`.......`.....|
00000140  b0 01 00 00 00 00 00 00  b0 01 00 00 00 00 00 00  |................|
00000150  08 00 00 00 00 00 00 00  04 00 00 00 04 00 00 00  |................|
00000160  8c 02 00 00 00 00 00 00  8c 02 40 00 00 00 00 00  |..........@.....|
00000170  8c 02 40 00 00 00 00 00  20 00 00 00 00 00 00 00  |..@..... .......|
00000180  20 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  | ...............|
00000190  50 e5 74 64 04 00 00 00  b4 10 00 00 00 00 00 00  |P.td............|
000001a0  b4 10 40 00 00 00 00 00  b4 10 40 00 00 00 00 00  |..@.......@.....|
000001b0  34 00 00 00 00 00 00 00  34 00 00 00 00 00 00 00  |4.......4.......|
000001c0  04 00 00 00 00 00 00 00  51 e5 74 64 06 00 00 00  |........Q.td....|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
00000200  52 e5 74 64 04 00 00 00  e0 1d 00 00 00 00 00 00  |R.td............|
00000210  e0 1d 60 00 00 00 00 00  e0 1d 60 00 00 00 00 00  |..`.......`.....|
00000220  20 02 00 00 00 00 00 00  20 02 00 00 00 00 00 00  | ....... .......|
00000230  01 00 00 00 00 00 00 00  80 15 04 65 00 28 00 00  |...........e.(..|
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000260  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
00000270  2f 6c 69 62 36 34 2f 6c  64 2d 6c 69 6e 75 78 2d  |/lib64/ld-linux-|
00000280  78 38 36 2d 36 34 2e 73  6f 2e 32 00 04 00 00 00  |x86-64.so.2.....|
00000290  10 00 00 00 01 00 00 00  47 4e 55 00 00 00 00 00  |........GNU.....|
000002a0  02 00 00 00 06 00 00 00  09 00 00 00 00 00 00 00  |................|
000002b0  3b 00 00 00 24 00 00 00  15 00 00 00 1f 00 00 00  |;...$...........|
000002c0  00 00 00 00 00 00 00 00  00 00 00 00 0a           |.............|
000002cd
turtles (Veteran), Joined: 31 Dec 2004, Posts: 1235

Posted: Tue Nov 12, 2013 7:48 am    Post subject:

Can you pastebin the original?
What type of machine was it written for?
BitJam (Advocate), Joined: 12 Aug 2003, Posts: 2454, Location: Silver City, NM

Posted: Tue Nov 12, 2013 8:15 am    Post subject:

I now think it is benign. I think it is a bug in Perl (or elsewhere?). It copies the Perl binary instead of the file that is supposed to be output. I think the file handles are getting mixed up.

I re-installed Perl and there was no change. It seems to be triggered by certain path/filenames of the little Perl script. OTOH, if I create the same file and directory structure elsewhere, I can't reproduce the bug. The bug seems to depend only on the path/filename of the script. A buggy script will reproduce the bug regardless of the name of the input file or even with input from stdin.

When I reinstall Perl, the md5sum of the binary changes but the length stays the same, which is expected. The bug remains and the new Perl binary gets copied to stdout. I use Perl all the time and it does not seem to be unreliable. I think this is a rare bug. Although I wonder if this is what caused Spam Assassin to go haywire.

This is on an amd-64 system.
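A small check for the situation BitJam describes, added here as an example and not code from the thread: it decodes the ELF64 header of the leaked bytes (the first 64 bytes from the hexdump above, embedded as a constructed sample) and compares the leaked output against candidate interpreter binaries to confirm the output is a plain copy of an installed executable rather than something unknown. The interpreter paths passed at the bottom are assumptions.

```python
import struct
from pathlib import Path

# Constructed sample: the first 64 bytes of the leaked output, taken from the hexdump in the thread.
LEAKED_HEAD = bytes.fromhex(
    "7f454c46020101000000000000000000"
    "02003e00010000009c0e400000000000"
    "40000000000000006821000000000000"
    "00000000400038000a0040001b001a00"
)

ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header, little-endian
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf64_header(data):
    """Decode the ELF64 header; raises ValueError if the bytes are not ELF64 LSB."""
    if len(data) < ELF64_HDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS must be 64-bit, EI_DATA little-endian
        raise ValueError("only ELF64 little-endian is handled here")
    (_ident, e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = ELF64_HDR.unpack(data[:64])
    return {
        "type": E_TYPES.get(e_type, hex(e_type)),
        "machine": E_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry, "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shnum": e_shnum,
    }


def same_prefix(leaked, candidate):
    """True if the leaked bytes are exactly the start of the candidate binary (a plain copy)."""
    return len(leaked) > 0 and candidate[: len(leaked)] == leaked


def find_source_binary(leaked, candidate_paths):
    """Return the first existing file whose start matches the leaked bytes, else None."""
    for path in candidate_paths:
        p = Path(path)
        if p.is_file() and same_prefix(leaked, p.read_bytes()):
            return str(p)
    return None


if __name__ == "__main__":
    print(parse_elf64_header(LEAKED_HEAD))
    # Assumed interpreter locations; adjust for the system under inspection.
    print(find_source_binary(LEAKED_HEAD, ["/usr/bin/perl", "/usr/bin/perl5"]))
```

Feeding the whole leaked output (not just 64 bytes) to find_source_binary is the stronger check, since a prefix of the full ~9K matching the interpreter rules out a separate payload.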
limn (l33t), Joined: 13 May 2005, Posts: 903

Posted: Tue Nov 12, 2013 12:18 pm    Post subject:

This did not sound like a virus. More like an inode confusion from your crashes.