BitJam Advocate

Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Sat Nov 09, 2013 1:33 am Post subject: Is my Perl spreading a virus? Or detecting one?
I've hit a bizarre problem that I don't understand. I was writing yet another Perl filter program to munge up some other code. I noticed that when I ran the Perl program and had the output sent to stdout, characters would fill my command line.
I reduced the Perl program to:
Code: | #!/usr/bin/perl
while (<>) {
    print;
} |
and the problem persisted although if I write that same program from scratch, it acts normally. If I copy the program to another file and run it then it acts normally. The problematic program plays the same tricks regardless of what the input file is.
Here is a hexdump -C of the Perl code that is acting up:
Code: | 00000000  23 21 2f 75 73 72 2f 62 69 6e 2f 70 65 72 6c 0a  |#!/usr/bin/perl.|
00000010  0a 77 68 69 6c 65 20 28 3c 3e 29 20 7b 0a 20 20  |.while (<>) {.  |
00000020  20 20 70 72 69 6e 74 3b 0a 7d 0a 0a              |  print;.}..|
0000002c |
A little more investigation showed that the top of the output file was overwritten with binary. Writing this raw binary to the screen is what was causing a bunch of characters to show up on my command line. The binary is about 9K bytes (update: I had previously said 717 bytes) long and starts with hex 7F followed by "ELF", which makes me suspect it is a tiny executable, and suspect that a virus is involved.
I've recently had a couple of crashes due to quickly running out of memory. The last time this happened I suspected Spam-Assassin because almost nothing else was running. It is now disabled. My wild guess is that SA was processing malicious email that used an OOM condition to infect Perl.
Edit: If I store the binary in a file and then run the "file" program on it I get: Code: | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped |
Edit-2: I re-emerged Perl but the problem persisted. It seems to be related to the path and filename of the executable Perl script. Sometimes copying and/or renaming fixes the problem and sometimes it doesn't. Changing the shebang line to: Code: | #!/usr/bin/env perl | does not fix the problem. Even running it via Perl directly does not fix the problem: Code: | perl Tools/renumber-parts.pl | If I rename the program to rnp.pl then the problem goes away.
Below is a hexdump of the start of the binary that gets spit out:
Code: | 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 9c 0e 40 00 00 00 00 00 |..>.......@.....|
00000020 40 00 00 00 00 00 00 00 68 21 00 00 00 00 00 00 |@.......h!......|
00000030 00 00 00 00 40 00 38 00 0a 00 40 00 1b 00 1a 00 |....@.8...@.....|
00000040 06 00 00 00 05 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000050 40 00 40 00 00 00 00 00 40 00 40 00 00 00 00 00 |@.@.....@.@.....|
00000060 30 02 00 00 00 00 00 00 30 02 00 00 00 00 00 00 |0.......0.......|
00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 |................|
00000080 70 02 00 00 00 00 00 00 70 02 40 00 00 00 00 00 |p.......p.@.....|
00000090 70 02 40 00 00 00 00 00 1c 00 00 00 00 00 00 00 |p.@.............|
000000a0 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000000b0 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 |..@.......@.....|
000000d0 b4 11 00 00 00 00 00 00 b4 11 00 00 00 00 00 00 |................|
000000e0 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 |.. .............|
000000f0 e0 1d 00 00 00 00 00 00 e0 1d 60 00 00 00 00 00 |..........`.....|
00000100 e0 1d 60 00 00 00 00 00 b0 02 00 00 00 00 00 00 |..`.............|
00000110 c8 02 00 00 00 00 00 00 00 00 20 00 00 00 00 00 |.......... .....|
00000120 02 00 00 00 06 00 00 00 08 1e 00 00 00 00 00 00 |................|
00000130 08 1e 60 00 00 00 00 00 08 1e 60 00 00 00 00 00 |..`.......`.....|
00000140 b0 01 00 00 00 00 00 00 b0 01 00 00 00 00 00 00 |................|
00000150 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 |................|
00000160 8c 02 00 00 00 00 00 00 8c 02 40 00 00 00 00 00 |..........@.....|
00000170 8c 02 40 00 00 00 00 00 20 00 00 00 00 00 00 00 |..@..... .......|
00000180 20 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 | ...............|
00000190 50 e5 74 64 04 00 00 00 b4 10 00 00 00 00 00 00 |P.td............|
000001a0 b4 10 40 00 00 00 00 00 b4 10 40 00 00 00 00 00 |..@.......@.....|
000001b0 34 00 00 00 00 00 00 00 34 00 00 00 00 00 00 00 |4.......4.......|
000001c0 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 |........Q.td....|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 |................|
00000200 52 e5 74 64 04 00 00 00 e0 1d 00 00 00 00 00 00 |R.td............|
00000210 e0 1d 60 00 00 00 00 00 e0 1d 60 00 00 00 00 00 |..`.......`.....|
00000220 20 02 00 00 00 00 00 00 20 02 00 00 00 00 00 00 | ....... .......|
00000230 01 00 00 00 00 00 00 00 80 15 04 65 00 28 00 00 |...........e.(..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000260 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 |................|
00000270 2f 6c 69 62 36 34 2f 6c 64 2d 6c 69 6e 75 78 2d |/lib64/ld-linux-|
00000280 78 38 36 2d 36 34 2e 73 6f 2e 32 00 04 00 00 00 |x86-64.so.2.....|
00000290 10 00 00 00 01 00 00 00 47 4e 55 00 00 00 00 00 |........GNU.....|
000002a0 02 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00 |................|
000002b0 3b 00 00 00 24 00 00 00 15 00 00 00 1f 00 00 00 |;...$...........|
000002c0 00 00 00 00 00 00 00 00 00 00 00 00 0a |.............|
000002cd |
turtles Veteran


Joined: 31 Dec 2004 Posts: 1698
Posted: Tue Nov 12, 2013 7:48 am
Can you pastebin the original?
What type of machine was it written for?
BitJam Advocate

Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Tue Nov 12, 2013 8:15 am
I now think it is benign. I think it is a bug in Perl (or elsewhere?). It copies the Perl binary instead of the file that is supposed to be output. I think the file handles are getting mixed up.
I re-installed Perl and there was no change. It seems to be triggered by certain path/filenames of the little Perl script. OTOH, if I create the same file and directory structure elsewhere, I can't reproduce the bug. The bug seems to depend only on the path/filename of the script. A buggy script will reproduce the bug regardless of the name of the input file or even with input from stdin.
When I reinstall Perl, the md5sum of the binary changes but the length stays the same, which is expected. The bug remains and the new Perl binary gets copied to stdout. I use Perl all the time and it does not seem to be unreliable. I think this is a rare bug. Although I wonder if this is what caused Spam Assassin to go haywire.
This is on an amd-64 system.
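Added example (my own code, not posted by anyone in this thread): a small Python triage script for exactly the situation in the first post and the "it copies the Perl binary" theory in the second. It decodes the ELF64 header from the first 64 bytes of the dumped blob (those bytes are transcribed from the hexdump in the first post and are the complete header), and compares a full captured blob, by size and SHA-256, with a candidate binary such as /usr/bin/perl. A size and hash match settles the "file handles mixed up" question in one step. The script name elf_triage.py, the candidate path and the assumption that the section header table sits at the end of the file are mine; the sample bytes are only the header, so the truncation check flags them as incomplete.

```python
"""Triage for a binary blob that unexpectedly showed up on a script's stdout.

Two questions decide between "output-handle mixup that dumped the interpreter"
and "unknown executable": what does the ELF header say, and is the blob
byte-for-byte the interpreter that ran the script?
"""
import hashlib
import os
import struct
import sys
from typing import Optional

# Constructed sample: the first 64 bytes of the blob, transcribed from the
# hexdump posted in the thread. Those 64 bytes are exactly the ELF64 header.
SAMPLE_HEADER = bytes.fromhex(
    "7f454c46020101000000000000000000"
    "02003e00010000009c0e400000000000"
    "40000000000000006821000000000000"
    "00000000400038000a0040001b001a00"
)

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf64_header(blob: bytes) -> dict:
    """Decode a little-endian ELF64 header; raise ValueError for anything else."""
    if len(blob) < 64 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic or too short)")
    ei_class, ei_data = blob[4], blob[5]  # 2 = ELF64, 1 = little-endian
    if ei_class != 2 or ei_data != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    # Fields after e_ident, in file order: e_type, e_machine, e_version,
    # e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
    # e_shentsize, e_shnum, e_shstrndx.
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
     ) = struct.unpack_from("<HHIQQQIHHHHHH", blob, 16)
    if e_ehsize != 64:
        raise ValueError("inconsistent e_ehsize for ELF64")
    return {
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum,
        "shoff": e_shoff, "shentsize": e_shentsize, "shnum": e_shnum,
        "shstrndx": e_shstrndx,
    }


def expected_file_size(header: dict) -> int:
    """Smallest file that can hold the section header table the header describes.

    Assumption: the section header table is the last thing in the file, which
    is how the usual linkers lay out an executable. A captured blob shorter
    than this is a truncated capture.
    """
    return header["shoff"] + header["shnum"] * header["shentsize"]


def compare_with_binary(blob: bytes, candidate: str) -> Optional[dict]:
    """Compare the blob with a file on disk, e.g. "/usr/bin/perl".

    Returns None if the candidate does not exist. A size match plus a SHA-256
    match means the interpreter itself was written out (an output-handle
    mixup), not a foreign executable.
    """
    if not os.path.isfile(candidate):
        return None
    with open(candidate, "rb") as f:
        data = f.read()
    return {
        "size_match": len(data) == len(blob),
        "sha256_match": hashlib.sha256(data).digest() == hashlib.sha256(blob).digest(),
        "blob_sha256": hashlib.sha256(blob).hexdigest(),
    }


def triage(blob: bytes, candidate: str) -> dict:
    """Run both checks on a captured blob."""
    header = parse_elf64_header(blob)
    return {
        "header": header,
        "truncated": len(blob) < expected_file_size(header),
        "against_candidate": compare_with_binary(blob, candidate),
    }


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   ./Tools/renumber-parts.pl < anything | python3 elf_triage.py /usr/bin/perl
    captured = sys.stdin.buffer.read()
    interpreter = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/perl"
    print(triage(captured, interpreter))
```

On the header alone this reproduces what `file` reported: type EXEC, machine x86-64, entry 0x400e9c, 10 program headers and 27 section headers, with the section table ending at 0x2168 + 27*64 = 10280 bytes, which is consistent with the "about 9K" size in the first post. Feed it the whole captured blob together with the path of the interpreter that ran the script; a `sha256_match` of True confirms the second post's theory that the Perl binary itself was written to the output handle, and a mismatch is the point at which it is worth treating the blob as an unknown executable.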
limn l33t

Joined: 13 May 2005 Posts: 997
Posted: Tue Nov 12, 2013 12:18 pm
This did not sound like a virus. More like an inode confusion from your crashes.