LinuxQuestions.org
Old 12-28-2007, 11:55 PM   #1
bjharker
LQ Newbie
 
Registered: Jan 2006
Distribution: Fedora 8 & 11, CentOS 5, Debian Etch, Slackware 12.2
Posts: 26

Rep: Reputation: 15
ps aux shows process -:0 running with root privileges


Interesting. The title says it all. Just wondering what the hell this is. Have been searching the filesystem for it and I'm pretty sure I'm escaping the characters correctly, but haven't found it. Any ideas?


openSUSE 10.1 on P4 (2.67 GHz) HP Pavilion zd7000 Notebook with 256 MB RAM.

Thanks
 
Old 12-29-2007, 05:28 AM   #2
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
this is probably the init process, "your running kernel", kill it and your system will halt
 
Old 12-29-2007, 06:39 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by bjharker
Interesting. The title says it all.
No it doesn't. Better post the exact 'ps' line. Even better, having the PID, check with 'lsof -w -n -p $PID' and verify what files you find.


Quote:
Originally Posted by doc.nice
this is probably the init process
While this may not be problematic in this case, I would like to warn against making the assumption that the argv[0] of a process has any relation to the process itself. Without going into rootkits and stuff, for a benign example of what I mean see 'man doexec'.
 
Old 12-29-2007, 08:08 PM   #4
bjharker
LQ Newbie
 
Registered: Jan 2006
Distribution: Fedora 8 & 11, CentOS 5, Debian Etch, Slackware 12.2
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks for the replies...

Here's the offending line of output:

$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
...
root 3028 0.0 0.3 3656 1636 ? S 07:41 0:00 -:0
...


This "COMMAND" seems very odd to me. Here's the output of lsof:



PID=3028
$ lsof -w -n -p $PID
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
kdm 3028 root mem REG 3,5 136468 63416 /opt/kde3/bin/kdm
kdm 3028 root mem REG 0,0 0 [heap] (stat: No such file or directory)
kdm 3028 root mem REG 3,5 27300 20918 /usr/lib/libcrack.so.2.8.0
kdm 3028 root mem REG 3,5 53488 19511 /lib/libxcrypt.so.1.2.4
kdm 3028 root mem REG 3,5 3036 24188 /lib/security/pam_deny.so
kdm 3028 root mem REG 3,5 12896 32915 /lib/libresmgr.so.1.0.0
kdm 3028 root mem REG 3,5 6200 32916 /lib/security/pam_resmgr.so
kdm 3028 root mem REG 3,5 11840 25988 /lib/security/pam_devperm.so
kdm 3028 root mem REG 3,5 29556 25993 /lib/security/pam_pwcheck.so
kdm 3028 root mem REG 3,5 42109 15586 /lib/libnss_files-2.4.so
kdm 3028 root mem REG 3,5 41986 15590 /lib/libnss_nis-2.4.so
kdm 3028 root mem REG 3,5 87850 15580 /lib/libnsl-2.4.so
kdm 3028 root mem REG 3,5 31943 15582 /lib/libnss_compat-2.4.so
kdm 3028 root mem REG 3,5 53684 23872 /usr/X11R6/lib/libXext.so.6.4
kdm 3028 root mem REG 3,5 11692 24198 /lib/security/pam_limits.so
kdm 3028 root mem REG 3,5 52356 26052 /lib/security/pam_unix2.so
kdm 3028 root mem REG 3,5 10020 24190 /lib/security/pam_env.so
kdm 3028 root mem REG 3,5 4092 24216 /lib/security/pam_warn.so
kdm 3028 root mem REG 3,5 1404242 15569 /lib/libc-2.4.so
kdm 3028 root mem REG 3,5 12789 15603 /lib/libutil-2.4.so
kdm 3028 root mem REG 3,5 74278 15597 /lib/libresolv-2.4.so
kdm 3028 root mem REG 3,5 13814 15575 /lib/libdl-2.4.so
kdm 3028 root mem REG 3,5 44120 24179 /lib/libpam.so.0.81.2
kdm 3028 root mem REG 3,5 18056 23868 /usr/X11R6/lib/libXdmcp.so.6.0
kdm 3028 root mem REG 3,5 7724 23854 /usr/X11R6/lib/libXau.so.6.0
kdm 3028 root mem REG 3,5 1019208 23848 /usr/X11R6/lib/libX11.so.6.2
kdm 3028 root mem REG 3,5 14368 23874 /usr/X11R6/lib/libXfixes.so.3.0
kdm 3028 root mem REG 3,5 29836 23896 /usr/X11R6/lib/libXrender.so.1.2.2
kdm 3028 root mem REG 3,5 33552 23864 /usr/X11R6/lib/libXcursor.so.1.0.2
kdm 3028 root mem REG 3,5 124463 15562 /lib/ld-2.4.so

What do you guys think? Is this even anything to worry about?
 
Old 12-30-2007, 05:12 PM   #5
bjharker
LQ Newbie
 
Registered: Jan 2006
Distribution: Fedora 8 & 11, CentOS 5, Debian Etch, Slackware 12.2
Posts: 26

Original Poster
Rep: Reputation: 15
btw, I don't see this on my other machine running FC4 (kernel 2.6.23.11)
 
Old 12-31-2007, 04:07 AM   #6
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
oh, sorry, this was really a quick shot, having new information and clearly reading the :0, I try another (imho much better) guess:

This is the kdm process spawned by init, awaiting your X-login...
 
Old 01-01-2008, 09:20 PM   #7
bjharker
LQ Newbie
 
Registered: Jan 2006
Distribution: Fedora 8 & 11, CentOS 5, Debian Etch, Slackware 12.2
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks for the info...I was just a little suspicious, seeing references to security-related stuff from lsof.

Cheers!
 
Old 01-02-2008, 02:30 PM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
Quote:
Originally Posted by doc.nice
This is the kdm process spawned by init, awaiting your X-login...
Maybe, at least very close -- to properly investigate this, you need to remember 2 things: the "tree" style output & that however dearly you love, & always use, the BSD forms/options w/ ps, the UNIX options are different & may be more useful in this case. Compare these partial outputs from ps auxf (BSD) & ps -ejH ("UNIX"):
Code:
TTY          TIME COMMAND
?            0:00 /usr/bin/kdm
tty7       201:22  \_ /usr/bin/X -br -dpi 100 -nolisten tcp :0 vt7
?            0:00  \_ -:0
?            0:00      \_ /bin/sh /usr/bin/x-session-manager
?            0:00          \_ /usr/bin/ssh-agent /usr/bin/dbus-launch ...
?            0:00          \_ kwrapper ksmserver
Code:
TTY          TIME CMD
?        00:00:00   kdm
tty7     03:21:38     Xorg
?        00:00:00     kdm
?        00:00:00       x-session-manag
?        00:00:00         ssh-agent
?        00:00:00         kwrapper
(Note: I have trimmed both lines & columns, including PID, PGID, & SID to get to the essence.)

I think that "-:0" is screen 0 of X Window System; or, perhaps, its root window.

Last edited by archtoad6; 01-02-2008 at 02:35 PM.
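
The check unSpawn recommends in post #3, not trusting argv[0] and looking at what the process really maps, can also be done straight from /proc. This is an added example, not part of the thread: `PROC_ROOT` and the function names are assumptions introduced here, and the sample tree is constructed from the thread's own values (PID 3028, `-:0`, `/opt/kde3/bin/kdm`, `/usr/bin/kdm`).

```shell
#!/bin/sh
# Compare the name ps prints (argv[0]) with the binary the kernel recorded.
# PROC_ROOT is a hypothetical override so the check can run on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# argv[0] as the process set it: first NUL-terminated string in cmdline.
proc_argv0() {
    tr '\0' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# Path of the executable, from the exe symlink (readable by root or the owner).
proc_exe() {
    readlink "$PROC_ROOT/$1/exe" 2>/dev/null
}

# Prints one verdict line. Returns 0 = argv[0] names the binary,
# 1 = argv[0] differs from the binary, 2 = exe link could not be read.
check_pid() {
    pid=$1
    argv0=$(proc_argv0 "$pid") || argv0=""
    exe=$(proc_exe "$pid") || exe=""
    if [ -z "$exe" ]; then
        echo "pid=$pid argv0='$argv0' exe=unreadable"
        return 2
    fi
    exe=${exe% (deleted)}   # the kernel appends this if the file was unlinked
    case "$argv0" in
        "$exe"|"${exe##*/}"|"-${exe##*/}")   # full path, basename, login-shell form
            echo "pid=$pid argv0='$argv0' exe=$exe MATCH"; return 0 ;;
        *)
            echo "pid=$pid argv0='$argv0' exe=$exe DIFFERS"; return 1 ;;
    esac
}

# Constructed sample tree (not a real /proc): 3028 mirrors the thread's "-:0"
# process, 3029 is a process whose argv[0] is its own path.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/3028" "$d/3029"
    printf '%s\0' '-:0' > "$d/3028/cmdline"
    ln -s /opt/kde3/bin/kdm "$d/3028/exe"
    printf '%s\0' '/usr/bin/kdm' > "$d/3029/cmdline"
    ln -s /usr/bin/kdm "$d/3029/exe"
    echo "$d"
}
# Usage on a live system (as root): check_pid 3028
```

A DIFFERS verdict is a prompt to look closer, as in this thread, where `-:0` turned out to be kdm's own per-display process; it is not by itself a sign of compromise.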
 
  

