LinuxQuestions.org
Old 04-09-2011, 02:25 PM   #1
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Rep: Reputation: 0
Strange process found (Bluetooth kernel module, s2u)


Had a look at the processes of my computer with ps ax
and found a bluetooth process even though I don't have bluetooth!
That process had high priority and I was not able to kill it in any way!
Had to reboot to get rid of it.

7165 ? S< 0:00 [bluetooth]
8712 ? Ss 0:00 /usr/sbin/mandi -d
12811 ? Sl 0:05 kdeinit4: konsole [kdeinit]

My question: what or who could have started that process?
Ran chkrootkit, nothing found.
Hmmm.
 
Old 04-09-2011, 02:44 PM   #2
vtel57
Member
 
Registered: Jul 2006
Location: VPN Tunnel, USA
Distribution: Slackware64
Posts: 917

Rep: Reputation: 105
That is a normal process. It was started when you booted up. I'm not positive how this works in Mandriva, but you should be able to go to /etc/rc.d and remove the x permissions of the bluetooth init script to get it to stop loading on boot.

Code:
# chmod -x /etc/rc.d/bluetooth
Stand by for advice from someone more familiar with Mandriva who can confirm my method or give you a better one.

Luck!

~Eric
 
1 members found this post helpful.
Old 04-10-2011, 11:19 AM   #3
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Thanks Eric,
but why did this process appear just once?
There had been no changes to the configuration, no new programs installed
or installed programs removed.
What makes me concerned: that process never happened before or afterwards. I booted
several times in the meantime and that process never appeared again!
So, my question refined:
Is there any way to figure out what minstrel has started that process?
An accidentally pressed button on my computer?
Can this process be started externally from another machine?
thanks
robeich
 
Old 04-10-2011, 11:55 AM   #4
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Had a look at /etc/rc.d; there is no bluetooth, hmmm
 
Old 04-10-2011, 01:30 PM   #5
vtel57
Member
 
Registered: Jul 2006
Location: VPN Tunnel, USA
Distribution: Slackware64
Posts: 917

Rep: Reputation: 105
Hi robeich...

Bluetooth is a proprietary open wireless technology standard. It's included in most Linux distributions and usually starts automatically. The operating system assumes you have/use Bluetooth devices. It's been a long time since I ran Mandriva on any of my systems, so I can't remember how their daemons are started at boot.

The Bluetooth daemon that you see starting on your system is harmless. However, there definitely is a way to prevent it from starting. I just don't know for sure how to do it. You could try this --> http://wiki.mandriva.com/fr/Service <-- that is the drakxservices doc page at the Mandriva wiki. Unfortunately, it's only in French. You can see from the picture, though, that you can disable and enable services using the drakxservices tool.

Give that a shot. Be careful what you turn off. You may need some of that stuff for your system to work properly. As far as the bluetooth goes, though, if you're not running any Bluetooth devices, you can probably safely disable that one.

Luck!

~Eric

Last edited by vtel57; 04-10-2011 at 01:31 PM.
 
Old 04-10-2011, 02:08 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by vtel57
That is a normal process. It was started when you booted up.
Please keep in mind that guessing the purpose of a process solely from an arbitrary string can be misleading, as changing argv[0] is trivial. (And saying something is "harmless" may seem harmless to you but strictly speaking you have no evidence at all this is the case.)

In this case the square brackets around the "bluetooth" string should denote this as a kernel thread but only if its parent PID is equal to the PID of the "kthread" kernel process. When I run internal or external Bluetooth devices and bluetooth services on two separate machines with different 2.6 kernels I don't see any "[bluetooth]" thread BTW.
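
The check described in the post above, as an added example that is not part of the original thread: it decides whether a bracketed `ps` entry is a genuine kernel thread by reading `/proc/<pid>/stat` and `/proc/<pid>/cmdline` instead of trusting the displayed name. It assumes a kernel where kernel threads are children of `kthreadd` (PID 2) and carry the `PF_KTHREAD` task flag; the function names, verdict strings and the two sample stat lines are constructed for illustration.

```python
import os

PF_KTHREAD = 0x00200000   # "I am a kernel thread" task flag (include/linux/sched.h)
KTHREADD_PID = 2          # assumption: kernel threads are forked by kthreadd, PID 2

# Constructed /proc/<pid>/stat samples (not taken from the poster's machine).
GENUINE = "7165 (bluetooth) S 2 0 0 0 -1 2129984 0 0 0 0 0 0 0 0 0 -20 1 0 1000 0 0"
SPOOFED = "7165 (a.out) S 1 7165 7165 0 -1 4202560 0 0 0 0 0 0 0 0 20 0 1 0 1000 0 0"


def parse_stat(stat_text):
    """Return (comm, state, ppid, flags) from the text of /proc/<pid>/stat."""
    # comm sits in parentheses and may itself contain spaces or ')',
    # so split on the LAST ')' instead of on whitespace.
    head, _, tail = stat_text.rpartition(")")
    fields = tail.split()
    return head.split("(", 1)[1], fields[0], int(fields[1]), int(fields[6])


def classify(stat_text, cmdline):
    """Classify one process from its stat text and raw cmdline bytes."""
    comm, state, ppid, flags = parse_stat(stat_text)
    if flags & PF_KTHREAD and ppid in (0, KTHREADD_PID) and not cmdline:
        return "kernel-thread"
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace").strip()
    bracketed = not cmdline or (argv0.startswith("[") and argv0.endswith("]"))
    # ps prints "[comm]" when cmdline is empty; zombies legitimately look like that.
    if bracketed and state != "Z":
        return "suspicious-bracketed-userland"
    return "userland"


def scan_proc(proc="/proc"):
    """Yield (pid, verdict, comm) for every process readable under /proc."""
    for entry in sorted(filter(str.isdigit, os.listdir(proc)), key=int):
        try:
            with open(f"{proc}/{entry}/stat") as f:
                stat_text = f.read()
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:  # process exited between listdir and open
            continue
        yield int(entry), classify(stat_text, cmdline), parse_stat(stat_text)[0]


if __name__ == "__main__":
    for pid, verdict, comm in scan_proc():
        if verdict == "suspicious-bracketed-userland":
            print(pid, comm, verdict)
```

A process flagged as suspicious here is worth a closer look at `/proc/<pid>/exe`, `cwd` and `fd`; a genuine kernel thread has no `exe` target at all.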
 
Old 04-10-2011, 02:50 PM   #7
vtel57
Member
 
Registered: Jul 2006
Location: VPN Tunnel, USA
Distribution: Slackware64
Posts: 917

Rep: Reputation: 105
Well, you definitely seem more knowledgeable on this subject than I am. Thanks for stepping in with clarification. If you can help the original poster, please do. I'll step aside.

Regards,

~Eric
 
Old 04-10-2011, 06:48 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by robeich
Is there any way to figure out what minstrel has started that process ?
Best check your system logs up to the time you encountered the Bluetooth kernel thread in the process list. Does your machine have an internal BT device or an external one? Do you connect, or did you try to configure, any external BT devices (mouse, audio, phone, etc) or do you use Bluetooth for networking (PAN)?
 
Old 04-11-2011, 05:56 AM   #9
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
I checked /var/log/messages and /var/log/security.log.
I checked again and found this:

Apr 8 10:59:38 hpsmall ifplugd(eth0)[1388]: Link beat lost.
Apr 8 10:59:38 hpsmall klogd: tg3: eth0: Link is up at 100 Mbps, full duplex.
Apr 8 10:59:38 hpsmall klogd: tg3: eth0: Flow control is on for TX and on for RX.
Apr 8 10:59:39 hpsmall ifplugd(eth0)[1388]: Link beat detected.
Apr 8 10:59:57 hpsmall klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=47 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3072 DPT=514 LEN=27
Apr 8 10:59:57 hpsmall klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=3072 DPT=514 LEN=57
Apr 8 10:59:58 hpsmall net_applet[5014]: running: /usr/sbin/drakids
Apr 8 10:59:58 hpsmall drakids[8886]: ### Program is starting ###
Apr 8 11:00:01 hpsmall CROND[8892]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
Apr 8 11:00:01 hpsmall msec: A sniffer is probably running on your system.
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
Apr 8 11:00:01 hpsmall msec: A sniffer is probably running on your system.


The computer is an hp thin client hpt5730 and I just had a look at the hardware manual
and there is no bluetooth mentioned.
As well, I have to say again there is no bluetooth device connected to this computer.
And I had a look at Software management in Control Center and realized I do
not have any bluetooth software installed!

What the hell is going on on my machine, how did they come through the first firewall of my netgear MBR624GU?
hmmm
thanks
robeich

Last edited by robeich; 04-11-2011 at 07:00 AM.
 
Old 04-11-2011, 09:39 AM   #10
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Just realized that I'm using tcpdump; that's probably my sniffer!

As well I found this in /var/log/messages:

Apr 8 10:39:54 hpsmall klogd: Bluetooth: Core ver 2.15
Apr 8 10:39:54 hpsmall klogd: NET: Registered protocol family 31
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI device and connection manager initialized
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI socket layer initialized
Apr 8 10:39:54 hpsmall klogd: device eth0 entered promiscuous mode
Apr 8 10:39:54 hpsmall klogd: device eth0 left promiscuous mode

Now I'm totally confused, is there a bluetooth in my hp thin client without the knowledge of anybody or ?????

now I feel a little bit dizzy
robeich
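
An added example, not part of the original posts: a small correlator for the `/var/log/messages` lines quoted in the two posts above, listing which other events were logged within two seconds of the Bluetooth core being initialized. The event labels and function names are hypothetical, and the year is an assumption because syslog timestamps of this form carry none.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the /var/log/messages excerpts quoted in the thread.
SAMPLE = """\
Apr 8 10:39:54 hpsmall klogd: Bluetooth: Core ver 2.15
Apr 8 10:39:54 hpsmall klogd: NET: Registered protocol family 31
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI socket layer initialized
Apr 8 10:39:54 hpsmall klogd: device eth0 entered promiscuous mode
Apr 8 10:39:54 hpsmall klogd: device eth0 left promiscuous mode
Apr 8 10:59:58 hpsmall drakids[8886]: ### Program is starting ###
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
"""

LINE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+(.*)$")
EVENTS = {  # hypothetical event label -> pattern on the message part
    "bt_core_loaded": re.compile(r"Bluetooth: Core ver"),
    # Protocol family 31 is AF_BLUETOOTH on Linux.
    "af_bluetooth_registered": re.compile(r"Registered protocol family 31\b"),
    "promisc_enter": re.compile(r"device \S+ entered promiscuous mode"),
    "promisc_leave": re.compile(r"device \S+ left promiscuous mode"),
    "msec_promisc_warning": re.compile(r"msec: Security warning : \S+ is in promiscuous"),
}


def parse(text, year=2011):
    """Return [(datetime, label)] for every line matching a known event."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated or unrecognised line
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        out += [(ts, label) for label, rx in EVENTS.items() if rx.search(msg)]
    return out


def near(events, anchor="bt_core_loaded", window=timedelta(seconds=2)):
    """For each anchor event, list the other labels logged within +/- window."""
    hits = {}
    for ts, label in events:
        if label == anchor:
            hits[ts] = sorted({l for t, l in events
                               if l != anchor and abs(t - ts) <= window})
    return hits


if __name__ == "__main__":
    for ts, labels in near(parse(SAMPLE)).items():
        print(ts.isoformat(), labels)
```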
 
Old 04-11-2011, 11:14 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Running 'lspci; lsusb' should show.
 
1 members found this post helpful.
Old 04-12-2011, 05:11 AM   #12
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Thanks unSpawn, here is the result:

00:00.0 Host bridge: ATI Technologies Inc RS690 Host Bridge
00:01.0 PCI bridge: ATI Technologies Inc RS690 PCI to PCI Bridge (Internal gfx)
00:04.0 PCI bridge: ATI Technologies Inc Device 7914
00:13.0 USB Controller: ATI Technologies Inc SB600 USB (OHCI0)
00:13.1 USB Controller: ATI Technologies Inc SB600 USB (OHCI1)
00:13.2 USB Controller: ATI Technologies Inc SB600 USB (OHCI2)
00:13.3 USB Controller: ATI Technologies Inc SB600 USB (OHCI3)
00:13.4 USB Controller: ATI Technologies Inc SB600 USB (OHCI4)
00:13.5 USB Controller: ATI Technologies Inc SB600 USB Controller (EHCI)
00:14.0 SMBus: ATI Technologies Inc SBx00 SMBus Controller (rev 14)
00:14.1 IDE interface: ATI Technologies Inc SB600 IDE
00:14.2 Audio device: ATI Technologies Inc SBx00 Azalia (Intel HDA)
00:14.3 ISA bridge: ATI Technologies Inc SB600 PCI to LPC Bridge
00:14.4 PCI bridge: ATI Technologies Inc SBx00 PCI to PCI Bridge
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:05.0 VGA compatible controller: ATI Technologies Inc RS690M [Radeon X1200 Series]
02:00.0 Ethernet controller: Broadcom Corporation NetLink BCM5787M Gigabit Ethernet PCI Express (rev 02)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0d49:7310 Maxtor
Bus 001 Device 003: ID 04fc:0c25 Sunplus Technology Co., Ltd SATALink SPIF225A
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

It seems no bluetooth hmmm
robeich
 
Old 04-12-2011, 11:57 AM   #13
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Now it's getting HOT
That bluetooth process appeared again:

9748 ? S 0:00 kdeinit4: kio_file [kdeinit] file local:/home/rob/tmp/ksocket-rob/klauncherMT3116.slave-socket local:/home/rob/tmp/ksocket-rob/dolphinLf3749.slave-socket
14321 ? S< 0:00 [bluetooth]
14607 ? Sl 0:01 kdeinit4: konsole [kdeinit]
14610 pts/2 Ss 0:00 /bin/bash
14638 pts/2 S 0:00 su
14671 pts/2 S 0:00 bash
14980 ? S 0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/home/rob/tmp/ksocket-rob/klauncherMT3116.slave-socket local:/home/rob/tmp/ksocket-rob/dolphinzY3749.slave-socke
15143 pts/2 R+ 0:00 ps ax

and now the HIT:
a red box with white letters right in top of date and time appeared for about 2 seconds told me:leave or restart computer

and I got another new strange process:

2023 ? Ss 0:00 s2u --daemon=yes

uiuiui
robeich
 
Old 04-12-2011, 12:56 PM   #14
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
What do those processes' /proc directories look like?

cwd = current working directory of the process
exe = copy of the executable
fd = open file descriptors

Or how about lsof's of the processes?

nomb
 
Old 04-13-2011, 01:52 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by robeich
It seems no bluetooth hmmm
Agree.


Quote:
Originally Posted by robeich
Code:
14321 ?        S<     0:00 [bluetooth]
Next time try listing processes with '/bin/ps axfwwwo pid,ppid,pgid,sid,sess,uid,cmd --sort=ppid' as that provides more info. In addition to the ls-like commands above try running 'lsmod; grep -r /etc/modprobe.conf /etc/modprobe.d -e bluetooth 2>/dev/null' as that would show if any BT modules are configured or getting loaded.


Quote:
Originally Posted by robeich
a red box with white letters right in top of date and time appeared for about 2 seconds told me:leave or restart computer
This might be an update process. Check your distributions (automated) update procedures.


Quote:
Originally Posted by robeich
and I got another new strange process:
Code:
 2023 ?        Ss     0:00 s2u --daemon=yes
Given a process name you might try 'which s2u; locate s2u; whatis s2u' and given its PID you might try 'lsof -Pwln [PID]' to gather info.
 
  

