LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Post #1, 12-06-2004, 12:29 PM
xconspirisist (Member, United Kingdom, Ubuntu)
A linux virus / very odd bug?


http://www.technowax.net/null/systemmoniter.jpg

There is a whole load of processes without a name, which seems extraordinarily strange. Can anyone explain why this might happen? How do you list processes from the command line?
 
Post #2, 12-06-2004, 12:40 PM
shmonkey (Member, UK, Ubuntu)
Could be a gnome-system-monitor bug.
Have you tried ps -aux in a terminal?
 
Post #3, 12-07-2004, 03:48 AM
theYinYeti (Senior Member, France, Arch Linux)
Or maybe a permissions issue?
 
Post #4, 12-18-2004, 06:14 AM
xconspirisist (Original Poster)
Here is a screenshot; it looks awfully odd. Reboots haven't fixed it either.

http://www.technowax.net/img/noprocess.png

Running gnome-system-monitor as root makes no difference. Here is the output of ps -aux, but I can't interpret it:

Code:
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  2360  568 ?        S    Dec14   0:05 init [3]
root         2  0.0  0.0     0    0 ?        SN   Dec14   0:00 [ksoftirqd/0]
root         3  0.0  0.0     0    0 ?        S<   Dec14   0:01 [events/0]
root         4  0.0  0.0     0    0 ?        S<   Dec14   0:00 [kblockd/0]
root         6  0.0  0.0     0    0 ?        S<   Dec14   0:00 [khelper]
root         5  0.0  0.0     0    0 ?        S    Dec14   0:00 [khubd]
root        10  0.0  0.0     0    0 ?        S<   Dec14   0:00 [aio/0]
root         9  0.0  0.0     0    0 ?        S    Dec14   0:00 [kswapd0]
root       120  0.0  0.0     0    0 ?        S    Dec14   0:00 [kseriod]
root       159  0.0  0.0     0    0 ?        S    Dec14   0:00 [kjournald]
root       586  0.0  0.0  1572  460 ?        S<s  Dec14   0:00 udevd
root      1241  0.0  0.0     0    0 ?        S    Dec14   0:00 [usb-storage]
root      1242  0.0  0.0     0    0 ?        S    Dec14   0:00 [scsi_eh_0]
root      1662  0.0  0.0     0    0 ?        S    Dec14   0:00 [kjournald]
root      1663  0.0  0.0     0    0 ?        S    Dec14   0:00 [kjournald]
root      1664  0.0  0.0     0    0 ?        S    Dec14   0:00 [kjournald]
root      2100  0.0  0.1  2820  588 ?        Ss   Dec14   0:00 syslogd -m 0
root      2104  0.0  0.0  2432  476 ?        Ss   Dec14   0:00 klogd -x
rpc       2123  0.0  0.1  2252  596 ?        Ss   Dec14   0:00 portmap
rpcuser   2142  0.0  0.1  3268  740 ?        Ss   Dec14   0:00 rpc.statd
root      2199  0.0  0.1  3688  580 ?        Ss   Dec14   0:15 nifd -n
nobody    2222  0.0  0.1 14264  984 ?        Ssl  Dec14   0:00 mDNSResponder
root      2233  0.0  0.1  3136  788 ?        S    Dec14   0:00 /usr/sbin/smartd
snort     2242  0.0  6.9 39940 35832 ?       Ss   Dec14   0:19 snort -u snort -g
root      2251  0.0  0.1  3188  540 ?        Ss   Dec14   0:00 /usr/sbin/acpid
pcap      2264  0.0  0.1  2580  832 ?        Ss   Dec14   0:01 p0f -d -o /var/lo
root      2292  0.0  0.1  3076  824 ?        Ss   Dec14   0:00 xinetd -stayalive
root      2320  0.0  0.1  2352  548 ?        Ss   Dec14   0:00 gpm -m /dev/input
root      2554  0.0  0.1  4252  800 ?        Ss   Dec14   0:00 crond
xfs       2575  0.0  0.5  5964 2928 ?        Ss   Dec14   0:00 xfs -droppriv -da
daemon    2592  0.0  0.1  2688  628 ?        Ss   Dec14   0:00 /usr/sbin/atd
dbus      2601  0.0  0.2  3496 1104 ?        Ss   Dec14   0:04 dbus-daemon-1 --s
root      2610  0.0  1.3 10188 7116 ?        Ss   Dec14   2:01 hald
root      2618  0.0  0.2  4352 1164 ?        Ss   Dec14   0:00 login -- root
root      2619  0.0  0.2  3904 1332 ?        Ss   Dec14   0:00 login -- xconspir
root      2620  0.0  0.0  2628  404 tty4     Ss+  Dec14   0:00 /sbin/mingetty --
root      2621  0.0  0.0  2216  404 tty5     Ss+  Dec14   0:00 /sbin/mingetty --
root      2622  0.0  0.0  2624  404 tty6     Ss+  Dec14   0:00 /sbin/mingetty --
500       3375  0.0  1.7 13444 9040 ?        S    Dec14   0:03 /usr/libexec/gcon
root      3673  0.0  0.0     0    0 ?        S    Dec14   0:00 [pdflush]
root      3674  0.0  0.0     0    0 ?        S    Dec14   0:00 [pdflush]
root      7801  0.0  0.2  5280 1428 tty2     Ss   Dec16   0:00 -bash
root      8006  0.0  0.2  5368 1068 tty2     S    Dec16   0:00 su
root      8007  0.0  0.2  4856 1428 tty2     S+   Dec16   0:00 bash
500       8046  0.0  0.2  4712 1436 tty3     Ss   Dec16   0:00 -bash
root      8308  0.0  0.0  2268  404 tty1     Ss+  Dec16   0:00 /sbin/mingetty --
root      8454  0.0  0.2  3432 1384 ?        S    Dec16   0:22 NetworkManager
500      11185  0.0  0.2  3024 1176 ?        S    Dec17   0:01 /usr/libexec/gam_
500      11288  0.0  0.1  5540 1020 tty3     S+   Dec17   0:00 /bin/sh /usr/X11R
500      11299  0.0  0.1  3716  588 tty3     S+   Dec17   0:00 xinit /etc/X11/xi
root     11300  1.5 11.1 72540 57460 ?       SL   Dec17  10:29 X :0
500      11330  0.0  1.2 20412 6324 tty3     S    Dec17   0:00 /usr/bin/gnome-se
500      11342  0.0  0.1  4336  868 ?        Ss   Dec17   0:00 ssh-agent /etc/X1
500      11347  0.0  0.1  2796  908 tty3     S    Dec17   0:00 /usr/bin/gnome-ke
500      11349  0.0  0.5  8328 2688 ?        Ss   Dec17   0:00 /usr/libexec/bono
500      11351  0.0  1.7 17296 9164 ?        Ss   Dec17   0:04 metacity --sm-sav
500      11353  0.0  1.4 20504 7508 ?        S    Dec17   0:00 /usr/libexec/gnom
500      11366  0.0  0.4  4740 2376 ?        S    Dec17   0:01 xscreensaver -nos
500      11374  0.0  3.8 44484 19804 ?       Ssl  Dec17   0:01 nautilus --sm-con
500      11376  0.0  1.2 20416 6568 ?        Ss   Dec17   0:00 gnome-volume-mana
500      11379  0.0  2.6 26340 13900 ?       Ss   Dec17   0:02 /usr/bin/gnome-pa
500      11394  0.0  0.7 22052 3660 ?        Sl   Dec17   0:00 /usr/libexec/gnom
500      11396  0.8  9.9 118432 51388 ?      Ssl  Dec17   5:51 epiphany --sm-con
500      11413  0.0  0.1  3792  696 ?        S    Dec17   0:00 /usr/libexec/mapp
500      11428  0.0  2.2 24244 11608 ?       S    Dec17   0:04 /usr/libexec/wnck
500      11431  0.0  1.3 20316 7152 ?        S    Dec17   0:00 /usr/libexec/noti
500      11478  0.0  3.0 40392 15648 ?       Sl   Dec17   0:04 gnome-terminal
500      11479  0.0  0.1  2984  624 ?        S    Dec17   0:00 gnome-pty-helper
500      11480  0.0  0.2  5996 1468 pts/58   Ss   Dec17   0:00 bash
root     11496  0.0  0.2  4604 1108 pts/58   S    Dec17   0:00 su
root     11499  0.0  0.2  5236 1432 pts/58   S    Dec17   0:00 bash
root     11537  2.1  3.8 31964 20008 pts/58  S+   Dec17  14:43 gnome-system-moni
root     11539  0.0  0.4  6648 2252 pts/58   S+   Dec17   0:00 /usr/libexec/gcon
500      11541  0.0  3.3 82544 17552 ?       Sl   Dec17   0:03 rhythmbox
500      11568  0.1  4.3 69228 22404 ?       Sl   00:25   0:39 gaim
500      11574  0.0  0.9 56664 4924 ?        Sl   00:25   0:00 /usr/libexec/evol
500      12245  0.0  0.2  5004 1448 pts/59   Ss   11:05   0:00 bash
root     12260  0.0  0.2  5184 1108 pts/59   S    11:05   0:00 su
root     12263  0.0  0.2  5076 1432 pts/59   S+   11:05   0:00 bash
500      13253  0.0  0.2  6248 1448 pts/62   Ss   11:10   0:00 bash
500      13268  0.0  0.1  3240  784 pts/62   R+   11:10   0:00 ps -aux

 
Post #5, 12-18-2004, 06:17 AM
xconspirisist (Original Poster)
On second opinion, all those blank processes appear to be things like 'kjournald' -- is this part of kde? I'm running gnome atm...
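The nameless entries are explained by the shape of the rows in the ps output above: [kjournald], [ksoftirqd/0], [pdflush] and the like are kernel threads, not KDE components. A kernel thread has no user-space executable and no argv, so /proc/PID/cmdline is empty (the most likely reason a monitor that builds its name column from cmdline shows blanks), and ps prints the name from /proc/PID/stat in square brackets with VSZ and RSS both zero. The script below is an added example, not code from the thread or from procps; it parses rows copied from the output above, plus one constructed row (PID 4242) that borrows a kernel-thread name while using memory like an ordinary process, and sorts them into kernel threads, user-space processes and bracketed entries that do not fit the kernel-thread profile.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Column layout of `ps aux` (procps):
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
_ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>[\d:]+)\s+(?P<command>.*)$"
)


@dataclass
class Proc:
    user: str
    pid: int
    vsz: int      # virtual size in KiB
    rss: int      # resident set in KiB
    tty: str
    stat: str
    command: str

    @property
    def is_kernel_thread(self) -> bool:
        # A kernel thread has no user-space image: no memory is mapped for it
        # (VSZ and RSS both 0) and it has no argv, so ps takes the name from
        # /proc/PID/stat and prints it in square brackets.
        return self.command.startswith("[") and self.vsz == 0 and self.rss == 0

    @property
    def looks_disguised(self) -> bool:
        # A bracketed name attached to real memory usage is a user-space
        # process whose argv merely mimics a kernel thread; check
        # /proc/PID/exe before accepting it as benign.
        return self.command.startswith("[") and not self.is_kernel_thread


def parse_ps_aux(text: str) -> list[Proc]:
    """Parse `ps aux` output; the header line and procps warnings are skipped."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m is None:
            continue
        procs.append(Proc(m["user"], int(m["pid"]), int(m["vsz"]), int(m["rss"]),
                          m["tty"], m["stat"], m["command"]))
    return procs


def classify(text: str) -> dict[str, list[Proc]]:
    """Split the table into kernel threads, user-space processes and
    bracketed entries that do not look like kernel threads."""
    out: dict[str, list[Proc]] = {"kernel": [], "user": [], "disguised": []}
    for p in parse_ps_aux(text):
        if p.is_kernel_thread:
            out["kernel"].append(p)
        elif p.looks_disguised:
            out["disguised"].append(p)
        else:
            out["user"].append(p)
    return out


# Rows copied from the poster's output, plus one constructed row (PID 4242)
# that imitates a kernel-thread name while using memory like a normal process.
SAMPLE = """\
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  2360  568 ?        S    Dec14   0:05 init [3]
root         2  0.0  0.0     0    0 ?        SN   Dec14   0:00 [ksoftirqd/0]
root       159  0.0  0.0     0    0 ?        S    Dec14   0:00 [kjournald]
root      1662  0.0  0.0     0    0 ?        S    Dec14   0:00 [kjournald]
root       586  0.0  0.0  1572  460 ?        S<s  Dec14   0:00 udevd
snort     2242  0.0  6.9 39940 35832 ?       Ss   Dec14   0:19 snort -u snort -g
pcap      2264  0.0  0.1  2580  832 ?        Ss   Dec14   0:01 p0f -d -o /var/lo
500      13268  0.0  0.1  3240  784 pts/62   R+   11:10   0:00 ps -aux
500       4242  0.0  0.3  5120 1500 ?        S    Dec17   0:00 [kjournald]
"""

if __name__ == "__main__":
    for group, procs in classify(SAMPLE).items():
        print(f"{group}: {[p.command for p in procs]}")
```

Run on a live box, feed it `ps aux` output instead of SAMPLE; the "disguised" bucket is the one to inspect, since a genuine kernel thread never has resident memory.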
 
Post #6, 12-18-2004, 04:05 PM
xconspirisist (Original Poster)
* el bumpo *
 
Post #7, 12-18-2004, 09:23 PM
Sepero (Member, Tampa, Florida, USA, Ubuntu)
Ok, first off the webpage gives me this:
"Not Found
The requested URL /img/noprocess.png was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. "

Secondly, are you user "500"? There appears to be a lot of stuff running, but it all has a name. Are you intentionally running "snort"? It is for sniffing packets on a network. There are a few other programs I don't recognize (and am very suspicious of):
rpc.statd
nifd -n
mDNSResponder
p0f -d -o /var/lo #something that tampers with log files?
hald
login -- xconspir


I have no idea if you have a trojan or not, but in my "unexperienced" opinion, it appears so.

 
Post #8, 12-18-2004, 09:45 PM
rshaw (Senior Member, Perry, Iowa, Mepis / Debian)
better in security me thinks. moving
 
Post #9, 12-19-2004, 12:02 AM
Capt_Caveman (Senior Member, Fedora)
rpc.statd
Belongs to rpc/portmap/nfs. Provides shutdown/reboot notification for RPC (see its man page for more info). You should shut off portmap and nfs if you are not using them.

nifd -n
network interface daemon (see its man page)

mDNSResponder
multicast Domain Name Service Responder

p0f -d -o /var/lo #something that tampers with log files?
p0f is a passive OS fingerprinter

hald
Hardware Abstraction Layer daemon, a hardware management daemon that utilizes dbus

login -- xconspir
A login session

In general, there doesn't seem to be anything malicious as long as snort and p0f can be accounted for. Though it's probably a wise move to turn off some of the extra daemons and services. If you are still paranoid, take a look at chkrootkit, samhain, or rootkit hunter.

Out of unrelated curiosity, what distro/version was the process list from? (It has to do with the presence of the login process.)
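The advice above amounts to two checks: account for every daemon (snort, p0f and the rest) and, if still unsure, run a rootkit scanner. The script below is an added example, not code from the thread or from chkrootkit, samhain or rootkit hunter; it performs two of the comparisons such scanners start with. `find_hidden` compares the PIDs the kernel lists under /proc with those ps reports, because a process-hiding rootkit filters the ps view but cannot remove the /proc entry of a task that is still running; `deleted_executables` flags processes whose binary has been removed from disk since it started, which the kernel marks by appending " (deleted)" to the /proc/PID/exe link. Both pure functions are exercised on constructed input; `live_report` gathers real data when run on a Linux host and only keeps PIDs that stay hidden across several rounds, since short-lived processes cause one-off differences.

```python
import os
import subprocess


def find_hidden(proc_pids, ps_pids, ignore=()):
    """PIDs present under /proc that ps did not report (sorted)."""
    return sorted(set(proc_pids) - set(ps_pids) - set(ignore))


def deleted_executables(exe_links):
    """exe_links maps pid -> readlink('/proc/PID/exe') result, or None when the
    link could not be read (kernel threads have none; other users' processes
    need root). Returns PIDs whose executable was unlinked after they started."""
    return sorted(pid for pid, target in exe_links.items()
                  if target is not None and target.endswith(" (deleted)"))


def proc_pids():
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by the ps binary, which is what a patched ps would filter."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def exe_links(pids):
    links = {}
    for pid in pids:
        try:
            links[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:          # kernel thread, exited, or permission denied
            links[pid] = None
    return links


def live_report(rounds=3):
    """Collect both views several times; report PIDs hidden in every round
    plus processes currently running from deleted executables."""
    hidden = None
    for _ in range(rounds):
        snapshot = proc_pids()               # taken before ps is spawned
        round_hidden = set(find_hidden(snapshot, ps_pids(), ignore={os.getpid()}))
        hidden = round_hidden if hidden is None else hidden & round_hidden
    return sorted(hidden), deleted_executables(exe_links(proc_pids()))


if __name__ == "__main__":
    hidden, deleted = live_report()
    print("PIDs in /proc but not in ps:", hidden or "none")
    print("running from deleted executables:", deleted or "none")
```

Run it as root so every /proc/PID/exe link is readable; a non-empty hidden list that repeats across rounds, or a daemon running from a deleted file, is the point at which to stop trusting the host's own ps and bring in a scanner from known-good media.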
 
Post #10, 12-19-2004, 12:43 AM
Sepero (Member, Tampa, Florida, USA, Ubuntu)
login -- xconspir

Looks like xconspiracy. I dunno.
 
Post #11, 12-19-2004, 01:10 AM
Capt_Caveman (Senior Member, Fedora)
Quote:
Originally posted by Sepero
login -- xconspir

Looks like xconspiracy. I dunno.
Yeah, probably would be disconcerting if his LQ username wasn't "xconspirisist"
 
Post #12, 12-19-2004, 12:17 PM
Sepero (Member, Tampa, Florida, USA, Ubuntu)
Quote:
Originally posted by Capt_Caveman
Yeah, probably would be disconcerting if his LQ username wasn't "xconspirisist"
Aww crap! I never made that connection.
 