LinuxQuestions.org
Old 08-01-2012, 05:33 PM   #1
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

what is the process named unknown process belonging to root?


Hi
There is a process named "unknown process" which changes its ID every second and has no window or .... it just belongs to root!
I am thinking of some processes which I previously mentioned in a separate thread as "child not found". At that time it was not detected by "system monitor", but now, after installing Mandriva 2012, it is shown there...
It is not using CPU or memory as it shows....
I have also tried to make an executable script and copied it into /bin and some other places... could it be the result of that? Or what?
Should I be concerned about that? Please help!

Last edited by irajjs; 08-01-2012 at 05:42 PM.
 
Old 08-02-2012, 07:40 PM   #2
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, Mint
Posts: 6,903

Could you post the relevant output from ps -A, making sure to enclose them in "code" tags, which become available when you click "Go Advanced" down there at the bottom of the Quick Reply window?

Also, does this process appear in the output of a top command?

That information may give persons who look at this more to go on.
 
Old 08-04-2012, 07:02 PM   #3
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

Original Poster
Post output and more...

HI

Code:
 
[iraj@localhost /]$ ps
  PID TTY          TIME CMD
13921 pts/1    00:00:00 bash
14640 pts/1    00:00:00 ps
[iraj@localhost /]$ su
Password: 
[root@localhost /]# ps -A
  PID TTY          TIME CMD
    1 ?        00:00:02 systemd
    2 ?        00:00:00 kthreadd
    3 ?        00:00:02 ksoftirqd/0
    5 ?        00:00:00 kworker/u:0
    6 ?        00:00:00 migration/0
    7 ?        00:00:00 watchdog/0
    8 ?        00:00:00 cpuset
    9 ?        00:00:00 khelper
   10 ?        00:00:00 kdevtmpfs
   11 ?        00:00:00 netns
   12 ?        00:00:00 sync_supers
   13 ?        00:00:00 bdi-default
   14 ?        00:00:00 kintegrityd
   15 ?        00:00:00 kblockd
   16 ?        00:00:00 md
   18 ?        00:00:00 khungtaskd
   19 ?        00:00:03 kswapd0
   20 ?        00:00:00 ksmd
   21 ?        00:00:02 khugepaged
   22 ?        00:00:00 fsnotify_mark
   23 ?        00:00:00 crypto
   27 ?        00:00:00 kthrotld
   28 ?        00:00:00 kworker/u:1
   29 ?        00:00:00 kpsmoused
   31 ?        00:00:00 deferwq
  140 ?        00:00:00 khubd
  141 ?        00:00:00 firewire
  142 ?        00:00:00 ata_sff
  143 ?        00:00:00 scsi_eh_0
  144 ?        00:00:06 scsi_eh_1
  203 ?        00:00:02 jbd2/sda1-8
  204 ?        00:00:00 ext4-dio-unwrit
  230 ?        00:00:00 udevd
  236 ?        00:00:04 systemd-journal
  237 ?        00:00:00 kauditd
  261 ?        00:00:01 flush-8:0
  436 ?        00:00:04 ksysguardd
  656 ?        00:00:00 kio_desktop
  666 ?        00:00:00 kio_file
  669 ?        00:00:00 hci0
  692 ?        00:00:00 kio_desktop
  703 ?        00:00:00 kio_file
  794 ?        00:01:55 smplayer
  880 ?        00:00:00 ttm_swap
 1089 ?        00:00:02 ifplugd
 1099 ?        00:00:09 mount.ntfs-3g
 1132 ?        00:00:02 jbd2/sda6-8
 1133 ?        00:00:00 ext4-dio-unwrit
 1162 ?        00:00:00 pickup
 1320 ?        00:00:00 bluetoothd
 1324 ?        00:00:00 atd
 1335 ?        00:00:00 abrtd
 1336 ?        00:00:00 crond
 1337 ?        00:00:00 systemd-logind
 1340 ?        00:00:00 acpid
 1346 ?        00:00:25 dbus-daemon
 1349 ?        00:00:01 rsyslogd
 1420 ?        00:00:00 krfcommd
 1467 ?        00:00:08 hald
 1469 ?        00:00:00 console-kit-dae
 1548 ?        00:00:02 polkitd
 1573 ?        00:00:00 mdadm
 1597 ?        00:00:00 hald-runner
 1708 ?        00:00:02 NetworkManager
 1763 ?        00:00:00 hald-addon-inpu
 1764 ?        00:00:00 hald-addon-rfki
 1803 ?        00:00:01 hald-addon-stor
 1808 ?        00:00:00 hald-addon-acpi
 1824 ?        00:00:07 hald-addon-stor
 2965 tty5     00:00:00 agetty
 2966 tty6     00:00:00 agetty
 2967 tty1     00:00:00 agetty
 2968 tty4     00:00:00 agetty
 2969 tty3     00:00:00 agetty
 2970 tty2     00:00:00 agetty
 3073 ?        00:00:00 slapd
 3075 ?        00:00:38 snmpd
 3096 ?        00:00:00 kdm
 3110 tty7     00:18:04 X
 3143 ?        00:00:19 preload
 3196 ?        00:00:28 mysqld
 3208 ?        00:00:00 kdm
 3467 ?        00:00:05 modem-manager
 3702 ?        00:00:00 xinetd
 3749 ?        00:00:00 hddtemp
 3782 ?        00:00:00 automount
 3836 ?        00:00:01 proftpd
 3873 ?        00:00:00 master
 4505 ?        00:00:00 startkde
 4563 ?        00:00:00 dbus-launch
 4564 ?        00:00:08 dbus-daemon
 4583 ?        00:00:00 s2u
 4802 ?        00:00:00 start_kdeinit
 4803 ?        00:00:01 kdeinit4
 4804 ?        00:00:00 klauncher
 4806 ?        00:00:37 kded4
 4812 ?        00:00:01 kglobalaccel
 4816 ?        00:00:01 kactivitymanage
 4819 ?        00:00:05 udisks-daemon
 4820 ?        00:00:00 udisks-daemon
 4825 ?        00:00:00 kwrapper4
 4826 ?        00:00:01 ksmserver
 4828 ?        00:00:21 kwin
 4834 ?        00:00:00 knotify4
 4837 ?        00:04:01 plasma-desktop
 4845 ?        00:00:00 kuiserver
 4931 ?        00:00:01 akonadi_control
 4933 ?        00:00:01 akonadiserver
 4935 ?        00:01:50 rosa-launcher
 4937 ?        00:00:27 mysqld
 4966 ?        00:00:03 kaccess
 4982 ?        00:00:00 akonadi_agent_l
 4983 ?        00:00:00 akonadi_birthda
 4984 ?        00:00:00 akonadi_agent_l
 4985 ?        00:00:00 akonadi_agent_l
 4986 ?        00:00:00 akonadi_agent_l
 4987 ?        00:00:00 akonadi_agent_l
 4988 ?        00:00:00 akonadi_maildis
 4989 ?        00:00:00 akonadi_nepomuk
 4995 ?        00:04:22 pulseaudio
 4996 ?        00:00:22 krunner
 4997 ?        00:00:00 rtkit-daemon
 5006 ?        00:00:00 gconf-helper
 5008 ?        00:00:00 gconfd-2
 5044 ?        00:00:02 kwrite
 5052 ?        00:00:02 kmix
 5068 ?        00:00:00 pam-panel-icon
 5069 ?        00:00:00 volumeicon
 5072 ?        00:40:35 sh
 5077 ?        00:00:00 pam_timestamp_c
 5108 ?        00:00:01 korgac
 5110 ?        00:00:00 sh
 5112 ?        00:00:01 python
 5115 ?        00:06:08 draksnapshot-ap
 5118 ?        00:00:00 psyncnotify
 5124 ?        00:00:01 polkit-kde-auth
 5136 ?        00:00:01 klipper
 5138 ?        00:00:00 xsettings-kde
 9063 ?        00:00:00 gvfsd
 9071 ?        00:00:00 gvfs-fuse-daemo
11143 ?        00:00:04 dolphin
11382 ?        00:00:00 kio_trash
11385 ?        00:00:00 kio_file
11404 ?        00:00:00 kio_file
13751 ?        00:00:00 konsole
13921 pts/1    00:00:00 bash
21070 ?        00:00:00 kworker/0:0
21879 pts/1    00:00:00 su
24420 ?        00:00:00 kworker/0:1
24539 pts/1    00:00:00 bash
27174 pts/1    00:00:00 ps
30162 ?        00:00:00 qmgr
30244 ?        00:00:00 nscd
30706 ?        00:00:00 udevd
30712 ?        00:00:00 udevd
31343 ?        00:00:00 kworker/0:2
[root@localhost /]#

I did not see this process in the top command, maybe because processes continuously change position there!
I also attach some screenshots about this now .... there were more attachments ... but the maximum allowed was 3
Attached Images
File Type: png unknownprocess.png (107.8 KB, 4 views)
File Type: png unknownprocess2.png (118.7 KB, 4 views)
File Type: png unknownprocess4.png (116.0 KB, 4 views)

Last edited by unSpawn; 08-10-2012 at 08:17 PM. Reason: //Replace BB email with code tag
 
Old 08-04-2012, 07:14 PM   #4
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

Original Poster
CPU usage is shown 100 percent!

I forgot to mention this:
CPU usage is shown as 100 percent in system monitor, but although the system is not as fast as before, there is no difficulty in working.
Also, I do not know why this is 100 percent, because the sum of the working processes' CPU usage is much, much less than 100.

Last edited by irajjs; 08-04-2012 at 07:16 PM. Reason: correcting a word's spell
 
Old 08-04-2012, 08:35 PM   #5
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, Mint
Posts: 6,903

I'm puzzled.

I do not see an "unknown" process in that list.

I did not look up each one individually, but, at first glance, they all look legit.

If you see a process name you do not recognize, your best bet is to google it. You could also try "man [process name]" to see if there is a man file for that command. For some of them, you might need to run "apropos [process name]" to determine whether and where a man file exists.
 
Old 08-05-2012, 05:27 PM   #6
kakaka
Member
 
Registered: Sep 2003
Posts: 382

Hi irajjs!

I see the phrase "unknown" in the .PNG files you've posted.

If you don't see "unknown" in output from the ps command, it could be that things are changing too quickly in the system, to catch a process with that name.

Or, it may be that "unknown" is not literally the process name, but instead an interpretation of the data by the utility that you're using to display System Activity.

If you can find a man or info page for the utility, it might describe the utility's output enough to mention whether or not the utility will sometimes label something as "unknown".

If you cannot find such a page, perhaps you can track down the program for the utility, then you might be able to determine whether or not the utility contains the phrase "unknown". This approach isn't necessarily definite, because if the utility is pulling in other code, such as from a library, "unknown" might be supplied by a library routine. But if the utility's program contains "unknown" then it might well be just labeling something as "unknown".

In the environment I'm using, if I wanted to find out if ps contains "unknown", I could do something like this. Find the ps program with these commands:

Code:
which ps ;  whereis ps

which for me gives this output:

Code:
/bin/ps
ps: /bin/ps /usr/share/man/man1p/ps.1p.gz

Then to find out what type of program it is, a binary executable, or a shell script, etc., run this command:

Code:
file /bin/ps

in my situation, the output is:

Code:
/bin/ps: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.4, stripped

so it's a binary. If it was a shell script, fgrep could be used directly on it. Since ps is a binary, to look for "unknown" in ps these commands can be used:

Code:
strings -a /bin/ps | fgrep -i unknown | less

which produces this output:

Code:
unknown
Environment specified an unknown personality.
Unknown page size! (assume 4096)
Unknown gnu long option.
Unknown AIX field descriptor.
Unknown sort specifier.
Unknown user-defined format specifier "%s".
Unknown HZ value! (%d) Assume %Ld.

So it looks as if the ps command itself, can label things as "unknown", in one way or another.

If nothing else, you could try a loop in a bash shell to try to catch "unknown" in the ps output, just in case the process name actually does contain "unknown", or ps describes something about the process as "unknown":

Code:
for loop_count in {1..120..1}
do
  ps gaxu | egrep -i '(%CPU)|(unknown)'
  echo ''
  sleep 1
done

Hope this helps.
 
1 members found this post helpful.
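
An added example, not part of the post above or of anyone's code in this thread: the same once-per-second sampling idea, but reading /proc directly and reporting every PID that is new since the previous sample along with its parent, owner, executable and command line, which is what identifies the launcher of something that keeps reappearing under a new ID. `PROC_ROOT`, the `--watch` argument and all function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Polls a /proc tree and reports each
# PID that appeared since the previous sample together with its parent, so a
# process that keeps coming back under a new PID can be traced to its launcher.
# PROC_ROOT and all function names are this example's own (assumptions).
PROC_ROOT="${PROC_ROOT:-/proc}"

# First value of a "Field:<tab>value" line in <pid>/status (empty if gone).
status_field() {
  sed -n "s/^$2:[[:space:]]*//p" "$PROC_ROOT/$1/status" 2>/dev/null |
    head -n 1 | cut -f1
}

# Numeric directory names under PROC_ROOT are the live PIDs.
list_pids() {
  for d in "$PROC_ROOT"/[0-9]*; do
    [ -d "$d" ] && printf '%s\n' "${d##*/}"
  done | sort -n
}

# PIDs listed in file $2 that are absent from file $1.
new_pids() {
  grep -vxF -f "$1" "$2" || true
}

# One tab-separated record: pid uid name ppid parent-name exe cmdline.
# Runs in a subshell so its variables stay local; returns 1 if the PID is gone.
describe_pid() (
  pid="$1"
  [ -r "$PROC_ROOT/$pid/status" ] || exit 1
  name=$(status_field "$pid" Name)
  ppid=$(status_field "$pid" PPid)
  uid=$(status_field "$pid" Uid)            # real UID; 0 means root
  parent=$(status_field "$ppid" Name)
  # exe is a symlink to the binary actually running; kernel threads have none.
  exe=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || exe="-"
  # cmdline is NUL-separated; turn the separators into spaces.
  cmd=$(tr '\000' ' ' 2>/dev/null < "$PROC_ROOT/$pid/cmdline" | sed 's/ *$//')
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    "$pid" "$uid" "$name" "$ppid" "${parent:--}" "$exe" "${cmd:--}"
)

# Sample <count> times, <interval> seconds apart, printing only new PIDs.
watch_new() (
  count="${1:-120}"; interval="${2:-1}"
  prev=$(mktemp); cur=$(mktemp)
  trap 'rm -f "$prev" "$cur"' EXIT
  list_pids > "$prev"
  printf 'PID\tUID\tNAME\tPPID\tPARENT\tEXE\tCMDLINE\n'
  i=0
  while [ "$i" -lt "$count" ]; do
    sleep "$interval"
    list_pids > "$cur"
    for pid in $(new_pids "$prev" "$cur"); do
      describe_pid "$pid" ||
        printf '%s\t(exited before it could be read)\n' "$pid"
    done
    cp "$cur" "$prev"
    i=$((i + 1))
  done
)

# Usage: sh newprocs.sh --watch [count] [interval]   (run as root to read exe)
if [ "${1:-}" = "--watch" ]; then
  watch_new "${2:-120}" "${3:-1}"
fi
```

A process that starts and exits entirely between two samples is still missed by any polling approach; the kernel audit subsystem's execve logging records every launch regardless of how long it lives.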
Old 08-05-2012, 07:16 PM   #7
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, Mint
Posts: 6,903

Nice catch, kakaka!

I must confess that I did not have the energy to look at all the image attachments last night.

I'm inclined to think that the "unknown" has something to do with how the process list is rendered to the screen in the GUI interface and not with any process that is actually taking place in the processor, as it is rendered in the window frame and not in the process list.
 
Old 08-06-2012, 05:50 PM   #8
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

Original Poster
unknown process duplicated !

Hi
Thank you for your attention (both of you, frankbell and kakaka).
Today I noticed that the unknown process was duplicated for some hours, but after shutting down the system one of them had disappeared on the next system run.
I want to remind you of something which I mentioned in my first post:
The unknown process changes its ID each second, so obviously it is not easily studied.
I think that most possibly it is my own script, which I have marked as executable! And if so, then it is ideal!
My system is in its best ever state now, but I just want to make sure that it is not a destroyer virus!
Later I am going to run the codes that you offered.
Right now I am busy with some other problems like "webcam" and "speech" and I am working hard (time is 3.15 am now!).
I will post any new findings about this later.
Regards
 
Old 08-10-2012, 07:45 PM   #9
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

Original Poster
I entered all codes but the last one!

Hi
I entered all codes but the last one, because I guess it might cause the unknown process to sleep, and at this time I do not want to make it sleep because, as I said, it might be my own script, which is OK and does no harm to the computer.
The output was nearly the same as on your PC.
Thanks
 
Old 08-11-2012, 01:01 PM   #10
kakaka
Member
 
Registered: Sep 2003
Posts: 382

Even though it's probably fair to say that Linux systems tend not to be targeted by virus creators as much as MS-Windows systems, if I had even the slightest suspicion that my Linux system might have a virus, I would make finding out a very high priority! The idea that the system currently seems to be running OK, doesn't mean the program is not a virus. Virus programs can be sneaky. A virus could be trying to use your system to infect other systems, before damaging your system, or something else equally bad.

If I thought an "unknown process" might be a program I wrote, I wouldn't try to find out indirectly, by monitoring it. I would simply disable the program, temporarily, and if need be, reboot the system. irajjs, is this program you wrote supposed to re-run itself, or is it run again and again by cron?

irajjs, did you mean that you didn't run this code:

Code:
for loop_count in {1..120..1}
do
  ps gaxu | egrep -i '(%CPU)|(unknown)'
  echo ''
  sleep 1
done

because you thought it might cause the unknown process to sleep? If so, then running the command:

man sleep

would show you what that form of the sleep command does. It doesn't cause other processes to sleep. It's just supposed to cause a delay of 1 second in the program from which it is run. I included it so that there would be a delay between runs of the ps command in the shell loop, within the code I provided.
 
1 members found this post helpful.
Old 08-21-2012, 07:20 AM   #11
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

Original Poster
My own script

Hi
Thank you for your attention and help. By the way, I understood that the unknown process was my own script, so there is no danger of virus or worm or spyware (in this case).
A copy of my script had changed its name and was hidden. I also typed: man unknown and the output was helpful.
Now I think that the problem is solved, but a new question has been created in my mind:
How do I help my script (unknown process) to become fully active and supported and accepted by all my software? Because it contains instructions for updating and upgrading and generally better working of my computer.
Regards
 
Old 08-21-2012, 07:52 PM   #12
kakaka
Member
 
Registered: Sep 2003
Posts: 382

irajjs,

I'm rather confused about the context in which you are working and your objectives.

In message # 8 in this thread, you said:

Quote:
I just want to make sure that it is not a destroyer virus

which made the situation seem to be that you did not know what the "unknown" process was, that it could have been a virus.

Then in message # 11 you said:

Quote:
I understood that the unknown process was my own script so there is no danger of virus

Now you're asking how you get the unknown process to be fully active, supported, and accepted by all your software.

Active in what way?

Supported in what way?

Accepted in what way?

What does the script you wrote do, that it needs to be supported and accepted by other software?
 
Old 09-04-2012, 08:50 PM   #13
irajjs
Member
 
Registered: Jan 2010
Location: Iran
Distribution: Mandriva 2012
Posts: 157
Blog Entries: 1

Original Poster
steps forward!

Hi
Message #11 came after message #8, nearly a week later, so there has been progress in my understanding.
I want my script to be the main core program in my PC.
 
  

