Strange process found (Bluetooth kernel module, s2u)
Had a look at the processes on my computer with ps ax
and found a bluetooth process even though I don't have bluetooth! That process had high priority and I was not able to kill it anyhow! Had to reboot to get rid of it.

Code:
 7165 ?        S<     0:00 [bluetooth]
 8712 ?        Ss     0:00 /usr/sbin/mandi -d
12811 ?        Sl     0:05 kdeinit4: konsole [kdeinit]

My question: what or who can have started that process? Had a chkrootkit, nothing found. Hmmm.
That is a normal process. It was started when you booted up. I'm not positive how this works in Mandriva, but you should be able to go to /etc/rc.d and remove the x permissions of the bluetooth init script to get it to stop loading on boot.
Code:
# chmod -x /etc/rc.d/bluetooth

Luck!
~Eric
Thanks Eric,
but why did this process appear just once? There have been no changes to the configuration, no new programs installed or installed programs removed. What concerns me is that this process never happened before or afterwards; I booted several times in the meantime and that process never appeared again! So, my question refined: Is there any way to figure out what minstrel started that process? An accidentally pressed button on my computer? Can this process be started externally from another machine?
thanks
robeich
Had a look at /etc/rc.d; there is no bluetooth, hmmm
Hi robeich...
Bluetooth is a proprietary open wireless technology standard. It's included in most Linux distributions and usually starts automatically. The operating system assumes you have/use Bluetooth devices. It's been a long time since I ran Mandriva on any of my systems, so I can't remember how their daemons are started at boot. The Bluetooth daemon that you see starting on your system is harmless. However, there definitely is a way to prevent it from starting. I just don't know for sure how to do it. You could try this --> http://wiki.mandriva.com/fr/Service <-- that is the drakxservices doc page at the Mandriva wiki. Unfortunately, it's only in French. You can see from the picture, though, that you can disable and enable services using the drakxservices tool. Give that a shot. Be careful what you turn off. You may need some of that stuff for your system to work properly. As far as the bluetooth goes, though, if you're not running any Bluetooth devices, you can probably safely disable that one.

Luck!
~Eric
In this case the square brackets around the "bluetooth" string should denote this as a kernel thread, but only if its parent PID is equal to the PID of the "kthread" kernel process. When I run internal or external Bluetooth devices and bluetooth services on two separate machines with different 2.6 kernels I don't see any "[bluetooth]" thread, BTW.
Well, you definitely seem more knowledgeable on this subject than I am. Thanks for stepping in with clarification. If you can help the original poster, please do. I'll step aside.

Regards,
~Eric
I checked /var/log/messages and /var/log/security.log.
I checked again and found this:

Code:
Apr 8 10:59:38 hpsmall ifplugd(eth0)[1388]: Link beat lost.
Apr 8 10:59:38 hpsmall klogd: tg3: eth0: Link is up at 100 Mbps, full duplex.
Apr 8 10:59:38 hpsmall klogd: tg3: eth0: Flow control is on for TX and on for RX.
Apr 8 10:59:39 hpsmall ifplugd(eth0)[1388]: Link beat detected.
Apr 8 10:59:57 hpsmall klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=47 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3072 DPT=514 LEN=27
Apr 8 10:59:57 hpsmall klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=3072 DPT=514 LEN=57
Apr 8 10:59:58 hpsmall net_applet[5014]: running: /usr/sbin/drakids
Apr 8 10:59:58 hpsmall drakids[8886]: ### Program is starting ###
Apr 8 11:00:01 hpsmall CROND[8892]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
Apr 8 11:00:01 hpsmall msec: A sniffer is probably running on your system.
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
Apr 8 11:00:01 hpsmall msec: A sniffer is probably running on your system.

The computer is an HP thin client hpt5730, and I just had a look at the hardware manual, and there is no bluetooth mentioned. As well, I have to say again there is no bluetooth device connected to this computer. And I had a look at Software Management in the Control Center and realized I did not have any bluetooth software installed! What the hell is going on on my machine; how did they come through the first firewall of my Netgear MBR624GU? hmmm
thanks
robeich
Just realized that I'm using tcpdump; that's probably my sniffer!
As well, I found this in /var/log/messages:

Code:
Apr 8 10:39:54 hpsmall klogd: Bluetooth: Core ver 2.15
Apr 8 10:39:54 hpsmall klogd: NET: Registered protocol family 31
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI device and connection manager initialized
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI socket layer initialized
Apr 8 10:39:54 hpsmall klogd: device eth0 entered promiscuous mode
Apr 8 10:39:54 hpsmall klogd: device eth0 left promiscuous mode

Now I'm totally confused. Is there bluetooth on my HP thin client without the knowledge of anybody, or ????? Now I feel a little bit dizzy.
robeich
Running 'lspci; lsusb' should show.
thanks unSpawn, here is the result:

Code:
00:00.0 Host bridge: ATI Technologies Inc RS690 Host Bridge
00:01.0 PCI bridge: ATI Technologies Inc RS690 PCI to PCI Bridge (Internal gfx)
00:04.0 PCI bridge: ATI Technologies Inc Device 7914
00:13.0 USB Controller: ATI Technologies Inc SB600 USB (OHCI0)
00:13.1 USB Controller: ATI Technologies Inc SB600 USB (OHCI1)
00:13.2 USB Controller: ATI Technologies Inc SB600 USB (OHCI2)
00:13.3 USB Controller: ATI Technologies Inc SB600 USB (OHCI3)
00:13.4 USB Controller: ATI Technologies Inc SB600 USB (OHCI4)
00:13.5 USB Controller: ATI Technologies Inc SB600 USB Controller (EHCI)
00:14.0 SMBus: ATI Technologies Inc SBx00 SMBus Controller (rev 14)
00:14.1 IDE interface: ATI Technologies Inc SB600 IDE
00:14.2 Audio device: ATI Technologies Inc SBx00 Azalia (Intel HDA)
00:14.3 ISA bridge: ATI Technologies Inc SB600 PCI to LPC Bridge
00:14.4 PCI bridge: ATI Technologies Inc SBx00 PCI to PCI Bridge
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:05.0 VGA compatible controller: ATI Technologies Inc RS690M [Radeon X1200 Series]
02:00.0 Ethernet controller: Broadcom Corporation NetLink BCM5787M Gigabit Ethernet PCI Express (rev 02)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0d49:7310 Maxtor
Bus 001 Device 003: ID 04fc:0c25 Sunplus Technology Co., Ltd SATALink SPIF225A
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

It seems no bluetooth, hmmm
robeich
Now it's getting HOT
That bluetooth process appeared again:

Code:
 9748 ?        S      0:00 kdeinit4: kio_file [kdeinit] file local:/home/rob/tmp/ksocket-rob/klauncherMT3116.slave-socket local:/home/rob/tmp/ksocket-rob/dolphinLf3749.slave-socket
14321 ?        S<     0:00 [bluetooth]
14607 ?        Sl     0:01 kdeinit4: konsole [kdeinit]
14610 pts/2    Ss     0:00 /bin/bash
14638 pts/2    S      0:00 su
14671 pts/2    S      0:00 bash
14980 ?        S      0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/home/rob/tmp/ksocket-rob/klauncherMT3116.slave-socket local:/home/rob/tmp/ksocket-rob/dolphinzY3749.slave-socke
15143 pts/2    R+     0:00 ps ax

And now the HIT: a red box with white letters right on top of the date and time appeared for about 2 seconds and told me: leave or restart computer. And I got another new strange process:

Code:
 2023 ?        Ss     0:00 s2u --daemon=yes

uiuiui
robeich
What do those processes' /proc directories look like?

cwd = current working directory of the process
exe = copy of the executable
fd = open file descriptors

Or how about lsof's of the processes?
nomb
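Pulling unSpawn's kernel-thread test and nomb's /proc checklist together, here is an added shell script (not code from anyone in the thread). It treats a "[bluetooth]" entry as a kernel thread only when its parent is the kthreadd kernel process (the kernel thread daemon, usually PID 2 on current kernels), and then prints cwd, exe and the open fds. This matters because a user-space program can rewrite its argv to look like "[bluetooth]", but it cannot fake its parent and it cannot hide its /proc/<pid>/exe link, which real kernel threads do not have. The status texts embedded at the end are constructed samples modelled on the poster's ps output, not real captures; the live functions assume a Linux /proc.

```shell
#!/bin/sh
# Added example, not from the thread: tell a real kernel thread from a process
# that merely calls itself "[bluetooth]", then dump what nomb asked for.
# Rule (unSpawn): the brackets only mean "kernel thread" if the parent is the
# kthreadd kernel process (usually PID 2). A user-space program can rewrite its
# argv to look like "[bluetooth]", but it cannot fake its parent or hide its
# /proc/<pid>/exe link, which kernel threads do not have.

# Print one field (e.g. PPid) from /proc/<pid>/status-style text on stdin.
status_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Classify from two status texts: $1 = the process, $2 = its parent.
# Taking text rather than a PID keeps the logic testable without a live /proc.
classify_by_status() {
    name=$(printf '%s\n' "$1" | status_field Name)
    pname=$(printf '%s\n' "$2" | status_field Name)
    if [ "$name" = "kthreadd" ] || [ "$pname" = "kthreadd" ]; then
        echo "kernel-thread"
    else
        echo "user-process"
    fi
}

# Live wrapper: read the status of a PID and of its parent from /proc.
classify_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "no-such-pid"; return 1; }
    ppid=$(status_field PPid < "/proc/$pid/status")
    classify_by_status "$(cat "/proc/$pid/status")" \
                       "$(cat "/proc/$ppid/status" 2>/dev/null)"
}

# The /proc items nomb listed. readlink fails for kernel threads, so "<none>"
# next to "kernel-thread" is expected; "<none>" next to "user-process" means
# you lack permission (run as root) or the process is exiting.
dump_proc() {
    pid=$1
    echo "pid $pid: $(classify_pid "$pid")"
    echo "  cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '<none>')"
    echo "  exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '<none>')"
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue          # empty dir leaves the glob unexpanded
        echo "  fd $(basename "$fd") -> $(readlink "$fd" 2>/dev/null)"
    done
}

# Constructed status texts modelled on the poster's ps output (not real captures).
SAMPLE_BT='Name:   bluetooth
State:  S (sleeping)
Pid:    14321
PPid:   2'
SAMPLE_KTHREADD='Name:   kthreadd
Pid:    2
PPid:   0'
SAMPLE_S2U='Name:   s2u
Pid:    2023
PPid:   1'
SAMPLE_INIT='Name:   init
Pid:    1
PPid:   0'

# Usage: sh classify_proc.sh <pid>    (e.g. the PID shown for [bluetooth] in ps ax)
if [ -n "${1:-}" ]; then
    dump_proc "$1"
fi
```

Run it as root against the PID from ps ax: a genuine kernel thread prints "kernel-thread" with no cwd, exe or fds, whereas "user-process" with a readable exe path is something worth comparing against your package manager's file list. For the s2u daemon the same dump gives the binary path and the sockets it holds, which is the quickest way to see what it is.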