LinuxQuestions.org

Strange process found (Bluetooth kernel module, s2u) (https://www.linuxquestions.org/questions/linux-newbie-8/strange-process-found-bluetooth-kernel-module-s2u-874016/)

robeich 04-09-2011 01:25 PM

Strange process found (Bluetooth kernel module, s2u)

Had a look at the processes of my computer with ps ax
and found a bluetooth process even though I don't have bluetooth!
That process had high priority and I was not able to kill it anyhow!
Had to reboot to get rid of it.

7165 ? S< 0:00 [bluetooth]
8712 ? Ss 0:00 /usr/sbin/mandi -d
12811 ? Sl 0:05 kdeinit4: konsole [kdeinit]

My question: what or who could have started that process?
Ran chkrootkit, nothing found.
Hmmm.

vtel57 04-09-2011 01:44 PM

That is a normal process. It was started when you booted up. I'm not positive how this works in Mandriva, but you should be able to go to /etc/rc.d and remove the x permissions of the bluetooth init script to get it to stop loading on boot.

Code:

# chmod -x /etc/rc.d/bluetooth

Stand by for advice from someone more familiar with Mandriva who can confirm my method or give you a better one.

Luck!

~Eric

robeich 04-10-2011 10:19 AM

Thanks Eric,
but why was this process just appearing once?
There had been no changes to the configuration, no new programs installed
or installed programs removed.
What makes me concerned is that this process never happened before or afterwards; I booted
several times in the meantime and that process never appeared again!
So, my question refined:
Is there any way to figure out what minstrel has started that process?
An accidentally pressed button at my computer?
Can this process be started externally from another machine?
thanks
robeich

robeich 04-10-2011 10:55 AM

Had a look at /etc/rc.d, there is no bluetooth, hmmm

vtel57 04-10-2011 12:30 PM

Hi robeich...

Bluetooth is a proprietary open wireless technology standard. It's included in most Linux distributions and usually starts automatically. The operating system assumes you have/use Bluetooth devices. It's been a long time since I ran Mandriva on any of my systems, so I can't remember how their daemons are started at boot.

The Bluetooth daemon that you see starting on your system is harmless. However, there definitely is a way to prevent it from starting. I just don't know for sure how to do it. You could try this --> http://wiki.mandriva.com/fr/Service <-- that is the drakxservices doc page at the Mandriva wiki. Unfortunately, it's only in French. You can see from the picture, though, that you can disable and enable services using the drakxservices tool.

Give that a shot. Be careful what you turn off. You may need some of that stuff for your system to work properly. As far as the bluetooth goes, though, if you're not running any Bluetooth devices, you can probably safely disable that one.

Luck!

~Eric

unSpawn 04-10-2011 01:08 PM

Quote:

Originally Posted by vtel57 (Post 4319340)
That is a normal process. It was started when you booted up.

Please keep in mind that guessing the purpose of a process solely from an arbitrary string can be misleading as changing argv[0] is trivial. (And saying something is "harmless" may seem harmless to you but strictly speaking you have no evidence at all this is the case.)

In this case the square brackets around the "bluetooth" string should denote this as a kernel thread but only if its parent PID is equal to the PID of the "kthread" kernel process. When I run internal or external Bluetooth devices and bluetooth services on two separate machines with different 2.6 kernels I don't see any "[bluetooth]" thread BTW.

vtel57 04-10-2011 01:50 PM

Well, you definitely seem more knowledgeable on this subject than I am. Thanks for stepping in with clarification. If you can help the original poster, please do. I'll step aside.

Regards,

~Eric

unSpawn 04-10-2011 05:48 PM

Quote:

Originally Posted by robeich (Post 4320022)
Is there any way to figure out what minstrel has started that process?

Best check your system logs up to the time you encountered the Bluetooth kernel thread in the process list. Does your machine have an internal BT device or an external one? Do you connect, or did you try to configure, any external BT devices (mouse, audio, phone, etc) or do you use Bluetooth for networking (PAN)?

robeich 04-11-2011 04:56 AM

I checked /var/log/messages and /var/log/security.log.
I checked again and found this:

Apr 8 10:59:38 hpsmall ifplugd(eth0)[1388]: Link beat lost.
Apr 8 10:59:38 hpsmall klogd: tg3: eth0: Link is up at 100 Mbps, full duplex.
Apr 8 10:59:38 hpsmall klogd: tg3: eth0: Flow control is on for TX and on for RX.
Apr 8 10:59:39 hpsmall ifplugd(eth0)[1388]: Link beat detected.
Apr 8 10:59:57 hpsmall klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=47 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3072 DPT=514 LEN=27
Apr 8 10:59:57 hpsmall klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=3072 DPT=514 LEN=57
Apr 8 10:59:58 hpsmall net_applet[5014]: running: /usr/sbin/drakids
Apr 8 10:59:58 hpsmall drakids[8886]: ### Program is starting ###
Apr 8 11:00:01 hpsmall CROND[8892]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
Apr 8 11:00:01 hpsmall msec: A sniffer is probably running on your system.
Apr 8 11:00:01 hpsmall msec: Security warning : eth0 is in promiscuous mode.
Apr 8 11:00:01 hpsmall msec: A sniffer is probably running on your system.


The computer is an HP thin client, hpt5730, and I just had a look at the hardware manual
and there is no bluetooth mentioned.
As well, I have to say again there is no bluetooth device connected to this computer.
And I had a look at Software management in the Control Center and realized I did
not have any bluetooth software installed!

What the hell is going on on my machine, how did they come through the first firewall of my netgear MBR624GU?
hmmm
thanks
robeich

robeich 04-11-2011 08:39 AM

Just realized that I'm using tcpdump, that's probably my sniffer!

As well I found this in /var/log/messages:

Apr 8 10:39:54 hpsmall klogd: Bluetooth: Core ver 2.15
Apr 8 10:39:54 hpsmall klogd: NET: Registered protocol family 31
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI device and connection manager initialized
Apr 8 10:39:54 hpsmall klogd: Bluetooth: HCI socket layer initialized
Apr 8 10:39:54 hpsmall klogd: device eth0 entered promiscuous mode
Apr 8 10:39:54 hpsmall klogd: device eth0 left promiscuous mode

Now I'm totally confused, is there bluetooth at my hp thin client without the knowledge of anybody or ?????

now I feel a little bit dizzy
robeich

unSpawn 04-11-2011 10:14 AM

Running 'lspci; lsusb' should show.

robeich 04-12-2011 04:11 AM

Thanks unSpawn, here is the result:

00:00.0 Host bridge: ATI Technologies Inc RS690 Host Bridge
00:01.0 PCI bridge: ATI Technologies Inc RS690 PCI to PCI Bridge (Internal gfx)
00:04.0 PCI bridge: ATI Technologies Inc Device 7914
00:13.0 USB Controller: ATI Technologies Inc SB600 USB (OHCI0)
00:13.1 USB Controller: ATI Technologies Inc SB600 USB (OHCI1)
00:13.2 USB Controller: ATI Technologies Inc SB600 USB (OHCI2)
00:13.3 USB Controller: ATI Technologies Inc SB600 USB (OHCI3)
00:13.4 USB Controller: ATI Technologies Inc SB600 USB (OHCI4)
00:13.5 USB Controller: ATI Technologies Inc SB600 USB Controller (EHCI)
00:14.0 SMBus: ATI Technologies Inc SBx00 SMBus Controller (rev 14)
00:14.1 IDE interface: ATI Technologies Inc SB600 IDE
00:14.2 Audio device: ATI Technologies Inc SBx00 Azalia (Intel HDA)
00:14.3 ISA bridge: ATI Technologies Inc SB600 PCI to LPC Bridge
00:14.4 PCI bridge: ATI Technologies Inc SBx00 PCI to PCI Bridge
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:05.0 VGA compatible controller: ATI Technologies Inc RS690M [Radeon X1200 Series]
02:00.0 Ethernet controller: Broadcom Corporation NetLink BCM5787M Gigabit Ethernet PCI Express (rev 02)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0d49:7310 Maxtor
Bus 001 Device 003: ID 04fc:0c25 Sunplus Technology Co., Ltd SATALink SPIF225A
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

It seems no bluetooth hmmm
robeich

robeich 04-12-2011 10:57 AM

Now it's getting HOT.
That bluetooth process appeared again:

9748 ? S 0:00 kdeinit4: kio_file [kdeinit] file local:/home/rob/tmp/ksocket-rob/klauncherMT3116.slave-socket local:/home/rob/tmp/ksocket-rob/dolphinLf3749.slave-socket
14321 ? S< 0:00 [bluetooth]
14607 ? Sl 0:01 kdeinit4: konsole [kdeinit]
14610 pts/2 Ss 0:00 /bin/bash
14638 pts/2 S 0:00 su
14671 pts/2 S 0:00 bash
14980 ? S 0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/home/rob/tmp/ksocket-rob/klauncherMT3116.slave-socket local:/home/rob/tmp/ksocket-rob/dolphinzY3749.slave-socke
15143 pts/2 R+ 0:00 ps ax

and now the HIT:
a red box with white letters right on top of the date and time appeared for about 2 seconds and told me: leave or restart computer

and I got another new strange process:

2023 ? Ss 0:00 s2u --daemon=yes

uiuiui
robeich

nomb 04-12-2011 11:56 AM

What do those processes' /proc directories look like?

cwd = current working directory of the process
exe = copy of the executable
fd = open file descriptors

Or how about lsof's of the processes?

nomb

unSpawn 04-13-2011 12:52 AM

Quote:

Originally Posted by robeich (Post 4321994)
It seems no bluetooth hmmm

Agree.


Quote:

Originally Posted by robeich (Post 4322286)
Code:

14321 ?        S<    0:00 [bluetooth]

Next time try listing processes with '/bin/ps axfwwwo pid,ppid,pgid,sid,sess,uid,cmd --sort=ppid' as that provides more info. In addition to the ls-like commands above, try running 'lsmod; grep -r /etc/modprobe.conf /etc/modprobe.d -e bluetooth 2>/dev/null' as that would show if any BT modules are configured or getting loaded.


Quote:

Originally Posted by robeich (Post 4322286)
a red box with white letters right in top of date and time appeared for about 2 seconds told me:leave or restart computer

This might be an update process. Check your distribution's (automated) update procedures.


Quote:

Originally Posted by robeich (Post 4322286)
and I got another new strange process:
Code:

2023 ?        Ss    0:00 s2u --daemon=yes

Given a process name you might try 'which s2u; locate s2u; whatis s2u' and given its PID you might try 'lsof -Pwln [PID]' to gather info.
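A check that puts unSpawn's kernel-thread criterion (the parent must be kthreadd) and nomb's /proc suggestion into code; this is an added example, not code posted by anyone in the thread. It parses a listing in the layout of the ps command unSpawn suggests (constructed sample, not the thread's machine) and, for a live PID, reads /proc/PID/cmdline and /proc/PID/exe, which a genuine kernel thread leaves empty and unreadable; it assumes a 2.6-style kernel where kthreadd exists.

```python
import os
import re

# Constructed sample in the layout of 'ps axwwwo pid,ppid,pgid,sid,sess,uid,cmd --sort=ppid'.
# Not output from the thread's machine: PIDs 7165 and 14321 are borrowed from it, the rest is made up.
SAMPLE_PS = """\
  PID  PPID  PGID   SID  SESS   UID CMD
    1     0     1     1     1     0 /sbin/init
    2     0     0     0     0     0 [kthreadd]
 7165     2     0     0     0     0 [bluetooth]
 8712     1  8712  8712  8712     0 /usr/sbin/mandi -d
14321  8712 14321 14321 14321  1000 [bluetooth]
"""
BRACKETED = re.compile(r"^\[[^\]]+\]$")

def parse_ps(text):
    """Return (pid, ppid, uid, cmd) tuples from a ps listing that starts with a header row."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        pid, ppid, _pgid, _sid, _sess, uid, cmd = parts
        # 'ps axf' prefixes children with ' \_ ' tree art; drop it before matching the name
        rows.append((int(pid), int(ppid), int(uid), cmd.strip().lstrip(" \\_|")))
    return rows

def kernel_thread_lookalikes(rows):
    """PIDs named '[...]' whose parent is not kthreadd or whose UID is not 0: real kernel
    threads are all children of kthreadd (itself parented by PID 0) and run as root, so a
    user process that merely set its argv[0] to '[bluetooth]' fails one of the two tests."""
    kthreadd = next((pid for pid, _, _, cmd in rows if cmd == "[kthreadd]"), None)
    return [pid for pid, ppid, uid, cmd in rows
            if BRACKETED.match(cmd) and cmd != "[kthreadd]" and (ppid != kthreadd or uid != 0)]

def proc_evidence(pid):
    """Live /proc check: a kernel thread has an empty cmdline and no readable exe link.
    Returns (has_cmdline, exe_target); exe_target is None on ENOENT (kernel thread) and on
    EACCES (another user's process when not root). Returns None if the PID is gone/unreadable."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            has_cmdline = len(fh.read()) > 0
    except OSError:
        return None
    try:
        exe = os.readlink(f"/proc/{pid}/exe")  # ends in ' (deleted)' if the binary was unlinked
    except OSError:
        exe = None
    return has_cmdline, exe
```

Run `kernel_thread_lookalikes(parse_ps(SAMPLE_PS))` to get the flagged PIDs (14321 in the sample) and feed each to `proc_evidence` on the live box; a process name alone, as unSpawn notes, proves nothing.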

