LinuxQuestions.org > Linux Forums > Linux - Security
What is this process?

#1  harken (Member, registered Jan 2005, Debian Sarge, kernel 2.6.13)  04-03-2005, 01:33 PM

I just ran a 'ps aux' (after a long time of ignoring it) and I noticed that among the processes there is one called "-:0" (except for the quotes). It actually looks like this:
Code:
root      3630  0.0  0.0  1576  456 tty6     Ss+  20:56   0:00 /sbin/getty 38400 tty6
root      3743  0.0  0.2  3216 1336 ?        S    20:56   0:00 -:0
harken    3829  0.0  0.2  3904 1328 ?        S    20:56   0:00 /bin/sh  usr/bin/x-session-manager
As I said, I ignored some basic security checks for a while (I know, shame on me), but I don't remember seeing this until now. Is it normal?
chkrootkit returns clean output, so does rkhunter except for:
Code:
Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.udevdb
/dev/.static
/etc/.pwd.lock
/etc/.java
---------------
Please inspect:  /dev/.udevdb (directory)  /dev/.static (directory)  /etc/.java (directory)
I didn't see anything special in the logs. So, should I be worried about it?
 
#2  Capt_Caveman (Senior Member, registered Mar 2003, Fedora)  04-03-2005, 02:19 PM
Re: What is this process?

Quote:
Originally Posted by harken
I just ran a 'ps aux' (after a long time of ignoring it) and I noticed that among the processes there is one called "-:0" (except for the quotes) ... Is it normal?

I believe that's just the X server. If you were to start another instance, it would appear as :1. Any time you need to verify a process like that, you can look up information on the process in /proc/<PID>. In this case, just take a look at /proc/3743/cmdline.

Quote:
Originally Posted by harken
chkrootkit returns clean output, so does rkhunter except for:
Code:
Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.udevdb
/dev/.static
/etc/.pwd.lock
/etc/.java
---------------
Please inspect:  /dev/.udevdb (directory)  /dev/.static (directory)  /etc/.java (directory)
I didn't see anything special in the logs. So, should I be worried about it?

Chkrootkit flags any hidden files or dirs that it finds outside of the home directory portions of the filesystem. So this causes a lot of false positives. Those appear to be normal, but it's usually a good idea to look at the contents just to be sure.
 
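As an added example, not posted by anyone in this thread, here is a small POSIX shell script that does what Capt_Caveman recommends for the rkhunter warning above: look at each hidden entry instead of waving it through. It lists every dot-entry under the given directories with type, owner, mode and mtime, then singles out the two kinds a practitioner would actually chase: hidden regular files that are executable, and, on a Debian system like the poster's, hidden files that no installed package claims (dpkg -S). Directories such as /dev/.udevdb are only listed; their contents are judged by the same rules one level down. The function names and the default directory list are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the dot-entries that the
# rootkit scanners flag instead of dismissing them. Prints type, owner, mode
# and mtime for each, and singles out the two cases worth real attention:
# hidden regular files that are executable, and (on Debian) hidden files
# that no installed package claims.

# hidden_entries DIR... : every entry whose name starts with "." up to 3 levels deep
hidden_entries() {
    find "$@" -mindepth 1 -maxdepth 3 -name '.*' 2>/dev/null
}

# describe_hidden DIR... : one line per entry, like ls -ld but with the mtime spelled out
describe_hidden() {
    hidden_entries "$@" | while IFS= read -r f; do
        stat -c '%F %U:%G %a %y %n' "$f" 2>/dev/null
    done
}

# suspicious_hidden DIR... : hidden regular files that are executable, or that
# no package owns (dpkg -S is only consulted when dpkg is installed)
suspicious_hidden() {
    hidden_entries "$@" | while IFS= read -r f; do
        [ -f "$f" ] || continue   # directories (/dev/.udevdb, /etc/.java) are judged by their contents
        if [ -x "$f" ]; then
            echo "executable: $f"
        elif command -v dpkg >/dev/null 2>&1 && ! dpkg -S "$f" >/dev/null 2>&1; then
            echo "unpackaged: $f"
        fi
    done
}

# Usage: sh hidden_audit.sh [DIR...]   (defaults to the places rkhunter complained about)
[ $# -gt 0 ] || set -- /dev /etc
describe_hidden "$@"
suspicious_hidden "$@"
```

Run it as root so that /dev and /etc are fully readable. An "executable:" hit under /dev or /etc, or an "unpackaged:" hit for something you cannot account for, is what deserves a closer look, not the mere fact that a name starts with a dot: a Java runtime keeps its system preferences under /etc/.java, and /etc/.pwd.lock is the lock file glibc's lckpwdf() creates, so both will show up as unpackaged on a clean system.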
#3  harken (Original Poster)  04-04-2005, 05:22 AM
Well, 'cat /proc/3662/cmdline' (it has another PID each boot, it probably doesn't matter anyhow) returns
Code:
-:0
Still seems strange to me.
Also, isn't the X server represented by
Code:
root      3623  3.7  3.6 20216 18732 ?       S    12:57   0:42 /usr/X11R6/bin/X -nolisten tcp -auth /var/run/xauth
?

Not to mention that my XP install seems to have problems as well: no matter what URL I type in the address bar (FF or IE, regardless), it only displays a page that says "MONSTER", and the page's title is "Babilon computers". Anyway, I have to google this; I haven't had time so far to do it.
 
#4  harken (Original Poster)  04-04-2005, 06:09 AM
An update: a 'pstree -p' tells me that the process is actually called kdm and it belongs to XFree86. It looks like this:
Code:
├─kdm(3620)─┬─XFree86(3623)
│           └─kdm(3662)───x-session-manag(3840)+
│                                               └─ssh-age+
'ps aux' saying
Code:
root      3662  0.0  0.2  3216 1332 ?        S    12:57   0:00 -:0
So, Capt_Caveman, it looks like you were right, but I still need a confirmation that everything is alright (maybe I'm a bit paranoid though) due to the output of 'cat /proc/NNNN/cmdline' as shown before.

And does anybody have any ideas on the other, XP problem? Google didn't reveal anything so far.
 
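The check Capt_Caveman describes in #2, together with the parent chain harken pulled out with pstree in #4, as an added example that is not code from the thread. The point it makes: 'ps aux' and /proc/<pid>/cmdline both show argv, and a process may overwrite its own argv (the kdm child that shows up as "-:0" is a case of that), whereas /proc/<pid>/exe, the Name and Uid lines of /proc/<pid>/status, and the PPid chain are maintained by the kernel and cannot be dressed up by the process. The PID in the usage line is the one from the thread; the function names and output layout are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check a PID against /proc.
# What 'ps' prints is argv, which the process itself controls (the kdm
# per-display child in the thread shows up as "-:0"); the fields below come
# from the kernel and cannot be rewritten by the process.

# proc_field PID NAME : value of the "NAME:" line in /proc/PID/status
proc_field() {
    awk -v k="$2:" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' \
        "/proc/$1/status" 2>/dev/null
}

# proc_cmdline PID : argv as ps shows it; the NUL separators become spaces
proc_cmdline() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline" | sed 's/ *$//'
}

# proc_exe PID : the binary actually mapped as the program image. Reading the
# link needs the process's uid or root; the kernel appends "(deleted)" when
# the file on disk has been removed or replaced since the process started.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# proc_ancestry PID : PPid chain from PID up to init, e.g. "3662 3620 1"
proc_ancestry() {
    pid=$1
    chain=""
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        chain="$chain $pid"
        [ "$pid" -eq 1 ] && break
        pid=$(proc_field "$pid" PPid)
    done
    printf '%s\n' "${chain# }"
}

# inspect_pid PID : comm/cmdline (forgeable) next to exe/uid/ancestry (not)
inspect_pid() {
    p=$1
    [ -d "/proc/$p" ] || { echo "no such pid: $p" >&2; return 1; }
    echo "pid:      $p"
    echo "comm:     $(proc_field "$p" Name)"
    echo "cmdline:  $(proc_cmdline "$p")"
    echo "exe:      $(proc_exe "$p")"
    echo "cwd:      $(readlink "/proc/$p/cwd" 2>/dev/null)"
    echo "uid:      $(proc_field "$p" Uid)"
    echo "ancestry: $(proc_ancestry "$p")"
}

# Usage: sh inspect_pid.sh 3662   (the "-:0" entry from the thread; 3620 is its kdm parent)
for p in "$@"; do
    inspect_pid "$p"
    echo
done
```

For the thread's process this gives cmdline "-:0", comm "kdm", exe resolving to the installed kdm binary, uid 0 and ancestry "3662 3620 1", the same picture pstree gave. What is worth escalating is a process whose exe points into /tmp or at a "(deleted)" file, whose exe and comm disagree, or whose parent is not where it should be, not an unfamiliar argv on its own.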
#5  pAn1k (Member, registered Jun 2004, Suse 10.0; Debian 5.0 (Lenny) Fluxbox)  04-04-2005, 07:32 PM
As for the XP problem, are you by any chance going through a proxy or something?
 
#6  Capt_Caveman (Senior Member)  04-04-2005, 11:17 PM
Sounds completely normal. I remember thinking it was strange the first time I saw it as well. As for the XP system, it could be a trojan, but a malicious proxy sounds very possible too. I'd do an antivirus scan and run a spyware remover like Ad-Aware.
 
#7  harken (Original Poster)  04-05-2005, 05:23 AM
Indeed, the Win problem turned out to be spyware (I'm not sure if it's WebHancer, New.Net or CommonName, but one of them). It affects Windows' LSP, making any kind of web connection impossible.
Right now I'm downloading a fix-it tool (LSPFix, if anyone has heard of it) and if it doesn't work... I'll have to do it manually: uninstall and reinstall Windows' communication support and some other stuff. I mention this just in case someone else has the same problem.

Anyway, thanks Capt_Caveman for the tips and for making my fears go away. Also thanks to pAn1k for taking the time.