Thread: Suspicious activity in Linux!

  1. #1
    Yarin (Unregistered User), Join Date: Jul 2007, Posts: 2,158

    Suspicious activity in Linux!

    For the 3rd time in 2 months, this has happened...

    Two processes pop up in my process list (in System Activity, Ctrl+Esc). They have no name, or command string. Their owner is "root, -1" (no other processes running have "-1" in their user string). Their CPU usage is reported as "unknown". I can't kill them, because they are constantly going away, and popping back up (which effectively revives them, and changes their PID). In the coming up/going away shuffle, sometimes System Activity will report 3 processes being there (but it's almost always 2).

    I have a dual core, so when a program maxes out the CPU, it'll only use one core, which is nice when things misbehave. But my CPU usage widgets are showing that these processes are consistently using about 3/4 of both cores at the same time. (Makes sense, right? 2 processes, 2 cores)

    This goes on for about 5 minutes then stops. And there seems to be no apparent reason why this happens, I can't think of anything that I do that might trigger it. The first time it happened was not too soon after I installed my OS, so the first time could've been triggered by that (if it's nice), or by the installation of a bad package (if it's not nice).

    This is so un-Linux-like, which makes me that much more uneasy about it.
    Anyone have any idea what could be going on? Or how to get more information about how certain processes came about?

    Thanks,
    Yarin

  2. #2
    brewbuck (Officially An Architect), Join Date: Mar 2007, Location: Portland, OR, Posts: 7,396
    If the processes stick around long enough, try the following:

    Code:
    cat /proc/XXX/maps
    Where XXX is the PID of one of the processes. The actual binary file which is running should show up in the list somewhere. (This is a general way to determine what a program is, if it has changed its argument list to try to hide itself)
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}
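    Added example (not brewbuck's or the thread's code): a small POSIX shell script that applies the /proc/XXX/maps advice above and also reads the exe link, comm and uid/gid of the same PID from /proc. It assumes a standard Linux /proc (comm needs Linux 2.6.33 or later) and, with no argument, inspects the current shell itself.

```shell
#!/bin/sh
# Added example, not from the thread: identify a process whose name and
# argument list are blank by reading /proc directly. /proc/PID/maps lists
# every file mapped into the process, so the running executable shows up
# there even if the program overwrote its argv[0] to hide itself.
# Assumes a standard Linux /proc; your own processes need no root, other
# users' processes do.

# On-disk executable behind /proc/PID/exe. A " (deleted)" suffix in the
# result means the binary was removed from disk after it started.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Distinct file-backed mappings: column 6 of /proc/PID/maps, absolute paths only.
proc_mapped_files() {
    awk 'NF >= 6 && $6 ~ /^\// { print $6 }' "/proc/$1/maps" 2>/dev/null | sort -u
}

# Real uid and gid from /proc/PID/status, printed as "uid gid".
proc_ids() {
    awk '$1 == "Uid:" { uid = $2 } $1 == "Gid:" { gid = $2 } END { print uid, gid }' \
        "/proc/$1/status" 2>/dev/null
}

# Kernel threads have no exe link and an empty maps file. A process you are
# not allowed to inspect looks the same from an unprivileged shell.
is_kernel_thread() {
    [ -z "$(proc_exe "$1")" ] && [ -z "$(head -n 1 "/proc/$1/maps" 2>/dev/null)" ]
}

inspect_pid() {
    pid=$1
    printf 'pid %s: comm=[%s] exe=[%s] uid/gid=[%s]\n' "$pid" \
        "$(cat "/proc/$pid/comm" 2>/dev/null)" "$(proc_exe "$pid")" "$(proc_ids "$pid")"
    if is_kernel_thread "$pid"; then
        echo "  no exe and no mappings: kernel thread, not readable, or already exited"
    else
        echo "  mapped files:"
        proc_mapped_files "$pid" | sed 's/^/    /'
    fi
}

# Usage: sh inspect.sh PID; with no argument it inspects this shell itself.
inspect_pid "${1:-$$}"
```

    Because the processes in the thread reappear with new PIDs, run it in a loop over `ps -eo pid,comm` output while the activity is happening rather than once by hand.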

  3. #3
    abachler (Malum in se), Join Date: Apr 2007, Posts: 3,195
    Yup, Linux is no more impervious to virii than windows, just that most virus writers target windows. Same goes for Mac-OS.

  4. #4
    Yarin (Unregistered User), Join Date: Jul 2007, Posts: 2,158
    Correct me if I'm wrong, but couldn't the process change its proc files, thus making that useless? (being that it's running in root) Nevertheless, I'll try it next time.

    >> Yup, Linux is no more impervious to virii than windows
    I wouldn't say that. A program run on Windows can do anything (unless you have an 'OS Firewall'), whereas a program couldn't do squat on Linux without gaining root access, which would only happen if you let it, or if you accidentally get it while in root.

    Does anyone know what the difference between "root" and "root, -1" is?

  5. #5
    Mario F. ((?<!re)tired), Join Date: May 2006, Location: Ireland, Posts: 8,446
    Quote Originally Posted by Yarin
    I wouldn't say that. A program run on Windows can do anything (unless you have an 'OS Firewall'), whereas a program couldn't do squat on Linux without gaining root access, which would only happen if you let it, or if you accidentally get it while in root.
    So you never heard of UAC, or before that Multiple User Accounts introduced in Windows NT back in 1993.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  6. #6
    abachler (Malum in se), Join Date: Apr 2007, Posts: 3,195
    Quote Originally Posted by Yarin
    Correct me if I'm wrong, but couldn't the process change its proc files, thus making that useless? (being that it's running in root) Nevertheless, I'll try it next time.

    >> Yup, Linux is no more impervious to virii than windows
    I wouldn't say that. A program run on Windows can do anything (unless you have an 'OS Firewall'), whereas a program couldn't do squat on Linux without gaining root access, which would only happen if you let it, or if you accidentally get it while in root.

    Does anyone know what the difference between "root" and "root, -1" is?
    An application running on windows cannot do 'anything it wants', unless it is running with root privileges, which on windows is called running with admin privileges, which 99% of people do. If you run linux under admin all the time then anything you run on your system can wreak just as much havoc.

    Guns don't kill people, I do.

    Windows isn't any more vulnerable than linux, Windows Users just don't take advantage of its security features.

  7. #7
    kermit (...), Join Date: Jan 2003, Posts: 1,534
    Next time it runs, see if you can tell what it is connected to with a pstree -ap. Other than that, have you tried chkrootkit and rkhunter?

  8. #8
    brewbuck (Officially An Architect), Join Date: Mar 2007, Location: Portland, OR, Posts: 7,396
    Quote Originally Posted by Yarin
    Correct me if I'm wrong, but couldn't the process change its proc files, thus making that useless? (being that it's running in root) Nevertheless, I'll try it next time.
    It could only alter the contents of /proc if it installed some kind of kernel module. That's certainly not impossible, but it would mean that you have a fairly sophisticated rootkit installed on your machine.

  9. #9
    brewbuck (Officially An Architect), Join Date: Mar 2007, Location: Portland, OR, Posts: 7,396
    Another thing to try would be to pull the network for a few hours and see if the behavior changes.

  10. #10
    Kennedy ({Jaxom,Imriel,Liam}'s Dad), Join Date: Aug 2006, Location: Alabama, Posts: 1,065
    Quote Originally Posted by Yarin
    "root" and "root, -1" is?
    That completely depends on your options to procps.

    The "doesn't have a name" thing, however, could be a kernel thread without a name (though, I think that may still show up as [] instead of nothing).

  11. #11
    MK27 (spurious conceit), Join Date: Jul 2008, Location: segmentation fault, Posts: 8,300
    Quote Originally Posted by Yarin
    Does anyone know what the difference between "root" and "root, -1" is?
    I would assume the gid, although I did not know -1 was valid for that. If you do not have a -1 in /etc/group, try creating one and see if it works. If it does, you might be able to do something to limit that group.

    I did google "linux gid -1" but nothing.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  12. #12
    Yarin (Unregistered User), Join Date: Jul 2007, Posts: 2,158
    Quote Originally Posted by Mario F.
    So you never heard of UAC, or before that Multiple User Accounts introduced in Windows NT back in 1993.
    I've heard. But I've never seen UAC in action on Windows before, programs just whine about lack of permission - you'd have to "Run as User", or something. If users running admin accounts when they shouldn't was the only reason for Windows problems, then why all the vulnerability patches?

    Quote Originally Posted by kermit
    Next time it runs, see if you can tell what it is connected to with a pstree -ap. Other than that, have you tried chkrootkit and rkhunter?
    That also sounds good.
    I've run rkhunter, it didn't find anything. I haven't tried chkrootkit yet.

    Quote Originally Posted by brewbuck
    Another thing to try would be to pull the network for a few hours and see if the behavior changes.
    I'm on dial-up, so the network is already 'pulled' most of the time. Twice it happened when I was off-line, and once when I was on. And when I was on, it wasn't communicating.

    Quote Originally Posted by MK27
    I would assume the gid, although I did not know -1 was valid for that. If you do not have a -1 in /etc/group, try creating one and see if it works. If it does, you might be able to do something to limit that group.

    I did google "linux gid -1" but nothing.
    Can't find any group named -1. Trying to create it using a system front-end, says it's not a valid name. I thought of manually adding it to the file, but I dunno what that could mess up.
    Yeah, I googled for it already, but google doesn't interpret -1 the way we're wanting it to.
