Olorin n00b
Joined: 10 Jun 2012 Posts: 6 Location: Texas
Posted: Thu Jun 05, 2014 3:05 am Post subject: .exe processes without wine?
Recently something mixed up my default programs so that images would open in firefox (which is not my default browser) and .html and maybe some others would open in wine, which would then launch several short lived threads at a time over and over again, which would use lots of CPU time. This would only stop if you killed them all at once, which was hard to do since they changed their names and PIDs quickly. I don't know if this is malicious behavior or just a serious bug, but the solution seems simple enough: Uninstall Wine. So, I did that a few days ago. Today I logged into that machine (my desktop - I'm out of town) via SSH and noticed that SSH was being slow and unresponsive. "top" revealed that X and a kworker thread were both using around 10% of my CPU time (a slightly overclocked i7-2700k), so I killed xinit, and the cpu usage went back to normal, but ssh was still slow. At that point I noticed three ".exe" processes running despite the absence of wine: explorer.exe, services.exe, plugplay.exe. I killed them, and SSH started responding normally. Now I am very worried that something bad is happening.
Am I being paranoid? Are wine and X just buggy? Could there still be some thread that's been running since before I uninstalled wine that occasionally spawns these .exe threads? I would appreciate any thoughts on this issue.
xaviermiller Bodhisattva
Joined: 23 Jul 2004 Posts: 8723 Location: ~Brussels - Belgique
Posted: Thu Jun 05, 2014 7:55 am Post subject:
Did you reboot your machine after uninstalling wine?
With UNIX, you can remove all executables, but those running will continue to exist.
_________________
Kind regards,
Xavier Miller
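One way to see exactly the situation described above, processes still running after their binary was removed, is to check /proc/<pid>/exe, which the kernel marks with " (deleted)" once the on-disk file is gone. This is an added example, not code from the thread; the fake /proc tree it builds is constructed so the check can be exercised without root or live wine processes.

```shell
# list_deleted_exe [proc_root]: print "pid<TAB>comm<TAB>exe" for every process
# whose executable no longer exists on disk. proc_root defaults to /proc; a
# different root is accepted only so the function can be run offline.
list_deleted_exe() {
    proc_root="${1:-/proc}"
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        # readlink fails for processes we may not inspect (other users' or
        # kernel threads); skip those instead of aborting
        target=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                comm=$(cat "$pid_dir/comm" 2>/dev/null || printf '?')
                printf '%s\t%s\t%s\n' "${pid_dir##*/}" "$comm" "$target"
                ;;
        esac
    done
}

# Constructed fake /proc tree (hypothetical pids and paths) for demonstration;
# prints the directory it created.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1234" "$root/1235"
    # 1234: what an orphaned wine helper looks like after the package is gone
    ln -s '/usr/bin/wine-preloader (deleted)' "$root/1234/exe"
    printf 'explorer.exe\n' > "$root/1234/comm"
    # 1235: ordinary process whose binary is still installed
    ln -s '/usr/bin/sshd' "$root/1235/exe"
    printf 'sshd\n' > "$root/1235/comm"
    printf '%s\n' "$root"
}

# Number of deleted-binary processes under a given root
count_deleted_exe() {
    list_deleted_exe "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed tree; on a real box run list_deleted_exe
# with no argument (as root, to see every user's processes).
list_deleted_exe "$(make_fake_proc)"
```

Anything it reports will also keep its old name in ps output, which is why a process can outlive the package that provided it until it is killed or the machine is rebooted.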
i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Thu Jun 05, 2014 8:36 am Post subject:
Yes.
In any case, if you are truly worried you should give rkhunter and chkrootkit a try.
Olorin n00b
Joined: 10 Jun 2012 Posts: 6 Location: Texas
Posted: Thu Jun 05, 2014 9:35 am Post subject:
XavierMiller wrote: | Did you reboot your machine after uninstalling wine? With UNIX, you can remove all executables, but those running will continue to exist. |
I didn't reboot, but I killed nearly all the threads running with my username and made sure that commands like "ps -ef | grep wine" and "ps -ef | grep exe" didn't turn up anything.
i92guboj wrote: | Yes. In any case, if you are truly worried you should give rkhunter and chkrootkit a try. |
I'll do that. Thanks. I appreciate the feedback. I realize that it's kind of a stupid question. I've been on edge since I noticed that multiple IP addresses had been trying to guess my ssh password for months. I wouldn't have thought anyone would bother doing something like that to a machine on a residential IP address. Then somebody got into my gmail, for which I used the same password as I used for my user on my desktop, and I've been thinking about the fact that it wouldn't necessarily be obvious if somebody had got in and gained root. I've tightened up my SSH security and changed all of my passwords, but not being able to take for granted that I'm completely in control of my machine has been making me paranoid, I guess. I'll continue to assume that the timing of the bugginess is just unfortunate, and I'll run those two programs just in case.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6209 Location: Dallas area
Posted: Thu Jun 05, 2014 9:43 am Post subject:
I think most people constantly get hits on the ssh port. I know I do.
I don't leave ssh open for the world though. I use iptables to filter it down to just the ip addresses that I might connect from.
_________________
UM780, 6.12 zen kernel, gcc 13, openrc, wayland
i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Thu Jun 05, 2014 10:02 am Post subject:
You can't stop people (meaning "bots") hitting your ssh port if you allow login, just like you can't stop people from knocking on your door; that is, unless you electrify it.
They just ssh to every random ip they can think of.
Running it on some other port than the default 22 will drastically decrease the attempts, though. Using some iptables rules to block incoming traffic is always a good thing, though it can be difficult if you don't always connect from the same ips. You can, however, blacklist concrete ips or even ip ranges.
Also, if you haven't yet, check fail2ban.
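The two suggestions above, counting the password-guessing sources (what fail2ban automates) and blacklisting concrete ips with iptables, as an added example that is not from the thread. The sshd log lines are constructed (documentation-range addresses, hypothetical host name and pids); real input would come from /var/log/auth.log or journalctl -u sshd, and the iptables rules are printed for review rather than applied.

```shell
# Constructed sample in syslog/sshd format; 192.0.2.10 fails four times,
# 198.51.100.7 once, and 203.0.113.5 is a successful key login (not counted).
SAMPLE_AUTH_LOG='Jun  5 03:01:12 desk sshd[4101]: Failed password for root from 192.0.2.10 port 52311 ssh2
Jun  5 03:01:15 desk sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 52314 ssh2
Jun  5 03:01:19 desk sshd[4105]: Failed password for root from 192.0.2.10 port 52320 ssh2
Jun  5 03:02:02 desk sshd[4110]: Failed password for olorin from 198.51.100.7 port 40001 ssh2
Jun  5 03:02:40 desk sshd[4112]: Accepted publickey for olorin from 203.0.113.5 port 39914 ssh2
Jun  5 03:03:01 desk sshd[4115]: Failed password for invalid user test from 192.0.2.10 port 52330 ssh2'

# failed_logins_by_ip [threshold] < log: "count<TAB>ip" for every source with
# at least <threshold> failed password attempts (default 3), highest first.
failed_logins_by_ip() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d\t%s\n", hits[ip], ip }
    ' | sort -rn
}

# blacklist_rules [ssh_port] < "count<TAB>ip" lines: print one DROP rule per
# offender for the ssh port (22 by default; pass the port if sshd was moved).
# Output is meant to be reviewed, then run as root or added to saved rules.
blacklist_rules() {
    ssh_port="${1:-22}"
    tab=$(printf '\t')
    while IFS="$tab" read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP   # %s failures\n' \
            "$ip" "$ssh_port" "$count"
    done
}

# Demonstration on the sample: only 192.0.2.10 reaches the threshold
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip 3 | blacklist_rules 22
```

Restricting the whole port to known source addresses, as Anon-E-moose does, is the stronger option when your client addresses are stable; the blacklist approach above is the fallback for when they are not.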
Chiitoo Administrator
Joined: 28 Feb 2010 Posts: 2751 Location: Here and Away Again
Posted: Thu Jun 05, 2014 11:10 am Post subject:
i92guboj wrote: | [...] just like you can't stop people from knocking your door; that is, unless you electrify it |
One might bet many still would, at least once!
_________________
Kindest of regardses.
guido-pe n00b
Joined: 10 May 2004 Posts: 74
Posted: Thu Jun 05, 2014 3:50 pm Post subject:
i92guboj wrote: | In any case, if you are truly worried you should give rkhunter and chkrootkit a try. |
IMHO, if someone is truly worried their system might be compromised, they should just nuke it and reinstall from scratch. Otherwise, you can never be sure that you got all traces from some malware or all the backdoors some intruder put in place.
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Sat Jun 07, 2014 7:02 pm Post subject:
I've had to nuke my servers once, because someone managed to get access through a service account. After I saw that, I nuked the entire system and reinstalled.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9883 Location: almost Mile High in the USA
Posted: Wed Jun 11, 2014 9:08 pm Post subject:
Keep in mind too that for some reason, at least my Gnome2 desktop appears to collect icons and startup scripts from wine if wine dictates it to be. It probably is the "wine integration" of Gnome but it's more worrisome than convenient. Wine apparently can actually add default programs to the Gnome desktop, which means that windows viruses can make Wine run them more often. May need to check what your DE is pointing to as default programs and make sure it's not a wine program if you didn't mean it to be.
Yes, I fear getting compromised but being able to access my machines remotely is more interesting. Sometimes I think I may have to move everything to VPN to stop the SSH dictionary attacks. Luckily my OpenVPN has not been "knocked" on much. However requiring openvpn pretty much means a longer startup time as it has to negotiate a link first, plus I can't memorize an RSA key ...
I've mentioned this in the past, but I am worried that I may end up on a random network that blocks ports. A random network has a higher chance of blocking port 1194 than 22, which is more than 443 (and some block all of them but 80 and 53). As a "backdoor" into my network I actually have one spare machine forwarding port 443 to 22 just in case I run into one of these networks...
(I should have another machine that forwards port 80 to 22 for the same reason... Then again they probably have a transparent proxy on that, and trying to talk ssh will probably confuse it.)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?