[NTLUG:Discuss] -:0

Robert Pearson rdpears at gmail.com
Sat Apr 23 00:14:26 CDT 2005


On my SuSE 9.2 desktop "ps -ef" shows---

UID        PID  PPID  C STIME TTY          TIME CMD
root      5954     1  0 23:23 ?        00:00:00 /opt/kde3/bin/kdm
root      5967  5954  3 23:23 ?        00:00:42 /usr/X11R6/bin/X -nolisten tcp -br vt7 -auth /var/lib/xdm/authdir/authf
root      5972  5954  0 23:23 ?        00:00:00 -:0

It looks like this is a legitimate process parented from "/opt/kde3/bin/kdm".
Since I am a novice I cannot be sure. What do the security-aware people think?

Thanks,

Robert

On 4/22/05, Paul Ingendorf <pauldy at wantek.net> wrote:
> I would be very suspicious of this.  If you are running a proc filesystem,
> run more /proc/3555/cmdline.  If it doesn't exist or the path looks weird,
> you can bet it is a Trojan. I would back up your important data and format
> the system asap.  You can also do forensics on the drive if you want to
> try and find out where it came from, in which case I would get a new drive,
> reinstall to it, then back up your data to the new drive and perform all of
> your forensics without modifying the drive.
> 
> frostier said:
> > In the process of trying to fix my printer I did a:
> > ps -e -f
> >
> > and was looking through the output when I saw:
> > UID        PID  PPID  C STIME TTY          TIME CMD
> > root      3555  1307  0 Apr21 ?        00:00:00 -:0
> >
> > I've never heard of a process called -:0,
> > and it bothers the hell out of me that there is no path listed to bin.
> >
> > locate -:0 gives an invalid option.
> >
> > Can this be anything good?
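As an added example (not code from the thread), Paul's /proc check scripted as a triage step: it reads what the kernel recorded for the process instead of trusting the CMD column, and treats a "-:0" entry as expected only when it and its parent both execute the display-manager binary, which is how xdm-style display managers such as kdm label their per-display child. PROC_ROOT, the function names and the sample PIDs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a process whose ps CMD column
# looks odd (such as "-:0") by asking the kernel what it really executes.
# PROC_ROOT is an assumption of this example so the functions can be run
# against a constructed /proc tree; on a live system leave it at /proc
# (reading another user's exe link needs root, as for the kdm processes above).
PROC_ROOT=${PROC_ROOT:-/proc}

# argv[] as the process started with it, NUL-separated in /proc/PID/cmdline
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'
}

# the binary actually mapped as the program image, whatever argv[0] claims
proc_exe() {
    readlink "$PROC_ROOT/$1/exe"
}

# parent PID from the PPid: line of /proc/PID/status
proc_ppid() {
    awk '/^PPid:/ { print $2 }' "$PROC_ROOT/$1/status"
}

# Verdict for a display-manager child: "expected" when both the process and its
# parent execute the display manager binary named in $2 (kdm's per-display
# child, shown as "-:0", looks like this); otherwise "investigate" with a reason.
triage_display_child() {
    pid=$1 dm=$2
    exe=$(proc_exe "$pid" 2>/dev/null) || exe=""
    case "$exe" in
        "")            echo "investigate: pid $pid has no readable exe link"; return 1 ;;
        "$dm")         ;;
        *" (deleted)") echo "investigate: pid $pid runs a deleted file $exe"; return 1 ;;
        *)             echo "investigate: pid $pid runs $exe, not $dm"; return 1 ;;
    esac
    ppid=$(proc_ppid "$pid")
    pexe=$(proc_exe "$ppid" 2>/dev/null) || pexe=""
    if [ "$pexe" != "$dm" ]; then
        echo "investigate: parent $ppid of pid $pid runs ${pexe:-<unreadable>}, not $dm"
        return 1
    fi
    echo "expected: pid $pid ($(proc_cmdline "$pid")) is a child of $dm pid $ppid"
    return 0
}
```

On Robert's box the call would be `triage_display_child 5972 /opt/kde3/bin/kdm`, run as root; a "-:0" whose exe link points anywhere other than the display manager, or whose parent is not the display manager, is the case Paul describes.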
