What kind of process is this ?

on 19.01.2010 23:46:31 by Yago Jesus

Hi,

Playing with Unhide (http://www.security-projects.com/?Unhide) I have
found a very strange process (and I think I'm not rooted lol).

Unhide reports this:

Found HIDDEN PID: 24111
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24112
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24115
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24118
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24121
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24122
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

If I search -for example- in /proc/24111 directory exists and appears a
legitimate process ...

But, here is the weird issue, I can't find it using PS

I have tried :

#ps -eL | grep 24111

#ps axT | grep 24111

#ps -aHT | grep 24111

I think it is not a 'normal' process, nor a thread, nor a session leader,
nor a pgrp ...

But, surprise ! , I was able to find it using pstree

$ pstree -c -p | grep opera
      |-opera(28600)-+-operapluginclea(28937)
      |              |-operapluginwrap(30602)
      |              |-{opera}(28630)
      |              `-{opera}(28873)
      |-operapluginwrap(23493)-+-operapluginwrap(24641)
      |                        |-{operapluginwrap}(24111)
      |                        |-{operapluginwrap}(24112)
      |                        |-{operapluginwrap}(24115)
      |                        |-{operapluginwrap}(24118)
      |                        |-{operapluginwrap}(24121)
      |                        `-{operapluginwrap}(24122)

More info:

$ uname -a
Linux centrino 2.6.27.25-78.2.56.fc9.i686.PAE #1 SMP Thu Jun 18
12:36:07 EDT 2009 i686 i686 i386 GNU/Linux


$ rpm -qf /bin/ps
procps-3.2.7-20.fc9.i386


Thanks !
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: What kind of process is this ?

on 20.01.2010 00:16:43 by Ben Kevan

On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
wrote:

> Hi,
>
> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
> found a very strange process (and I think I'm not rooted lol).
>
> Unhide reports this:
>
> Found HIDDEN PID: 24111
> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>
> Found HIDDEN PID: 24112
> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>
> BIG SNIP

That's the opera web browser plugin wrapper process.


--
If you don't know what you want, you end up with a lot you don't. -Fight
Club

Re: What kind of process is this ?

on 20.01.2010 00:18:45 by h.willstrand

On Wed, Jan 20, 2010 at 12:16 AM, Ben Kevan wrote:
> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
> wrote:
>
>> Hi,
>>
>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>> found a very strange process (and I think I'm not rooted lol).
>>
>> Unhide reports this:
>>
>> Found HIDDEN PID: 24111
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24112
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
Try ps -eLf and you should see the missing stuff.

//HW
>> BIG SNIP
>
> That's the opera web browser plugin wrapper process.
>
>
> --
> If you don't know what you want, you end up with a lot you don't. -Fight
> Club

Re: What kind of process is this ?

on 20.01.2010 00:19:59 by Yago Jesus

I'm sure:

$ rpm -Vf /bin/ps

and it's ok

2010/1/19 Juan Leaniz :
> Did you check /bin/ps's timestamp to make sure it wasn't modified or
> replaced? Are you able to see the process if you use lsof ?
>
> On Tue, Jan 19, 2010 at 8:46 PM, Yago Jesus
> wrote:
>>
>> Hi,
>>
>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>> found a very strange process (and I think I'm not rooted lol).
>>
>> Unhide reports this:
>>
>> Found HIDDEN PID: 24111
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24112
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24115
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24118
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24121
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24122
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> If I search -for example- in /proc/24111 directory exists and appears a
>> legitimate process ...
>>
>> But, here is the weird issue, I can't find it using PS
>>
>> I have tried :
>>
>> #ps -eL | grep 24111
>>
>> #ps axT | grep 24111
>>
>> #ps -aHT | grep 24111
>>
>> I think it is not a 'normal' process, nor a thread, nor a session leader,
>> nor a pgrp ...
>>
>> But, surprise ! , I was able to find it using pstree
>>
>> $ pstree -c -p | grep opera
>>       |-opera(28600)-+-operapluginclea(28937)
>>       |              |-operapluginwrap(30602)
>>       |              |-{opera}(28630)
>>       |              `-{opera}(28873)
>>       |-operapluginwrap(23493)-+-operapluginwrap(24641)
>>       |                        |-{operapluginwrap}(24111)
>>       |                        |-{operapluginwrap}(24112)
>>       |                        |-{operapluginwrap}(24115)
>>       |                        |-{operapluginwrap}(24118)
>>       |                        |-{operapluginwrap}(24121)
>>       |                        `-{operapluginwrap}(24122)
>>
>> More info:
>>
>> $ uname -a
>> Linux centrino 2.6.27.25-78.2.56.fc9.i686.PAE #1 SMP Thu Jun 18
>> 12:36:07 EDT 2009 i686 i686 i386 GNU/Linux
>>
>>
>> $ rpm -qf /bin/ps
>> procps-3.2.7-20.fc9.i386
>>
>>
>> Thanks !

Re: What kind of process is this ?

on 20.01.2010 00:21:25 by Yago Jesus

Yes, I know the process, but this is not the topic, my question is:
how can I list ?

2010/1/20 Ben Kevan :
> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
> wrote:
>
>> Hi,
>>
>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>> found a very strange process (and I think I'm not rooted lol).
>>
>> Unhide reports this:
>>
>> Found HIDDEN PID: 24111
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24112
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> BIG SNIP
>
> That's the opera web browser plugin wrapper process.
>
>
> --
> If you don't know what you want, you end up with a lot you don't. -Fight
> Club
>

Re: What kind of process is this ?

on 20.01.2010 00:22:59 by Yago Jesus

I can't, no luck

2010/1/20 H. Willstrand :
> On Wed, Jan 20, 2010 at 12:16 AM, Ben Kevan wrote:
>> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
>> wrote:
>>
>>> Hi,
>>>
>>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>>> found a very strange process (and I think I'm not rooted lol).
>>>
>>> Unhide reports this:
>>>
>>> Found HIDDEN PID: 24111
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
>>> Found HIDDEN PID: 24112
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
> Try ps -eLf and you should see the missing stuff.
>
> //HW
>>> BIG SNIP
>>
>> That's the opera web browser plugin wrapper process.
>>
>>
>> --
>> If you don't know what you want, you end up with a lot you don't. -Fight
>> Club

Re: What kind of process is this ?

on 20.01.2010 00:39:18 by Ben Kevan

On Tue, 19 Jan 2010 15:21:25 -0800, Yago Jesus
wrote:

> Yes, I know the process, but this is not the topic, my question is:
> how can I list ?
>
> 2010/1/20 Ben Kevan :
>> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
>> wrote:
>>
>>> Hi,
>>>
>>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>>> found a very strange process (and I think I'm not rooted lol).
>>>
>>> Unhide reports this:
>>>
>>> Found HIDDEN PID: 24111
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
>>> Found HIDDEN PID: 24112
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
>>> BIG SNIP
>>
>> That's the opera web browser plugin wrapper process.
>>

Actually looking at your subject line, you indicated you wanted to know
what kind of process it was, which I gladly told you.
Second it's a wrapper script around stuff in the /usr/lib/browser-plugins/

Also,

What version of Opera etc.. I'm able to see it just fine on my machine
running ps aux:

ps aux | grep -v grep | grep opera | awk '{ print $11 }'
/usr/lib/opera/opera
/usr/lib/opera/operapluginwrapper-ia32-linux
/usr/lib/opera/operaplugincleaner

--
If you don't know what you want, you end up with a lot you don't. -Fight
Club

Re: What kind of process is this ?

on 20.01.2010 11:38:44 by Yago Jesus

$ rpm -qa | grep -i opera
opera-10.01-4682.gcc4.shared.qt3.i386

2010/1/20 Ben Kevan :
> On Tue, 19 Jan 2010 15:21:25 -0800, Yago Jesus
> wrote:
>
>> Yes, I know the process, but this is not the topic, my question is:
>> how can I list ?
>>
>> 2010/1/20 Ben Kevan :
>>>
>>> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>>>> found a very strange process (and I think I'm not rooted lol).
>>>>
>>>> Unhide reports this:
>>>>
>>>> Found HIDDEN PID: 24111
>>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>>
>>>> Found HIDDEN PID: 24112
>>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>>
>>>> BIG SNIP
>>>
>>> That's the opera web browser plugin wrapper process.
>>>
>
> Actually looking at your subject line, you indicated you wanted to know what
> kind of process it was, which I gladly told you.
> Second it's a wrapper script around stuff in the /usr/lib/browser-plugins/
>
> Also,
>
> What version of Opera etc.. I'm able to see it just fine on my machine
> running ps aux:
>
> ps aux | grep -v grep | grep opera | awk '{ print $11 }'
> /usr/lib/opera/opera
> /usr/lib/opera/operapluginwrapper-ia32-linux
> /usr/lib/opera/operaplugincleaner
>
> --
> If you don't know what you want, you end up with a lot you don't. -Fight
> Club
>
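
A triage check for the kind of report discussed in this thread, added here as an example and not taken from any of the posts or from Unhide. On Linux, /proc/<id>/status carries both Tgid and Pid; an ID whose Tgid differs from its Pid is a thread, and it should be listed under /proc/<Tgid>/task/. The function names, the optional second argument that overrides /proc, and the fixture (built from the IDs in the pstree output above) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an ID reported as a
# "hidden PID" is a process, or a thread of another process.

# status_field FILE KEY: print the value of "KEY:<tab>value" from a status file.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# classify_id ID [PROC_ROOT]: PROC_ROOT defaults to /proc; the override is a
# hypothetical hook so the check can run against a constructed fixture.
classify_id() {
    id=$1
    root=${2:-/proc}
    [ -r "$root/$id/status" ] || { echo "absent $id"; return 1; }
    tgid=$(status_field "$root/$id/status" Tgid)
    pid=$(status_field "$root/$id/status" Pid)
    if [ "$tgid" = "$pid" ]; then
        echo "process $pid"                   # thread-group leader
    elif [ -d "$root/$tgid/task/$id" ]; then
        echo "thread $id of $tgid"            # listed under the leader's task/
    else
        echo "inconsistent $id (Tgid $tgid)"  # status and task/ disagree
    fi
}

# make_fixture DIR: constructed /proc-like tree using the IDs from the pstree
# output in the thread (leader 23493, thread 24111). Not real captured data.
make_fixture() {
    mkdir -p "$1/23493/task/23493" "$1/23493/task/24111" "$1/24111"
    printf 'Name:\toperapluginwrap\nTgid:\t23493\nPid:\t23493\n' > "$1/23493/status"
    printf 'Name:\toperapluginwrap\nTgid:\t23493\nPid:\t24111\n' > "$1/24111/status"
}

# Demo on the fixture; on a live system call: classify_id 24111
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
classify_id 24111 "$demo_dir"
classify_id 23493 "$demo_dir"
rm -rf "$demo_dir"
```

A "thread" result matches the brace-wrapped entries pstree prints; an "inconsistent" result is the one that deserves a closer look.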