#1: What kind of process is this ?

Posted on 2010-01-19 23:46:31 by Yago Jesus

Hi,

Playing with Unhide (http://www.security-projects.com/?Unhide) I have
found a very strange process (and I think I'm not rooted lol).

Unhide reports this:

Found HIDDEN PID: 24111
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24112
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24115
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24118
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24121
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

Found HIDDEN PID: 24122
Command: /usr/lib/opera/operapluginwrapper-ia32-linux

If I search -for example- in /proc/24111 directory exists and appears a
legitimate process ...

But, here is the weird issue, I can't find it using PS

I have tried :

#ps -eL | grep 24111

#ps axT | grep 24111

#ps -aHT | grep 24111

I think it is not a 'normal' process, nor a thread, nor a session leader,
nor a pgrp ...

But, surprise ! , I was able to find it using pstree

$ pstree -c -p | grep opera
       |-opera(28600)-+-operapluginclea(28937)
       |              |-operapluginwrap(30602)
       |              |-{opera}(28630)
       |              `-{opera}(28873)
       |-operapluginwrap(23493)-+-operapluginwrap(24641)
       |                        |-{operapluginwrap}(24111)
       |                        |-{operapluginwrap}(24112)
       |                        |-{operapluginwrap}(24115)
       |                        |-{operapluginwrap}(24118)
       |                        |-{operapluginwrap}(24121)
       |                        `-{operapluginwrap}(24122)

More info:

$ uname -a
Linux centrino 2.6.27.25-78.2.56.fc9.i686.PAE #1 SMP Thu Jun 18
12:36:07 EDT 2009 i686 i686 i386 GNU/Linux


$ rpm -qf /bin/ps
procps-3.2.7-20.fc9.i386


Thanks !
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html


#2: Re: What kind of process is this ?

Posted on 2010-01-20 00:16:43 by Ben Kevan

On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
<yjesus@security-projects.com> wrote:

> Hi,
>
> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
> found a very strange process (and I think I'm not rooted lol).
>
> Unhide reports this:
>
> Found HIDDEN PID: 24111
> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>
> Found HIDDEN PID: 24112
> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>
> BIG SNIP

That's the opera web browser plugin wrapper process.


--
If you don't know what you want, you end up with a lot you don't. -Fight
Club

#3: Re: What kind of process is this ?

Posted on 2010-01-20 00:18:45 by h.willstrand

On Wed, Jan 20, 2010 at 12:16 AM, Ben Kevan <ben.kevan@gmail.com> wrote:
> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
> <yjesus@security-projects.com> wrote:
>
>> Hi,
>>
>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>> found a very strange process (and I think I'm not rooted lol).
>>
>> Unhide reports this:
>>
>> Found HIDDEN PID: 24111
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24112
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
Try ps -eLf and you should see the missing stuff.

//HW
>> BIG SNIP
>
> That's the opera web browser plugin wrapper process.
>
>
> --
> If you don't know what you want, you end up with a lot you don't. -Fight
> Club

#4: Re: What kind of process is this ?

Posted on 2010-01-20 00:19:59 by Yago Jesus

I'm sure:

$ rpm -Vf /bin/ps

and, it's ok

2010/1/19 Juan Leaniz <juan.leaniz@gmail.com>:
> Did you check /bin/ps's timestamp to make sure it wasn't modified or
> replaced? Are you able to see the process if you use lsof ?
>
> On Tue, Jan 19, 2010 at 8:46 PM, Yago Jesus <yjesus@security-projects.com>
> wrote:
>>
>> Hi,
>>
>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>> found a very strange process (and I think I'm not rooted lol).
>>
>> Unhide reports this:
>>
>> Found HIDDEN PID: 24111
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24112
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24115
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24118
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24121
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24122
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> If I search -for example- in /proc/24111 directory exists and appears a
>> legitimate process ...
>>
>> But, here is the weird issue, I can't find it using PS
>>
>> I have tried :
>>
>> #ps -eL | grep 24111
>>
>> #ps axT | grep 24111
>>
>> #ps -aHT | grep 24111
>>
>> I think it is not a 'normal' process, nor a thread, nor a session leader,
>> nor a pgrp ...
>>
>> But, surprise ! , I was able to find it using pstree
>>
>> $ pstree -c -p | grep opera
>>        |-opera(28600)-+-operapluginclea(28937)
>>        |              |-operapluginwrap(30602)
>>        |              |-{opera}(28630)
>>        |              `-{opera}(28873)
>>        |-operapluginwrap(23493)-+-operapluginwrap(24641)
>>        |                        |-{operapluginwrap}(24111)
>>        |                        |-{operapluginwrap}(24112)
>>        |                        |-{operapluginwrap}(24115)
>>        |                        |-{operapluginwrap}(24118)
>>        |                        |-{operapluginwrap}(24121)
>>        |                        `-{operapluginwrap}(24122)
>>
>> More info:
>>
>> $ uname -a
>> Linux centrino 2.6.27.25-78.2.56.fc9.i686.PAE #1 SMP Thu Jun 18
>> 12:36:07 EDT 2009 i686 i686 i386 GNU/Linux
>>
>>
>> $ rpm -qf /bin/ps
>> procps-3.2.7-20.fc9.i386
>>
>>
>> Thanks !

#5: Re: What kind of process is this ?

Posted on 2010-01-20 00:21:25 by Yago Jesus

Yes, I know the process, but this is not the topic, my question is:
how can I list ?

2010/1/20 Ben Kevan <ben.kevan@gmail.com>:
> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
> <yjesus@security-projects.com> wrote:
>
>> Hi,
>>
>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>> found a very strange process (and I think I'm not rooted lol).
>>
>> Unhide reports this:
>>
>> Found HIDDEN PID: 24111
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> Found HIDDEN PID: 24112
>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>
>> BIG SNIP
>
> That's the opera web browser plugin wrapper process.
>
>
> --
> If you don't know what you want, you end up with a lot you don't. -Fight
> Club

#6: Re: What kind of process is this ?

Posted on 2010-01-20 00:22:59 by Yago Jesus

I can't, no luck

2010/1/20 H. Willstrand <h.willstrand@gmail.com>:
> On Wed, Jan 20, 2010 at 12:16 AM, Ben Kevan <ben.kevan@gmail.com> wrote:
>> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
>> <yjesus@security-projects.com> wrote:
>>
>>> Hi,
>>>
>>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>>> found a very strange process (and I think I'm not rooted lol).
>>>
>>> Unhide reports this:
>>>
>>> Found HIDDEN PID: 24111
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
>>> Found HIDDEN PID: 24112
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
> Try ps -eLf and you should see the missing stuff.
>
> //HW
>>> BIG SNIP
>>
>> That's the opera web browser plugin wrapper process.
>>
>>
>> --
>> If you don't know what you want, you end up with a lot you don't. -Fight
>> Club

#7: Re: What kind of process is this ?

Posted on 2010-01-20 00:39:18 by Ben Kevan

On Tue, 19 Jan 2010 15:21:25 -0800, Yago Jesus
<yjesus@security-projects.com> wrote:

> Yes, I know the process, but this is not the topic, my question is:
> how can I list ?
>
> 2010/1/20 Ben Kevan <ben.kevan@gmail.com>:
>> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
>> <yjesus@security-projects.com> wrote:
>>
>>> Hi,
>>>
>>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>>> found a very strange process (and I think I'm not rooted lol).
>>>
>>> Unhide reports this:
>>>
>>> Found HIDDEN PID: 24111
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
>>> Found HIDDEN PID: 24112
>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>
>>> BIG SNIP
>>
>> That's the opera web browser plugin wrapper process.
>>

Actually looking at your subject line, you indicated you wanted to know
what kind of process it was, which I gladly told you.
Second it's a wrapper script around stuff in the /usr/lib/browser-plugins/

Also,

What version of Opera etc.. I'm able to see it just fine on my machine
running ps aux:

ps aux | grep -v grep | grep opera | awk '{ print $11 }'
/usr/lib/opera/opera
/usr/lib/opera/operapluginwrapper-ia32-linux
/usr/lib/opera/operaplugincleaner

--
If you don't know what you want, you end up with a lot you don't. -Fight
Club

#8: Re: What kind of process is this ?

Posted on 2010-01-20 11:38:44 by Yago Jesus

$ rpm -qa | grep -i opera
opera-10.01-4682.gcc4.shared.qt3.i386

2010/1/20 Ben Kevan <ben.kevan@gmail.com>:
> On Tue, 19 Jan 2010 15:21:25 -0800, Yago Jesus
> <yjesus@security-projects.com> wrote:
>
>> Yes, I know the process, but this is not the topic, my question is:
>> how can I list ?
>>
>> 2010/1/20 Ben Kevan <ben.kevan@gmail.com>:
>>>
>>> On Tue, 19 Jan 2010 14:46:31 -0800, Yago Jesus
>>> <yjesus@security-projects.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Playing with Unhide (http://www.security-projects.com/?Unhide) I have
>>>> found a very strange process (and I think I'm not rooted lol).
>>>>
>>>> Unhide reports this:
>>>>
>>>> Found HIDDEN PID: 24111
>>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>>
>>>> Found HIDDEN PID: 24112
>>>> Command: /usr/lib/opera/operapluginwrapper-ia32-linux
>>>>
>>>> BIG SNIP
>>>
>>> That's the opera web browser plugin wrapper process.
>>>
>
> Actually looking at your subject line, you indicated you wanted to know what
> kind of process it was, which I gladly told you.
> Second it's a wrapper script around stuff in the /usr/lib/browser-plugins/
>
> Also,
>
> What version of Opera etc.. I'm able to see it just fine on my machine
> running ps aux:
>
> ps aux | grep -v grep | grep opera | awk '{ print $11 }'
> /usr/lib/opera/opera
> /usr/lib/opera/operapluginwrapper-ia32-linux
> /usr/lib/opera/operaplugincleaner
>
> --
> If you don't know what you want, you end up with a lot you don't. -Fight
> Club

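Added example (not part of any message in this thread): pstree prints threads in curly braces, so the IDs reported in message #1 appear as threads of PID 23493, and Linux resolves /proc/<tid> by path without including it in a listing of /proc. The sketch below classifies such an ID by comparing Pid and Tgid in its status file. The function names and the sample tree are constructed for illustration.

```bash
#!/bin/sh
# Classify a numeric ID that a scanner reported as "hidden".
# The proc root is a parameter so the check can run against a
# constructed tree as well as the live /proc.

classify_id() (
    id=$1
    root=${2:-/proc}
    status="$root/$id/status"
    if [ ! -r "$status" ]; then
        echo "absent"             # nothing resolves for this ID
        exit 0
    fi
    pid=$(awk '$1 == "Pid:"  { print $2 }' "$status")
    tgid=$(awk '$1 == "Tgid:" { print $2 }' "$status")
    if [ "$pid" = "$tgid" ]; then
        echo "process"            # thread-group leader, an ordinary process
    elif [ -d "$root/$tgid/task/$id" ]; then
        echo "thread-of:$tgid"    # a thread; ps -eLf shows it in the LWP column
    else
        echo "inconsistent"       # Tgid names a leader that does not list this ID
    fi
)

# Constructed sample tree using the IDs from the thread: 23493 is the
# thread-group leader and 24111 is one of its threads.
make_sample_proc() (
    root=$(mktemp -d)
    mkdir -p "$root/23493/task/23493" "$root/23493/task/24111" "$root/24111"
    printf 'Name:\toperapluginwrap\nTgid:\t23493\nPid:\t23493\n' > "$root/23493/status"
    printf 'Name:\toperapluginwrap\nTgid:\t23493\nPid:\t24111\n' > "$root/24111/status"
    echo "$root"
)

# Demo run over the constructed tree.
sample=$(make_sample_proc)
for id in 23493 24111 99999; do
    printf '%s -> %s\n' "$id" "$(classify_id "$id" "$sample")"
done
rm -rf "$sample"
```

On a live system, call classify_id with the ID alone so it reads the real /proc; an "inconsistent" result is the case worth investigating further.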