strange processes?



Hi again,

until now I've made it to the first testbuild of gnome 2.5.13.
I like it very much, especially the advanced configuration options,
that have not been there with my old system 2.10.2. The look'n
feel is great! (...even though the windows' edges flicker a bit 
when being moved, but this is true for the old system, too).  
The framerate with the 3D hardware acceleration increased by 50%
compared to the old config! (fgl_glxgears)

I'll try to do the build of gnomemeeting or its successor later, 
until the more important programs are usable. Most important by now
are evolution, epiphany or firefox and gaim. And of course
bug-buddy for the error-reports. :-)

The problems with my old gnome version began with firefox AFAIRC.
Its version is 1.0.6 and the newly compiled does not
start up by now. It sometimes occurred that the system froze
and I had to close the browser using the symbol in the upper right.
Then a gnome msg came up that it did not react anymore. I chose
to end the application. Sometime after this behaviour occurred
more often.

This was the main reason to try out a new version. I hoped that 
these problems would go away, but I want to be sure now. There's 
a strange behaviour of applications in the old gnome. It looks as 
if they open their window, but then the borders vanish very fast.
A second after the application opens up normally (side effect?)
This was more suspicious when I checked the process list using 
chkrootkit. Starting the old gnome now there are about 17 hidden
processes which are reported not to show up for the ps and
the readdir command. I checked the reported hits in /proc and 
found the following:

- nautilus (many instances, without any nautilus window open)
- gnome-vfs-daemon
- gnome-terminal
- evolution-alarm-notify
- evolution-data-server (2, once 3 instances)
- gnome-panel
- firefox (even after being ended)

It was not possible to shoot these processes (aka "kill -9").
During this time there also lay around some zombie processes,
which also refused to go away getting a "kill -9". The hardest one
here was s2u, mostly accompanied by mdkapplet and net_applet. 
Once I also saw Mod_Meta_L_Disa(ble). They all went off to nowhere
after shutting down X. Thinking that it could work without
them I backed up the /etc/X11/xinit.d dir, where they reside and 
deleted the offenders here.

To be sure that the new gnome system is not compromised as
well, I opened a terminal here and did "chkproc -v" here as
well. Out of the new 2.13.5 in /proc are the following now:

- gnome-settings-daemon
- nautilus
- gnome-vfs-daemon
- gnome-panel
- gnome-terminal
- (mDNSresponder, only once)
- (evolution-exchange-storage, only once)

I found out that the hidden processes have the same PID as 
the "normal" ones, but with a different SPID (+1 or +2). 

Trying to use evolution in the new system I found that
s2u is needed for the use of dbus (connecting it to the
system bus). Later it showed that an old version of s2u.sh
was reinstalled in xinit.d (by the mandrake system?)

So the question now is: Are those processes really meant
to be hidden by GNOME or is there a problem somewhere else?

If this is all okay, please let me know...


In the meantime I've done a little research on my harddisks.
By which means could a possible intruder have gotten into this 
machine? Before I was able to connect to an IRC server
in a reasonable way (i.e: using something like gaim),
our course at the local University was suggested to use 
the Browser and a JAVA-plugin from within a BSCW-server
to do this. (The course relies on BSCW on a regular 
basis.)

Just to chat this was like killing a bug with a 
big hammer, but this seems to be the way things go
these days - I wouldn't have installed a runtime-environment
at all if it was not for this. Using gaim didn't work
at first, and there was no time to track down the
error. So using JAVA was a rather quick'n dirty solution.
Besides, more and more websites use java now, and I got 
somehow used to it...

So maybe that was the way something unwanted came
in here? Browsing through my dirs I found a file
within /etc/alternatives, that would possibly be 
related to the problems with the processes: 
The name is "hibernate_in_process_cache", and
it softlinks to /usr/share/java/jisp2.rar. I'm
not sure from which package it came, since I 
tried several until one of them worked.

Maybe this is alright, too? However, after going 
into single mode I looked up, whether some other
processes were still there, showing a similar
behaviour. 

I found two of them: One is pdflush, which does 
writing data on a quite low level, the other one
is kjournald. I presume kjournald does some
updating or similar for the kernel on journalised
filesystems. They are now the only processes left
that have two instances and they are marked
sleeping; all others show up only once. 
I'm somehow lost now. Couldn't they spawn child 
processes when needed?

Or am I totally on the wrong path with this 
and worrying about nothing?


Best regards,

Stefan

-- 
Stefan Czinczoll   scholle(at)uni-duisburg.de
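
A check for the PID/SPID observation in the message above, as an added example that is not part of the original post: on Linux a thread ID that is not its thread-group leader is not returned by readdir on /proc, although /proc/<id>/status can still be opened, and its Tgid field names the owning process. The status samples and IDs are constructed, and `parse_status`, `classify` and `check_live` are hypothetical helper names.

```python
import os

# Constructed samples of /proc/<id>/status content (not taken from the post).
SAMPLE_LEADER = "Name:\tnautilus\nState:\tS (sleeping)\nTgid:\t4312\nPid:\t4312\nPPid:\t1\n"
SAMPLE_THREAD = "Name:\tnautilus\nState:\tS (sleeping)\nTgid:\t4312\nPid:\t4313\nPPid:\t1\n"

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(ident, status_text, listed):
    """Classify an ID reported as hidden.

    listed: set of numeric names that readdir on /proc returned.
    Returns (kind, tgid, name).
    """
    if status_text is None:
        return ("gone", None, None)           # exited between scan and check
    st = parse_status(status_text)
    tgid, name = int(st["Tgid"]), st.get("Name", "?")
    if tgid != ident:
        # The ID is a thread; its owner is the thread-group leader `tgid`.
        kind = "thread" if tgid in listed else "thread-of-unlisted"
    else:
        # A thread-group leader is expected to appear in readdir output.
        kind = "listed" if ident in listed else "unlisted-process"
    return (kind, tgid, name)

def check_live(idents, proc_root="/proc"):
    """Run classify() against the live /proc for the given IDs."""
    listed = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    result = {}
    for ident in idents:
        try:
            with open(os.path.join(proc_root, str(ident), "status")) as fh:
                text = fh.read()
        except OSError:
            text = None
        result[ident] = classify(ident, text, listed)
    return result

if __name__ == "__main__":
    for ident, text in ((4312, SAMPLE_LEADER), (4313, SAMPLE_THREAD)):
        print(ident, classify(ident, text, {1, 4312}))
```

Feed the IDs reported by chkproc to `check_live`; results other than `thread` and `listed` are the ones to look at more closely.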




