Gentoo Forums
.exe processes without wine?
Forum Index: Networking & Security
Olorin
n00b
Joined: 10 Jun 2012
Posts: 6
Location: Texas

PostPosted: Thu Jun 05, 2014 3:05 am    Post subject: .exe processes without wine?

Recently something mixed up my default programs so that images would open in firefox (which is not my default browser) and .html and maybe some others would open in wine, which would then launch several short lived threads at a time over and over again, which would use lots of CPU time. This would only stop if you killed them all at once, which was hard to do since they changed their names and PIDs quickly. I don't know if this is malicious behavior or just a serious bug, but the solution seems simple enough: Uninstall Wine. So, I did that a few days ago. Today I logged into that machine (my desktop - I'm out of town) via SSH and noticed that SSH was being slow and unresponsive. "top" revealed that X and a kworker thread were both using around 10% of my CPU time (a slightly overclocked i7-2700k), so I killed xinit, and the cpu usage went back to normal, but ssh was still slow. At that point I noticed three ".exe" processes running despite the absence of wine: explorer.exe, services.exe, plugplay.exe. I killed them, and SSH started responding normally. Now I am very worried that something bad is happening.

Am I being paranoid? Are wine and X just buggy? Could there still be some thread that's been running since before I uninstalled wine that occasionally spawns these .exe threads? I would appreciate any thoughts on this issue.

xaviermiller
Administrator
Joined: 23 Jul 2004
Posts: 7896
Location: ~Brussels - Belgique

PostPosted: Thu Jun 05, 2014 7:55 am

Did you reboot your machine after uninstalling wine?

With UNIX, you can remove all executables, but those running will continue to exist.
_________________
Kind regards,
Xavier Miller

i92guboj
Bodhisattva
Joined: 30 Nov 2004
Posts: 10306
Location: Córdoba (Spain)

PostPosted: Thu Jun 05, 2014 8:36 am

Yes.

In any case, if you are truly worried you should give rkhunter and chkrootkit a try.
_________________
Gentoo Handbook | My website

Olorin
n00b
Joined: 10 Jun 2012
Posts: 6
Location: Texas

PostPosted: Thu Jun 05, 2014 9:35 am

XavierMiller wrote:
Did you reboot your machine after uninstalling wine?

With UNIX, you can remove all executables, but those running will continue to exist.

I didn't reboot, but I killed nearly all the threads running with my username and made sure that commands like "ps -ef | grep wine" and "ps -ef | grep exe" didn't turn up anything.

i92guboj wrote:
Yes.

In any case, if you are truly worried you should give rkhunter and chkrootkit a try.


I'll do that. Thanks. I appreciate the feedback. I realize that it's kind of a stupid question. I've been on edge since I noticed that multiple IP addresses had been trying to guess my ssh password for months. I wouldn't have thought anyone would bother doing something like that to a machine on a residential IP address. Then somebody got into my gmail, for which I used the same password as I used for my user on my desktop, and I've been thinking about the fact that it wouldn't necessarily be obvious if somebody had got in and gained root. I've tightened up my SSH security and changed all of my passwords, but not being able to take for granted that I'm completely in control of my machine has been making me paranoid, I guess. I'll continue to assume that the timing of the bugginess is just unfortunate, and I'll run those two programs just in case.
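Xavier's point that a removed binary keeps running, and the `ps -ef | grep exe` check above, suggest a check that does not depend on process names (which Olorin saw changing): on Linux, /proc/<pid>/exe still points at the executed file and ends in "(deleted)" once that file has been unlinked. This is an added example, not code from anyone in the thread; it assumes a Linux /proc and only reports processes the caller may inspect (all of them when run as root).

```shell
#!/bin/sh
# List running processes whose executable has been removed from disk.
# /proc/<pid>/exe is a symlink to the binary that was executed; once that file
# is unlinked (for example by uninstalling a package) the kernel reports the
# link target with a trailing " (deleted)". Output: "pid comm target" per match.
deleted_exe_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        # readlink fails for other users' processes unless we are root, and for
        # processes that exited while we were iterating; skip both.
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                comm=$(cat "$p/comm" 2>/dev/null)
                printf '%s %s %s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

# Print the current matches (empty output means nothing found).
deleted_exe_procs
```

A hit for a binary you deliberately uninstalled is expected until the process is restarted or killed; a hit for a binary that was never installed is the case worth investigating.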

Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 3690
Location: Dallas area

PostPosted: Thu Jun 05, 2014 9:43 am

I think most people constantly get hits on the ssh port. I know I do.

I don't leave ssh open for the world though. I use iptables to filter it down to just the ip addresses that I might connect from.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon

i92guboj
Bodhisattva
Joined: 30 Nov 2004
Posts: 10306
Location: Córdoba (Spain)

PostPosted: Thu Jun 05, 2014 10:02 am

You can't stop people (meaning "bots") hitting your ssh port if you allow login, just like you can't stop people from knocking your door; that is, unless you electrify it :twisted:

They just ssh to every random ip they can think of.

Running it on some other port than the default 22 will drastically decrease the attempts, though. Using some iptables rules to block incoming traffic is always a good thing, though it can be difficult if you don't always connect from the same IPs. You can, however, blacklist concrete IPs or even IP ranges.

Also, if you haven't yet, check fail2ban.
_________________
Gentoo Handbook | My website
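Anon-E-moose's allowlist approach and i92guboj's suggestions (a non-default port, blocking sources with iptables, fail2ban-style throttling) combined into one ruleset. This is an added example, not a configuration anyone in the thread posted; it assumes iptables with the conntrack and recent match modules, a fixed set of addresses you connect from, and uses documentation-range addresses (192.0.2.10, 198.51.100.0/24) and port 2222 as placeholders.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset (filter table) that:
#   - drops all unsolicited inbound traffic by default (INPUT policy DROP),
#   - accepts SSH on PORT only from the listed source addresses/ranges,
#   - drops a listed source that opens its 5th new SSH connection within 60 s,
#     a simple in-kernel counterpart of what fail2ban does by reading logs.
# Usage: ssh_filter_rules PORT SRC [SRC...] | iptables-restore
ssh_filter_rules() {
    port=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        new="-A INPUT -p tcp -s $src --dport $port -m conntrack --ctstate NEW"
        # Record the attempt, drop if it is the 5th or later within 60 s, else accept.
        printf '%s\n' "$new -m recent --name sshnew --set"
        printf '%s\n' "$new -m recent --name sshnew --update --seconds 60 --hitcount 5 -j DROP"
        printf '%s\n' "$new -j ACCEPT"
    done
    # Any other source reaching the SSH port falls through to the INPUT DROP policy.
    printf '%s\n' 'COMMIT'
}

# Example invocation with placeholder port and addresses (constructed values).
ssh_filter_rules 2222 192.0.2.10 198.51.100.0/24
```

Load it with `iptables-restore` from a console session first, since a typo in the allowlist locks out the SSH session you are testing from.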

Chiitoo
Administrator
Joined: 28 Feb 2010
Posts: 1685
Location: Here and Away Again

PostPosted: Thu Jun 05, 2014 11:10 am

i92guboj wrote:
[...] just like you can't stop people from knocking your door; that is, unless you electrify it :twisted:

One might bet many still would, at least once!
_________________
Kind Regards,
~ The Noob Unlimited ~

Sore wa sore, kore wa kore.

guido-pe
n00b
Joined: 10 May 2004
Posts: 62

PostPosted: Thu Jun 05, 2014 3:50 pm

i92guboj wrote:
In any case, if you are truly worried you should give rkhunter and chkrootkit a try.


IMHO, if someone is truly worried their system might be compromised, they should just nuke it and reinstall from scratch. Otherwise, you can never be sure that you got all traces from some malware or all the backdoors some intruder put in place.

ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1692

PostPosted: Sat Jun 07, 2014 7:02 pm

I've had to nuke my servers once, because someone managed to get access through a service account. After I saw that, I nuked the entire system and reinstalled.

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Wed Jun 11, 2014 9:08 pm

Keep in mind too that for some reason, at least my Gnome2 desktop appears to collect icons and startup scripts from wine if wine dictates it to be. It probably is the "wine integration" of Gnome, but it's more worrisome than convenient. Wine apparently can actually add default programs to the Gnome desktop, which means that Windows viruses can make Wine run them more often. You may need to check what your DE is pointing to as default programs and make sure it's not a wine program if you didn't mean it to be.

Yes, I fear getting compromised, but being able to access my machines remotely is more interesting. Sometimes I think I may have to move everything to VPN to stop the SSH dictionary attacks. Luckily my OpenVPN has not been "knocked" on much. However, requiring openvpn pretty much means a longer startup time as it has to negotiate a link first, plus I can't memorize an RSA key ...

I've mentioned this in the past, but I am worried that I may end up on a random network that blocks ports. A random network has a higher chance of blocking port 1194 than 22, which is more than 443 (and some block all of them but 80 and 53). As a "backdoor" into my network I actually have one spare machine forwarding port 443 to 22 just in case I run into one of these networks...

(I should have another machine that forwards port 80 to 22 for the same reason... Then again they probably have a transparent proxy on that, and trying to talk ssh will probably confuse it.)
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?