This is a discussion on -:() Process within the Linux Security forums, part of the System Security and Security Related category; I am currently showing a process when doing a ps -ef on my system I receive a process listed as -:(). ...
"jcw248" <jcw248@gmail.com> (06-06-11 08:05:59):
> I am currently showing a process when doing a ps -ef on my system I
> receive a process listed as -:(). I killed the process and it logged
> off my system. Have I been compromised? I tried searching on this
> process and did not get any responses back.

You probably are seeing the process with the name "-:0", which is a zero at the end, instead of parentheses. If that's the case, then everything is alright, because that's just the command line name of your X server process. You can easily check that. See the output of "ps -ef", and grab the PID of the process. Then do "ps c -ef" to see the binary name of all processes and check that the PID actually belongs to a process called just 'X'.

To explain that: The dash ('-') at the beginning means that this is your login process, i.e. the one process started at login time. It shouldn't be, but on some systems, X is the login shell for some or all users. Otherwise and much more likely, it just may be that your display manager (XDM, GDM, KDM, ...) started your X server that way. The ":0" at the end means that the X server is running on display 0 (zero), i.e. the first virtual terminal, which X can or should use. If you have multiple X sessions running, the other sessions will have different display numbers like ":1".

Regards,
E.S.
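The check described in the reply above, as an added example that is not part of the original thread: on Linux, /proc holds both the name that "ps -ef" displays (argv[0] from cmdline) and the kernel's own record of the binary (comm and the exe link), so the two can be compared per PID. The function names and the PROC_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the name ps shows (argv[0]) with what the kernel records.
# PROC_ROOT is an assumption of this example so it can point at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# argv0_of PID: first NUL-separated field of cmdline (the name "ps -ef" shows).
argv0_of() {
    tr '\0' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# describe_pid PID: one line with argv[0], kernel command name and binary path.
describe_pid() {
    pid=$1
    [ -d "$PROC_ROOT/$pid" ] || { echo "pid=$pid not found"; return 1; }
    argv0=$(argv0_of "$pid")
    comm=$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null)
    # exe is a symlink to the running binary; reading it may need root.
    exe=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || exe="unreadable"
    case $argv0 in
        -*) dash=yes ;;   # leading dash: started login-style
        *)  dash=no ;;
    esac
    printf 'pid=%s argv0=%s comm=%s exe=%s login_dash=%s\n' \
        "$pid" "$argv0" "$comm" "$exe" "$dash"
}

# find_by_argv0 NAME: describe every process whose argv[0] is exactly NAME,
# e.g. find_by_argv0 '-:0'
find_by_argv0() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        if [ "$(argv0_of "$pid")" = "$1" ]; then
            describe_pid "$pid"
        fi
    done
    return 0
}
```

For the case in this thread, a benign result shows comm=X with exe pointing at the X server binary; a comm or exe that does not match the expected program is the signal to investigate further.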
On 2006-06-11, jcw248 <jcw248@gmail.com> wrote:
> I am currently showing a process when doing a ps -ef on my system I
> receive a process listed as -:(). I killed the process and it logged off
> my system. Have I been compromised? I tried searching on this process
> and did not get any responses back.

Are you sure it's not "-:0" ?

That's part of how X communicates with its various pieces. If you kill it, you kill your X server and thus are logged out when a new X server process is spawned by init.

If you have more than one X display running, you'll probably see "-:1" and "-:2" and so on for each display screen.

--
John (john@os2.dhs.org)
Ertugrul Soeylemez wrote:
> "jcw248" <jcw248@gmail.com> (06-06-11 08:05:59):
>
> > I am currently showing a process when doing a ps -ef on my system I
> > receive a process listed as -:(). I killed the process and it logged
> > off my system. Have I been compromised? I tried searching on this
> > process and did not get any responses back.
>
> You probably are seeing the process with the name "-:0", which is a zero
> at the end, instead of parentheses. If that's the case, then everything
> is alright, because that's just the command line name of your X server
> process. You can easily check that. See the output of "ps -ef", and
> grab the PID of the process. Then do "ps c -ef" to see the binary name
> of all processes and check that the PID actually belongs to a process
> called just 'X'.
>
> To explain that: The dash ('-') at the beginning means that this is
> your login process, i.e. the one process started at login time. It
> shouldn't be, but on some systems, X is the login shell for some or all
> users. Otherwise and much more likely, it just may be that your display
> manager (XDM, GDM, KDM, ...) started your X server that way. The ":0"
> at the end means that the X server is running on display 0 (zero),
> i.e. the first virtual terminal, which X can or should use. If you have
> multiple X sessions running, the other sessions will have different
> display numbers like ":1".
>
> Regards,
> E.S.

Thanks for not blasting me; I am new to Linux security. Thanks for the useful information.
John Thompson wrote:
> On 2006-06-11, jcw248 <jcw248@gmail.com> wrote:
>
> > I am currently showing a process when doing a ps -ef on my system I
> > receive a process listed as -:(). I killed the process and it logged off
> > my system. Have I been compromised? I tried searching on this process
> > and did not get any responses back.
>
> Are you sure it's not "-:0" ?
>
> That's part of how X communicates with its various pieces. If you kill
> it, you kill your X server and thus are logged out when a new X server
> process is spawned by init.
>
> If you have more than one X display running, you'll probably see "-:1"
> and "-:2" and so on for each display screen.
>
> --
> John (john@os2.dhs.org)

Thanks for the help.