# .exe processes without wine?

## Olorin

Recently something mixed up my default programs so that images would open in firefox (which is not my default browser) and .html and maybe some others would open in wine, which would then launch several short-lived threads at a time over and over again, which would use lots of CPU time. This would only stop if you killed them all at once, which was hard to do since they changed their names and PIDs quickly. I don't know if this is malicious behavior or just a serious bug, but the solution seems simple enough: uninstall Wine. So, I did that a few days ago. Today I logged into that machine (my desktop - I'm out of town) via SSH and noticed that SSH was being slow and unresponsive. "top" revealed that X and a kworker thread were both using around 10% of my CPU time (a slightly overclocked i7-2700k), so I killed xinit, and the CPU usage went back to normal, but ssh was still slow. At that point I noticed three ".exe" processes running despite the absence of wine: explorer.exe, services.exe, plugplay.exe. I killed them, and SSH started responding normally. Now I am very worried that something bad is happening.

Am I being paranoid? Are wine and X just buggy? Could there still be some thread that's been running since before I uninstalled wine that occasionally spawns these .exe threads? I would appreciate any thoughts on this issue.

----------

## xaviermiller

Did you reboot your machine after uninstalling wine?

With UNIX, you can remove all executables, but those running will continue to exist.

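A way to check for exactly the situation xaviermiller describes (a process still running after its binary was removed, or Wine-style `.exe` names such as the ones Olorin found), written as an added example for this thread rather than code from any poster. It reads `/proc/PID/comm` and the `/proc/PID/exe` symlink, which the kernel suffixes with ` (deleted)` when the file is gone; the `wine` path heuristic is an assumption about how Wine's loader appears.

```python
"""Check running processes for binaries deleted from disk and Wine-style .exe names (added example)."""
import os

def classify(comm, exe_target):
    """Return the reasons a process looks suspicious (empty list if none).
    comm: contents of /proc/PID/comm; exe_target: readlink of /proc/PID/exe, or None
    when the link could not be read (kernel threads, other users' processes)."""
    reasons = []
    if exe_target is not None and exe_target.endswith(" (deleted)"):
        # The executable was removed (e.g. package uninstalled) but the process lives on.
        reasons.append("binary deleted on disk")
    if comm.lower().endswith(".exe"):
        reasons.append("windows-style process name")
    if exe_target is not None and os.path.basename(exe_target).startswith("wine"):
        # Assumption: Wine programs show the .exe as comm while exe points at the wine loader.
        reasons.append("runs under wine")
    return reasons

def scan_proc(proc_root="/proc"):
    """Walk proc_root and return {pid: (comm, reasons)} for flagged processes.
    Only processes readable by the current user are inspected (run as root to see all)."""
    flagged = {}
    if not os.path.isdir(proc_root):
        return flagged
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe_target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            exe_target = None  # unreadable: kernel thread or another user's process
        reasons = classify(comm, exe_target)
        if reasons:
            flagged[pid] = (comm, reasons)
    return flagged

if __name__ == "__main__":
    for pid, (comm, reasons) in sorted(scan_proc().items()):
        print(f"{pid:>7} {comm:<16} {', '.join(reasons)}")
```

A binary replaced by a package upgrade also shows as `(deleted)` until the process is restarted, so a hit means "investigate", not "compromised".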
----------

## i92guboj

Yes.

In any case, if you are truly worried you should give rkhunter and chkrootkit a try.

----------

## Olorin

*XavierMiller wrote:*

> Did you reboot your machine after uninstalling wine?
>
> With UNIX, you can remove all executables, but those running will continue to exist.

I didn't reboot, but I killed nearly all the threads running with my username and made sure that commands like "ps -ef | grep wine" and "ps -ef | grep exe" didn't turn up anything.

*i92guboj wrote:*

> Yes.
>
> In any case, if you are truly worried you should give rkhunter and chkrootkit a try.

I'll do that. Thanks. I appreciate the feedback. I realize that it's kind of a stupid question. I've been on edge since I noticed that multiple IP addresses had been trying to guess my ssh password for months. I wouldn't have thought anyone would bother doing something like that to a machine on a residential IP address. Then somebody got into my gmail, for which I used the same password as I used for my user on my desktop, and I've been thinking about the fact that it wouldn't necessarily be obvious if somebody had got in and gained root. I've tightened up my SSH security and changed all of my passwords, but not being able to take for granted that I'm completely in control of my machine has been making me paranoid, I guess. I'll continue to assume that the timing of the bugginess is just unfortunate, and I'll run those two programs just in case.

----------

## Anon-E-moose

I think most people constantly get hits on the ssh port. I know I do.

I don't leave ssh open for the world though. I use iptables to filter it down to just the ip addresses that I might connect from.

----------

## i92guboj

You can't stop people (meaning "bots") hitting your ssh port if you allow login, just like you can't stop people from knocking your door; that is, unless you electrify it.

They just ssh to every random ip they can think of.

Running it on some other port than the default 22 will drastically decrease the attempts, though. Using some iptables rules to block incoming traffic is always a good thing, though it can be difficult if you don't always connect from the same IPs. You can, however, blacklist concrete IPs or even IP ranges.

Also, if you haven't yet, check fail2ban.

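What fail2ban does for the SSH dictionary attacks discussed by Anon-E-moose and i92guboj above, reduced to its core and written as an added example for this thread (not fail2ban's own code): count "Failed password" lines per source address in a sliding time window and emit the iptables drop rule a ban action would run. The log lines are constructed, with documentation addresses; the syslog timestamp format and the year are assumptions.

```python
"""Spot SSH password brute-forcing in auth.log lines, fail2ban-style (added example)."""
import re
from collections import defaultdict
from datetime import datetime
# Matches OpenSSH's "Failed password" syslog line (classic syslog timestamp assumed).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines (not from the thread); both addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:01 desktop sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 12 03:14:03 desktop sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 12 03:14:05 desktop sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Jan 12 03:14:08 desktop sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 12 03:14:10 desktop sshd[2005]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
Jan 12 08:30:00 desktop sshd[2100]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 12 08:30:20 desktop sshd[2100]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
"""

def parse_failures(lines, year=2013):
    """Yield (timestamp, ip, user) for each failed-password line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied (assumed)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bruteforcers(lines, maxretry=5, window_seconds=600):
    """Return {ip: total failures} for IPs with >= maxretry failures inside any sliding window."""
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= maxretry:
                flagged[ip] = len(times)
                break
    return flagged

def ban_rule(ip, port=22):
    """iptables command a ban action would run: drop SSH packets from ip."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
```

Moving sshd to another port only changes `port` here; the counting logic is what actually stops a guessing run, which is why fail2ban is the usual complement to a static iptables allow-list.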
----------

## Chiitoo

*i92guboj wrote:*

> [...] just like you can't stop people from knocking your door; that is, unless you electrify it

One might bet many still would, at least once!

----------

## guido-pe

*i92guboj wrote:*

> In any case, if you are truly worried you should give rkhunter and chkrootkit a try.

IMHO, if someone is truly worried their system might be compromised, they should just nuke it and reinstall from scratch. Otherwise, you can never be sure that you got all traces from some malware or all the backdoors some intruder put in place.

----------

## ct85711

I've had to nuke my servers once, because someone managed to get access through a service account.  After I saw that, I nuked the entire system and reinstalled.

----------

## eccerr0r

Keep in mind too that for some reason, at least my Gnome2 desktop appears to collect icons and startup scripts from wine if wine dictates it to be. It probably is the "wine integration" of Gnome but it's more worrisome than convenient. Wine apparently can actually add default programs to the Gnome desktop which means that Windows viruses can make Wine run them more often. May need to check what your DE is pointing to as default programs and make sure it's not a wine program if you didn't mean it to be.

Yes, I fear getting compromised but being able to access my machines remotely is more interesting. I sometimes think I may have to move everything to VPN to stop the SSH dictionary attacks. Luckily my OpenVPN has not been "knocked" on much. However requiring openvpn pretty much means a longer startup time as it has to negotiate a link first, plus I can't memorize an RSA key ...

I've mentioned this in the past, but I am worried that I may end up on a random network that blocks ports. A random network has a higher chance of blocking port 1194 than 22, which is more than 443 (and some block all of them but 80 and 53). As a "backdoor" into my network I actually have one spare machine forwarding port 443 to 22 just in case I run into one of these networks...

(I should have another machine that forwards port 80 to 22 for the same reason...  Then again they probably have a transparent proxy on that, and trying to talk ssh will probably confuse it.)
