Suspicious process running under user dbus

TheTool

Since yesterday (assuming after an automatic update) I have been getting notifications every hour for dbus.

Code:
server lfd[3732614]: *Suspicious Process* PID:123 PPID:123 User:dbus Uptime:3705518 secs EXE:/usr/bin/dbus-daemon;64d1cec2 (deleted) CMD:/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

Anyone else seen this?
 
Yes that's normal, it should be included in the /etc/csf/csf.pignore file.
Login as root via SSH. Then set this line in the /etc/csf/csf.pignore file:
exe:/usr/bin/dbus-daemon
Save the file and restart csf and lfd with the csf -ra command and it should be fixed.
 
Thanks for the reply. I forgot to mention that it's already ignored in process tracking.
 
Are you sure? Because normally /sbin/dbus-daemon is ignored and sometimes not /usr/sbin/dbus-daemon.
Otherwise try adding the user like:
user:dbus
Be sure in all lines there are no spaces present, and no spaces between : and / either.
 
Oh yes, additionally, it could also be a notice of the PT_DELETED setting in the csf configuration.
In that case you could try to fix it by just restarting the dbus daemon manually.
service dbus restart
 
There was a dbus upgrade yesterday for AlmaLinux 8 (maybe others as well).

The old dbus binary was deleted and replaced with a newer one during this upgrade. This notice is telling you that the current running dbus is using the old and since deleted dbus binary.

Just restart dbus to resolve the issue

systemctl restart dbus

This also underscores why I prefer non-automatic updates. I want to be notified when updates are available and then I can push those updates out to the server. This way I know what is being updated. To each their own, though.
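
The condition behind this notice can be checked by hand: on Linux, /proc/PID/exe of a process whose binary was removed or replaced on disk resolves to a path ending in " (deleted)". The function below is an added example, not part of any post in this thread and not csf/lfd code; the function name and its optional proc-root argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list processes still running from an executable that has been
# deleted or replaced on disk (the condition the PT_DELETED notice reports).

# find_deleted_exes [PROC_ROOT]
# Prints one "PID<TAB>UID<TAB>EXE" line per process whose exe link target ends
# in " (deleted)". PROC_ROOT defaults to /proc; it is a parameter (an assumption
# of this example) so the function can be pointed at a constructed directory.
find_deleted_exes() {
    fde_root="${1:-/proc}"
    for fde_dir in "$fde_root"/[0-9]*; do
        [ -d "$fde_dir" ] || continue
        fde_pid="${fde_dir##*/}"
        # readlink fails for kernel threads (no exe link) and for processes
        # the caller is not allowed to inspect; skip those.
        fde_target="$(readlink "$fde_dir/exe" 2>/dev/null)" || continue
        case "$fde_target" in
            *" (deleted)") ;;      # running binary no longer exists on disk
            *) continue ;;
        esac
        # The real UID is the first number on the "Uid:" line of status.
        fde_uid="$(awk '/^Uid:/ {print $2; exit}' "$fde_dir/status" 2>/dev/null)" || fde_uid=""
        printf '%s\t%s\t%s\n' "$fde_pid" "${fde_uid:-?}" "${fde_target% (deleted)}"
    done
}

# Run as root to see every process; each service listed needs a restart
# before it actually runs the updated binary.
find_deleted_exes "$@"
```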
 
This notice is telling you that the current running dbus is using the old and since deleted dbus binary.
That is the PT_DELETED setting I was referring to. One can also choose to disable that one. I also don't do auto updates, also like to see what happens or prevent erratic updates. :)
 
That is the PT_DELETED setting I was referring to. One can also choose to disable that one. I also don't do auto updates, also like to see what happens or prevent erratic updates. :)
Well, it's probably best to leave the setting in place and just restart dbus or whatever service is being mentioned.

Because the message is telling you that (in this particular case) the dbus that's running on the server is the old version of dbus. So you're not really reaping any benefits of the updated dbus (or whatever service) until you restart it.

Getting the messages from PT_DELETED is a good way to be reminded of this. As long as you understand what the message is saying and how to react to it - and don't necessarily go ballistic every time you see a scary email - it's serving its purpose.
 
Well, it's probably best to leave the setting in place and just restart dbus or whatever service is being mentioned.
Yes, that's why I wrote the service dbus restart command in there as solution.

I also leave the PT_DELETED in place, I only mentioned it because there are always people who don't want to receive those kinds of messages. It's their choice. If it's a wise choice is a different story. ;)
 
service dbus restart was indeed the fix.

I appreciate y'all's input.

I'm fairly new to DA so I haven't fully figured out the update process. Some things auto update while others don't.
 