tons of bash.exe, ping.exe & conhost.exe processes being created


luckycharms

May 23, 2011, 4:13:49 PM
to prey-s...@googlegroups.com
hi,

i've never had issues with Prey before.  But now, all of a sudden, it's leaving tons of bash.exe, ping.exe and conhost.exe processes around.  If I let it go long enough, it will create thousands of these processes, and will bring my machine to a halt. Any idea what's going on, and how I might fix it?

thanks.

Drew Reece

May 23, 2011, 4:31:45 PM
to prey-s...@googlegroups.com
What version do you have installed? The log should say.
Post the log here if you want more help.

Do you have a pro account? 
Do you have the option for offline actions turned on for the device? -> look in the configuration 'sub tab' of the device.

Drew

--
------------
You can also ask for support on #preyproject channel at freenode IRC.
IRC link: irc://chat.freenode.net/preyproject
IRC http link: http://webchat.freenode.net/?channels=preyproject
------------
You received this message because you are subscribed to the Google
Groups "Prey" group.
To post to this group, send email to prey-s...@googlegroups.com
To unsubscribe from this group, send email to
prey-securit...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/prey-security?hl=en_US?hl=en

luckycharms

May 24, 2011, 8:31:34 AM
to prey-s...@googlegroups.com
Version 0.5.3 installed.  Here are the entire contents of the log:

 ### PREY 0.5.3 spreads its wings!
 ### WindowsNT dont_even_look 1 6 x86

 -- Looking for connection...

I don't have a pro account.  Offline actions are unchecked.  Not requesting hardware scan.  Not auto-updating.
Reporting method = prey + control panel.  Prey settings: none set.  Run as a windows service, Frequency = 20 minutes.

any help greatly appreciated!  this problem is killing me...



Tom Wood

May 24, 2011, 12:14:54 PM
to prey-s...@googlegroups.com

 

If those are the entire contents of the log, then prey is getting hung up and stays running forever…so you get a new set of processes every 20 minutes doing the same thing.

The question is why is it having a hard time finding a connection?

Could you reboot, delete the logfile as soon as you log in, then check the first log file that gets created (20 minutes later) to see if there is anything more there?   If it says the same thing, then I think you should just re-install.  There are some slightly newer versions available, so you can upgrade at the same time.

Tom

Tomás Pollak

May 24, 2011, 1:15:53 PM
to prey-s...@googlegroups.com


On Tuesday, May 24, 2011 12:14:54 PM UTC-4, Tom wrote:

> If those are the entire contents of the log, then prey is getting hung up and stays running forever…so you get a new set of processes every 20 minutes doing the same thing.

Good call Tom.

> The question is why is it having a hard time finding a connection?


If the problem appeared out of no reason, my guess is that a Windows Update modified the security settings. Or perhaps someone else installed a new firewall?

Tom

luckycharms

May 27, 2011, 9:39:33 AM
to prey-s...@googlegroups.com
Tom & Tomas,

Thanks for your responses.  I've already tried re-installing, but no joy.  Same thing keeps happening.  I don't see any entries in windows firewall for prey.  Do I need to add one?  If so, what executable do i point to?

thanks.

Tom Wood

May 27, 2011, 12:38:39 PM
to prey-s...@googlegroups.com

LuckyCharms,

You say you tried to re-install, and yet you are not on the current version.  I’m not sure I understand this.  Have you tried downloading the current version and installing it?

I don’t see any openings in my firewall for prey.  It uses normal web ports, so those can normally get through.  But you could try turning it off for a test.

You can access http://control.preyproject.com, from your web browser on that same computer, right?

Are any messages being generated into the system log?  Any other firewall?  Any other proxy?

Tomas & the developers:

Does prey really wait forever for a connection in some circumstances?  Shouldn’t the process terminate and try again at the end of the repeat interval?

 

Tom

Drew Reece

May 27, 2011, 1:27:02 PM
to prey-s...@googlegroups.com
I think 0.5.3 is the current release http://preyproject.com/download

The '-- looking for connection' stage is right at the beginning of Prey's scripts. It performs a ping to google to see if the internet is accessible. It should do one ping & then continue to either try another method (using curl), or move onto the next stage (checking the device key is setup).

Both of the next steps begin with another entry to the log, if the ping fails you should see " -- Trying alternate method..." if the ping (or the curl) succeeds you should see " -- Got network connection!"

Are you able to edit the Prey scripts? You will need admin permission & a decent text editor (ideally with line numbers & some code highlighting helps). Any recommendations from Windows users?

You could add…
log "ping returns : $connected"
…right on the line 22 of prey/core/pull (after the connected=$(ping.... line)

That will state what the ping command is returning - it is entirely possible ping is just dying or being unusable in some weird way & reporting nothing.
Output should appear in the log. You could also show other variables to see what prey is using to create its commands eg
log "ping params : $ping_params"

It would also be worth trying a ping command from the DOS prompt to see if that can work for a normal user on that computer.
ping -n 1 www.google.com
…is the first command prey uses for Windows, type it in the run prompt & it should open a terminal window with the results IIRC.

Drew

Tom Wood

May 29, 2011, 4:55:02 AM
to prey-s...@googlegroups.com

My mistake.  I thought we were on 0.5.4 already.

Tom

 


luckycharms

May 29, 2011, 9:38:06 AM
to prey-s...@googlegroups.com
I have cygwin installed, and i think my path leads to cygwin's ping before windows' ping - not sure if that makes a difference.  Regardless, "ping -n 1" hangs, whereas "ping" works just fine.  See below.  Any thoughts?

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\username>ping -n 1 www.google.com
PING 1 (0.0.0.1): 0 data bytes

----1 PING Statistics----
13 packets transmitted, 0 packets received, 100.0% packet loss

C:\Users\username>ping www.google.com
PING www.l.google.com (74.125.91.147): 56 data bytes
64 bytes from 74.125.91.147: icmp_seq=0 ttl=49 time=204 ms
64 bytes from 74.125.91.147: icmp_seq=1 ttl=49 time=252 ms

----www.l.google.com PING Statistics----
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip (ms)  min/avg/max/med = 204/228/252/228

C:\Users\username>which ping
/usr/bin/ping

Drew Reece

May 29, 2011, 11:11:19 AM
to prey-s...@googlegroups.com
I'm not sure if there is a way to set a search path with cygwin & Windows?
On *nix I'd move the preferred path near to the start of the $PATH variable, so the working ping gets picked up first. You would do this for root, since that is how Prey is run, no idea how Windows does it :(

Are you saying the '-n 1' needs to be removed or can you find the version of ping that works with '-n 1'? I think it would be better to 'tweak a path' than to hack Prey unless it can be added for everyone.

Drew

Drew Reece

May 29, 2011, 11:15:44 AM
to prey-s...@googlegroups.com
Here is where ping is used…

If you want to modify the -n arg & try prey. 

Drew


Tom Wood

May 29, 2011, 6:10:37 PM
to prey-s...@googlegroups.com, prey-s...@googlegroups.com

The -n 1 tells Windows ping to do only one ping.  Does the cygwin ping have the same option available?  If not, either fix prey to match cygwin's switches, or change path to use windows path.

Tom

luckycharms

May 31, 2011, 12:44:20 PM
to prey-s...@googlegroups.com
ok - changed the path, hope it works out.  I wonder if this should be something that prey checks for?  Surely lots of prey users will have cygwin installed.  Prey could hardcode the path to ping, or at least try the hardcoded path and if it fails, then fall back on using PATH...
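
The two ideas raised in this thread (try a fixed path to ping before falling back on PATH, and stop a check that never returns) sketched in shell as an added example; it is not code from the thread or from Prey. The function names, the `$SYSTEMROOT/system32/ping.exe` location and the 10-second limit are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Prey's own code. Two defences against the failure in this
# thread: pin the helper binary to a known location, and bound its runtime.

# resolve_ping CANDIDATE...: print the first candidate that is an executable
# file; only if none exists fall back to whatever PATH resolves "ping" to.
resolve_ping() {
  local candidate
  for candidate in "$@"; do
    if [ -f "$candidate" ] && [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  command -v ping
}

# run_bounded SECONDS CMD...: run CMD in the background and kill it once it
# outlives the deadline. Returns CMD's status, or 124 if it was killed.
run_bounded() {
  local limit pid waited
  limit=$1; shift
  "$@" >/dev/null 2>&1 &
  pid=$!
  waited=0
  while kill -0 "$pid" 2>/dev/null; do
    if [ "$waited" -ge "$limit" ]; then
      kill -9 "$pid" 2>/dev/null || true
      wait "$pid" 2>/dev/null || true
      return 124
    fi
    sleep 1
    waited=$((waited + 1))
  done
  wait "$pid"
}

# check_connection: one Windows-style ping, pinned and bounded.
# Assumption: the system ping lives at $SYSTEMROOT/system32/ping.exe.
check_connection() {
  local ping_bin
  ping_bin=$(resolve_ping "${SYSTEMROOT:-}/system32/ping.exe") || return 2
  run_bounded 10 "$ping_bin" -n 1 www.google.com
}

# Run the check only when asked, so loading this file has no side effects.
if [ "${1:-}" = "--check" ]; then
  check_connection && echo "connected" || echo "no connection (or ping killed)"
fi
```

With the deadline in place, a ping that misreads its arguments costs one killed process per run instead of a new stuck set every 20 minutes.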