Re: intrusion? find is thrashing my disk every time I boot.
Lowell Gilbert wrote:
> "Steve Franks" <[EMAIL PROTECTED]> writes:
> > I'm really no security expert. I don't leave the system up 24/7, and
> > I'm on a US DSL connection with a bunch of windows boxes.
> >
> > Seems to be a recent phenomenon, I've started experiencing disk
> > thrashing I can hear across the room. ps and top report cvslockd has
> > been responsible for the thrashing (which usually occurs at a specific
> > time of day (~1 am MST)), but now, find is doing the thrashing at boot
> > every time (within the last week at least). Needless to say, I
> > haven't changed the system in any way during that week. On windows,
> > I'd just assume this to be normal behavior, but on FreeBSD, it's got
> > me worried...
> >
> > I presume the security section of the manual has a good intro to
> > detecting intruders, but first I'm interested if there is a legitimate
> > reason for find to be torturing my disk. I don't run much on my
> > system - apache, cvs, portsnap, ssh, that's about it.
>
> That's not really so little. I would tend to doubt it's a security
> issue, but tracking it down is still a good idea. You should be able
> to see what user is running the find, using ps(1), and that might give
> a clue to what the purpose is (but probably not; it'll probably turn
> out to be root).

This script might be useful for that purpose:

http://www.secnetix.de/olli/scripts/pidtrace

Given the process ID of the "find" process on the command line, it will print its parent processes all the way up to init(8). That way you can easily find out if the "find" was started by a cron job, by an rc.d script, or something else.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht München, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH,
Commercial register: Registergericht München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

(On the statement print "42 monkeys" + "1 snake":) By the way, both perl and Python get this wrong. Perl gives 43 and Python gives "42 monkeys1 snake", when the answer is clearly "41 monkeys and 1 fat snake".
        -- Jim Fulton
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
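The parent-chain walk described in the message above, as an added example that is not part of the original post and is not the pidtrace script itself. The function name `trace_parents`, the sample process table and the path `/usr/local/sbin/nightly.sh` are constructed for illustration.

```shell
#!/bin/sh
# Added example: print a process and each of its ancestors up to init (pid 1).
# Input on stdin: one "pid ppid user command..." row per process, e.g. from
#   ps -ax -o pid=,ppid=,user=,command=
# Working from a single snapshot avoids races with short-lived parents.
trace_parents() {
    awk -v start="$1" '
        {
            ppid[$1] = $2; user[$1] = $3
            cmd[$1] = $4
            for (i = 5; i <= NF; i++) cmd[$1] = cmd[$1] " " $i
        }
        END {
            if (!(start in ppid)) exit 1          # pid not in this snapshot
            pid = start
            # "seen" guards against a malformed table that loops.
            while ((pid in ppid) && !(pid in seen)) {
                seen[pid] = 1
                printf "%s %s %s\n", pid, user[pid], cmd[pid]
                if (pid == 1) break
                pid = ppid[pid]
            }
        }' || { echo "trace_parents: pid $1 not in snapshot" >&2; return 1; }
}

# Constructed sample snapshot (not taken from the thread): a find(1) started
# by a shell script that cron launched. The script path is hypothetical.
sample_table() {
    cat <<'EOF'
    1     0 root /sbin/init
  612     1 root /usr/sbin/cron -s
  700     1 www  /usr/local/sbin/httpd
  831   612 root /bin/sh /usr/local/sbin/nightly.sh
  845   831 root find / -xdev -type f
EOF
}

# Walk the chain for the sample find process (pid 845).
sample_table | trace_parents 845
```

On a live host, pipe the `ps` command from the header comment into `trace_parents` with the PID of the running find; the first ancestor that is not a shell usually names the job responsible.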
Re: intrusion? find is thrashing my disk every time I boot.
2008/6/4 Steve Franks <[EMAIL PROTECTED]>:
> I'm really no security expert. I don't leave the system up 24/7, and
> I'm on a US DSL connection with a bunch of windows boxes.
>
> Seems to be a recent phenomenon, I've started experiencing disk
> thrashing I can hear across the room. ps and top report cvslockd has
> been responsible for the thrashing (which usually occurs at a specific
> time of day (~1 am MST)), but now, find is doing the thrashing at boot
> every time (within the last week at least). Needless to say, I
> haven't changed the system in any way during that week. On windows,
> I'd just assume this to be normal behavior, but on FreeBSD, it's got
> me worried...
>

I doubt that this is a security issue, but I think you've a silent filesystem corruption. Best thing to do would be to boot to single user and check all filesystems manually to make sure that there isn't anything that goes unnoticed.

HTH
Christian
Re: intrusion? find is thrashing my disk every time I boot.
"Steve Franks" <[EMAIL PROTECTED]> writes:

> I'm really no security expert. I don't leave the system up 24/7, and
> I'm on a US DSL connection with a bunch of windows boxes.
>
> Seems to be a recent phenomenon, I've started experiencing disk
> thrashing I can hear across the room. ps and top report cvslockd has
> been responsible for the thrashing (which usually occurs at a specific
> time of day (~1 am MST)), but now, find is doing the thrashing at boot
> every time (within the last week at least). Needless to say, I
> haven't changed the system in any way during that week. On windows,
> I'd just assume this to be normal behavior, but on FreeBSD, it's got
> me worried...
>
> I presume the security section of the manual has a good intro to
> detecting intruders, but first I'm interested if there is a legitimate
> reason for find to be torturing my disk. I don't run much on my
> system - apache, cvs, portsnap, ssh, that's about it.

That's not really so little. I would tend to doubt it's a security issue, but tracking it down is still a good idea. You should be able to see what user is running the find, using ps(1), and that might give a clue to what the purpose is (but probably not; it'll probably turn out to be root). Once you've tried that, you could use sockstat(1) to track down what file the find operation is dumping into.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
intrusion? find is thrashing my disk every time I boot.
I'm really no security expert. I don't leave the system up 24/7, and I'm on a US DSL connection with a bunch of windows boxes.

Seems to be a recent phenomenon, I've started experiencing disk thrashing I can hear across the room. ps and top report cvslockd has been responsible for the thrashing (which usually occurs at a specific time of day (~1 am MST)), but now, find is doing the thrashing at boot every time (within the last week at least). Needless to say, I haven't changed the system in any way during that week. On windows, I'd just assume this to be normal behavior, but on FreeBSD, it's got me worried...

I presume the security section of the manual has a good intro to detecting intruders, but first I'm interested if there is a legitimate reason for find to be torturing my disk. I don't run much on my system - apache, cvs, portsnap, ssh, that's about it.

Thanks,
Steve