From: Oliver Fromme
Date: Wed, 11 Jun 2008 18:59:58 +0200 (CEST)
To: freebsd-questions@FreeBSD.ORG, stevefranks@ieee.org
Subject: Re: intrusion? find is thrashing my disk every time I boot.
Message-Id: <200806111659.m5BGxwiv063927@lurza.secnetix.de>
In-Reply-To: <447id4rlof.fsf@be-well.ilk.org>

Lowell Gilbert wrote:
> "Steve Franks" writes:
> > I'm really no security expert. I don't leave the system up 24/7, and
> > I'm on a US DSL connection with a bunch of Windows boxes.
> >
> > Seems to be a recent phenomenon, I've started experiencing disk
> > thrashing I can hear across the room. ps and top report cvslockd has
> > been responsible for the thrashing (which usually occurs at a specific
> > time of day (~1 am MST)), but now, find is doing the thrashing at boot
> > every time (within the last week at least). Needless to say, I
> > haven't changed the system in any way during that week. On Windows,
> > I'd just assume this to be normal behavior, but on FreeBSD, it's got
> > me worried...
> >
> > I presume the security section of the manual has a good intro to
> > detecting intruders, but first I'm interested if there is a legitimate
> > reason for find to be torturing my disk. I don't run much on my
> > system - apache, cvs, portsnap, ssh, that's about it.
>
> That's not really so little. I would tend to doubt it's a security
> issue, but tracking it down is still a good idea. You should be able
> to see what user is running the find, using ps(1), and that might give
> a clue to what the purpose is (but probably not; it'll probably turn
> out to be root).

This script might be useful for that purpose:

http://www.secnetix.de/olli/scripts/pidtrace

Given the process ID of the "find" process on the command line, it will
print its parent processes all the way up to init(8). That way you can
easily find out if the "find" was started by a cron job, by an rc.d
script, or something else.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court München, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH,
Commercial register: Registry Court München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

(On the statement print "42 monkeys" + "1 snake":) By the way, both perl and Python get this wrong. Perl gives 43 and Python gives "42 monkeys1 snake", when the answer is clearly "41 monkeys and 1 fat snake". -- Jim Fulton
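Added example, not the pidtrace script linked in the message (whose contents are not reproduced here): a POSIX sh function that does the same walk with ps(1), printing a PID's parent chain up to init(8), so a find(1) started by cron shows cron(8) in the chain while one started from an rc.d script shows the boot-time sh. It assumes only the POSIX ps keywords ppid, user and args, which FreeBSD and Linux both provide.

```shell
#!/bin/sh
# pidtrace-style ancestry walk (added example, not the linked script).
# Assumes the POSIX ps(1) keywords ppid, user and args.
# Prints a header, then one line per process, child first, up to init(8).

pidtrace() {
    pid=$1
    # Accept only a positive integer PID.
    case "$pid" in
        ''|*[!0-9]*) echo "usage: pidtrace <pid>" >&2; return 1 ;;
    esac
    printf '%7s %7s %-12s %s\n' PID PPID USER COMMAND
    while [ "$pid" -gt 0 ]; do
        # '=' after a keyword suppresses its column header; one -o per
        # keyword keeps the empty header unambiguous on FreeBSD and Linux.
        line=$(ps -o ppid= -o user= -o args= -p "$pid" 2>/dev/null) || break
        [ -n "$line" ] || break
        # Split the row: first field ppid, second user, rest is the command.
        read -r ppid user cmd <<EOF
$line
EOF
        printf '%7s %7s %-12s %s\n' "$pid" "$ppid" "$user" "$cmd"
        # Stop at init (PPID 0) or at a self-parented entry to avoid looping.
        [ "$ppid" -gt 0 ] 2>/dev/null || break
        [ "$ppid" -ne "$pid" ] || break
        pid=$ppid
    done
}

# Direct use: pidtrace <pid>, with the PID of the busy find(1) from ps or top.
if [ -n "${1:-}" ]; then
    pidtrace "$1"
fi
```

If the chain ends in cron(8) or periodic(8), look at /etc/crontab and the periodic scripts for the job; if it ends in the boot-time shell, the rc.d script is the origin.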